I am having a problem almost the same as Rickard Eriksson was here:
http://lists.shorewall.net/pipermail/shorewall-users/2002-October/003081.html
except it appears when Shorewall is trying to (I think) set up the DNAT
chains.

Syslog output:

May 15 15:50:30 hcocntf shorewall: Configuring Proxy ARP
May 15 15:50:30 hcocntf shorewall: Setting up NAT...
May 15 15:50:30 hcocntf shorewall: iptables: Invalid argument
May 15 15:50:30 hcocntf shorewall: Processing /etc/shorewall/stop ...
May 15 15:50:30 hcocntf shorewall: Processing /etc/shorewall/stopped ...
May 15 15:50:30 hcocntf logger: Shorewall Stopped
May 15 15:50:30 hcocntf rc: Starting shorewall: failed

Output from 'shorewall debug start 2>/tmp/trace' indicates:

+ createnatchain eth3_in
+ run_iptables -t nat -N eth3_in
+ iptables -t nat -N eth3_in
+ eval eth3_in_nat_exists=Yes
++ eth3_in_nat_exists=Yes
+ run_iptables2 -t nat -A eth3_in -d 209.184.91.130 -j DNAT --to-destination 10.100.4.7
+ '[' 'x-t nat -A eth3_in -d 209.184.91.130 -j DNAT --to-destination 10.100.4.7' = 'x-t nat -A eth3_in -d 209.184.91.130 -j DNAT --to-destination 10.100.4.7' ']'
+ run_iptables -t nat -A eth3_in -d 209.184.91.130 -j DNAT --to-destination 10.100.4.7
+ iptables -t nat -A eth3_in -d 209.184.91.130 -j DNAT --to-destination 10.100.4.7
iptables: Invalid argument
+ '[' -z '' ']'
+ stop_firewall
+ set +x

This happens no matter what I have tried after patching the kernel with the
01/07/03 netfilter patch-o-matic's ip_conntrack_pptp and ip_conntrack_gre.

The background story to all this was that I had a PPTP server running on the
firewall, and it was working perfectly... then all of a sudden it started
refusing client connections with an error 619 on the Windows side. I don't
know if I just got lucky the first few times around or what. I then installed
a newer RH kernel, which seemed to resolve the problem temporarily; the second
time I tried to connect I was back to the Error 619.

I decided then that I needed to do a custom kernel like I had been running a
few months back. I intended on patching it with some stuff like grsecurity,
the pptp conntrack P-O-M patch, the kernel-mppe patch, etc. However, Shorewall
would no longer start after that. Following a long and drawn out
troubleshooting process I determined that the pptp conntrack stuff was causing
Shorewall to not start.

I am running Shorewall 1.4.2, and was trying to patch against plain vanilla
(from kernel.org) 2.4.20 sources.

Anyone have any ideas where I am screwing this thing up?

--Levi Masterson
--System Administrator
--HCOCNTF.ORG
On Fri, 16 May 2003 08:16:39 -0500, Levi Masterson <lmasterson@hcocntf.org> wrote:

> I am having a problem almost the same as Rickard Eriksson was here:
> http://lists.shorewall.net/pipermail/shorewall-users/2002-October/003081.html
> except it appears when Shorewall is trying to (I think) set up the DNAT
> chains.
>
> + iptables -t nat -A eth3_in -d 209.184.91.130 -j DNAT --to-destination 10.100.4.7
> iptables: Invalid argument
> + '[' -z '' ']'
> + stop_firewall
> + set +x
>
> This happens no matter what I have tried after patching the kernel with
> the 01/07/03 netfilter patch-o-matic's ip_conntrack_pptp and
> ip_conntrack_gre.

You must build and use the version of iptables that matches the version of
patch-o-matic that you are using. I ran into a similar problem when I tried to
use the ip_conntrack_pptp patch. Of course once I solved that problem, my
firewall crashed every 5 minutes.... :-(

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Thanks for the quick reply Tom. That makes perfect sense, but I am still having
problems making it work. Here's what I tried:

Plain 2.4.20 from kernel.org patched with GRE/PPTP stuff from POM
iptables 1.2.7a RedHat RPM
Patch-o-matic-20030107 from netfilter.org
Shorewall quits trying to load when it gets to the DNAT stuff. "Invalid Argument"

Plain 2.4.20 patched with GRE/PPTP stuff from POM
iptables 1.2.8 from netfilter.org
Patch-o-matic-20030107 from netfilter.org
Same thing... Shorewall quits trying to load when it gets to the DNAT stuff.

Plain 2.4.20... patched with GRE/PPTP from POM
iptables 1.2.8
Patch-o-matic-20030515 from netfilter CVS
Same thing again.

Then I tried patching the kernel up to 2.4.21-rc2-ac2 before patching with POM.
Still the same problems.

So my question is this... what's the voodoo behind figuring out what POM goes
with what iptables release?

--Levi
On Tue, 20 May 2003 14:49:46 -0500, Levi Masterson <lmasterson@hcocntf.org> wrote:

> So my question is this... what's the voodoo behind figuring out what POM
> goes with what iptables release?

To start with, post your POM/netfilter questions on the Netfilter list and not
on the Shorewall list.

-Tom

PS -- unless you uninstalled the RedHat RPM before installing your version of
iptables, you are almost certainly still running the former...
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 20 May 2003 13:06:14 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> To start with, post your POM/netfilter questions on the Netfilter list
> and not on the Shorewall list.

Sorry -- that came out harsher than I meant it to. What I'm nevertheless trying
to say is that the netfilter list is a much better source of this type of
information than this list is...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Well <g> It might just be me (not having the advantage of a native English
speaker) that you sound rough now and then. On the other hand it is part of
your charm. As long as the info supplied keeps as good as it is no one will
care.

Axel

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Dienstag, 20. Mai 2003 22:12
To: Tom Eastep; Levi Masterson; shorewall-users@lists.shorewall.net

On Tue, 20 May 2003 13:06:14 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> To start with, post your POM/netfilter questions on the Netfilter list
> and not on the Shorewall list.

Sorry -- that came out harsher than I meant it to. What I'm nevertheless trying
to say is that the netfilter list is a much better source of this type of
information than this list is...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 20 May 2003 20:16:26 -0000, <Axel@congos.net> wrote:

> Well <g> It might just be me (not having the advantage of a native
> English speaker) that you sound rough now and then.

I know that I do; it seems to happen on most of the mailing lists that I
subscribe to -- the person who answers the bulk of the questions eventually
begins to develop a sharp edge. I've known people who have been in support for
years and still enjoy it; I don't know how they do it...

> On the other hand it is part of your charm. As long as the info supplied
> keeps as good as it is no one will care.

:-)

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
I can say I almost knew better before I hit send. I was just hoping that since
you more or less saw what the problem was when I sent the first query, you
might be able to answer the second one, since it was along the same thread and
others (maybe) could run into the same problem.

As for the iptables thing, you are correct -- didn't remove the RPM, so there's
a /usr/local/sbin/iptables that's 1.2.8 and a /sbin/iptables that's 1.2.6a.
Good call.

I'll go subscribe to (and search the archives for) the answer to my other
question in the netfilter list now and go back to lurker mode here...

Regardless, Shorewall is a great thing and it makes my firewalls so much easier
to administer -- and has great support here on the list.

--Thanks Tom--
--Levi Masterson
On Wed, 21 May 2003 09:09:33 -0500, Levi Masterson <lmasterson@hcocntf.org> wrote:

> As for the iptables thing, you are correct -- didn't remove the RPM, so
> there's a /usr/local/sbin/iptables that's 1.2.8 and a /sbin/iptables
> that's 1.2.6a. Good call.

I've been cut by that sharp edge myself. You can make shorewall use the one in
/usr/local/sbin/ by setting the PATH in shorewall.conf appropriately (after I
bandaged my finger, I added the PATH setting to shorewall.conf :-) .

> Regardless, Shorewall is a great thing and it makes my firewalls so much
> easier to administer -- and has great support here on the list.

Thanks, Levi

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
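The root cause in this thread (Tom's PS about the RedHat RPM still being in use, and Levi's two copies of iptables at /sbin and /usr/local/sbin) is a PATH-shadowing problem: the shell runs whichever copy appears first in PATH, so a source-built iptables can silently lose to the distribution package. The script below is an added example, not code from the thread or from Shorewall, that walks a PATH string, lists every copy of a binary in lookup order, reports each copy's `-V` output, and warns when more than one exists. The function names (`find_all_in_path`, `first_in_path`, `shadow_count`, `reported_version`, `report`) and the `--run` switch are this example's own; the version strings it parses follow the `iptables v1.2.8` form that iptables prints.

```shell
#!/bin/sh
# Added example (not part of the Shorewall thread): detect a shadowed binary
# along a PATH string. Two hits with the older copy first is exactly the
# situation described in the thread (/sbin/iptables from the RPM winning
# over /usr/local/sbin/iptables built from source).

# find_all_in_path NAME PATHSTR
#   Print every executable NAME found in the directories of PATHSTR, in the
#   order the shell searches them. The first line is the one that runs.
find_all_in_path() {
    name=$1
    pathstr=$2
    old_ifs=$IFS
    IFS=:
    for dir in $pathstr; do
        [ -n "$dir" ] || dir=.          # an empty PATH element means "."
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    IFS=$old_ifs
}

# first_in_path NAME PATHSTR -> the copy a bare "NAME" invocation resolves to
first_in_path() {
    find_all_in_path "$1" "$2" | head -n 1
}

# shadow_count NAME PATHSTR -> how many copies exist along PATHSTR
shadow_count() {
    find_all_in_path "$1" "$2" | wc -l | tr -d ' '
}

# reported_version BIN -> version printed by "BIN -V" (e.g. "iptables v1.2.8"
#   becomes "1.2.8"); empty if the binary does not answer
reported_version() {
    "$1" -V 2>/dev/null | awk 'NR == 1 { sub(/^v/, "", $2); print $2 }'
}

# report NAME PATHSTR -> one line per copy (path, version, whether it wins),
#   plus a warning when the binary is shadowed
report() {
    n=$(shadow_count "$1" "$2")
    first=1
    find_all_in_path "$1" "$2" | while read -r bin; do
        if [ "$first" -eq 1 ]; then
            tag="(this one runs)"
            first=0
        else
            tag="(shadowed)"
        fi
        printf '%s %s %s\n' "$bin" "$(reported_version "$bin")" "$tag"
    done
    if [ "$n" -gt 1 ]; then
        echo "WARNING: $n copies of $1 on PATH; remove the unwanted one or set PATH in shorewall.conf"
    fi
    return 0
}

# Stand-alone usage: "sh thisscript.sh --run" inspects the live PATH for iptables.
if [ "${1:-}" = "--run" ]; then
    report iptables "$PATH"
fi
```

Run it with `--run` on the firewall host to see which iptables Shorewall will actually execute; if the first line is not the copy you built against your patch-o-matic snapshot, either remove the package or set PATH in shorewall.conf so the intended directory comes first.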