Here's what I'm seeing when I try to start shorewall:

[root@jed shorewall]# ../init.d/shorewall restart
Processing /etc/shorewall/params ...
Shorewall Not Currently Running
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: ppp0:0.0.0.0/0
Local Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
Rule "ACCEPT fw net tcp 53" added.
Rule "ACCEPT fw net udp 53" added.
Rule "ACCEPT loc net tcp 53" added.
Rule "ACCEPT loc net udp 53" added.
Rule "ACCEPT loc fw tcp 22" added.
Rule "ACCEPT loc net tcp 22" added.
Rule "ACCEPT loc fw icmp 8" added.
Rule "ACCEPT net fw icmp 8" added.
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy ACCEPT for fw to loc using chain fw2loc
Policy DROP for net to fw using chain net2all
Policy ACCEPT for loc to fw using chain loc2all
Policy ACCEPT for loc to net using chain loc2net
Masqueraded Subnets and Hosts:
iptables: Invalid argument
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
Terminated

I noticed from the above that something was wrong in the masq file, so
I removed it and then shorewall started OK (but masquerading doesn't work
because there's no masq file). My masq file only contains the following:

#INTERFACE SUBNET ADDRESS
ppp0 eth0

...that's it. I connect to the internet via ppp0 and eth0 connects to
the hub and two other computers.

shorewall version:
1.3.14a

uname -a
Linux jed.home.com 2.4.19-16mdk #1 Fri Sep 20 18:15:05 CEST 2002 i686

Mandrake 9.1 (with the older 2.4.19-16mdk kernel - the 2.4.21 kernel which
came with 9.1 caused my system to hang when accessing the CDROM, so I'm
using the older one - BTW: I was running shorewall on this machine/kernel
prior to the upgrade to 9.1; the kernel is identical to the one I used
with 9.0, which was running shorewall OK.)

ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:d0:09:c4:3d:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
7: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1514 qdisc pfifo_fast qlen 3
    link/ppp
    inet 216.99.219.54 peer 208.130.244.122/32 scope global ppp0

ip route show
208.130.244.122 dev ppp0 proto kernel scope link src 216.99.219.54
255.255.255.255 dev eth0 scope link
192.168.0.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 208.130.244.122 dev ppp0

Here's the trace from where the masq file is searched for:

++ find_file masq
++ '[' -n '' -a -f /masq ']'
++ echo /etc/shorewall/masq
+ masq=/etc/shorewall/masq
+ '[' -f /etc/shorewall/masq ']'
+ setup_masq /etc/shorewall/masq
+ strip_file masq /etc/shorewall/masq
+ local fname
+ '[' 2 = 1 ']'
+ fname=/etc/shorewall/masq
+ '[' -f /etc/shorewall/masq ']'
+ cut -d# -f1 /etc/shorewall/masq
+ grep -v '^[[:space:]]*$'
+ '[' -n Yes ']'
+ echo 'Masqueraded Subnets and Hosts:'
+ read fullinterface subnet address
+ expandv fullinterface subnet address
+ local varval
+ '[' 3 -gt 0 ']'
+ eval 'varval=$fullinterface'
++ varval=ppp0
+ eval 'fullinterface="ppp0"'
++ fullinterface=ppp0
+ shift
+ '[' 2 -gt 0 ']'
+ eval 'varval=$subnet'
++ varval=eth0
+ eval 'subnet="eth0"'
++ subnet=eth0
+ shift
+ '[' 1 -gt 0 ']'
+ eval 'varval=$address'
++ varval=
+ eval 'address=""'
++ address=
+ shift
+ '[' 0 -gt 0 ']'
+ '[' -n Yes ']'
+ setup_one
+ local using
+ destnet=0.0.0.0/0
+ interface=ppp0
+ list_search ppp0 ppp0 eth0
+ local e=ppp0
+ '[' 3 -gt 1 ']'
+ shift
+ '[' xppp0 = xppp0 ']'
+ return 0
+ '[' eth0 = eth0 ']'
+ nomasq=
++ masq_chain ppp0
+++ chain_base ppp0
+++ local c=ppp0
+++ echo ppp0
++ echo ppp0_masq
+ chain=ppp0_masq
+ iface=
+ source=eth0
++ get_routed_subnets eth0
++ local address
++ local rest
++ ip route show dev eth0
++ read address rest
++ echo 255.255.255.255/32
++ read address rest
++ echo 192.168.0.0/24
++ read address rest
+ subnets=255.255.255.255/32
192.168.0.0/24
+ '[' -z '255.255.255.255/32
192.168.0.0/24' ']'
+ subnet=255.255.255.255/32
192.168.0.0/24
+ '[' -n '' -a -n '' ']'
+ destination=0.0.0.0/0
+ '[' -n '' ']'
+ destnet=-d 0.0.0.0/0
+ '[' -n '255.255.255.255/32
192.168.0.0/24' ']'
+ '[' -n '' ']'
+ addnatrule ppp0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE
+ ensurenatchain ppp0_masq
+ havenatchain ppp0_masq
+ eval test '"$ppp0_masq_nat_exists"' = Yes
++ test '' = Yes
+ createnatchain ppp0_masq
+ run_iptables -t nat -N ppp0_masq
+ iptables -t nat -N ppp0_masq
+ eval ppp0_masq_nat_exists=Yes
++ ppp0_masq_nat_exists=Yes
+ run_iptables2 -t nat -A ppp0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE
+ '[' 'x-t nat -A ppp0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A ppp0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE' ']'
+ run_iptables -t nat -A ppp0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE
+ iptables -t nat -A ppp0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE
iptables: Invalid argument
+ '[' -z '' ']'
+ stop_firewall
+ set +x

This is _not_ the version of shorewall that came with Mandrake (I heeded
the instructions in the quick start which said to remove Mandrake's
shorewall package and install one from the shorewall site).

Phil
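The trace in the post above shows what a SUBNET column of "eth0" turns into: Shorewall's get_routed_subnets reads "ip route show dev eth0", takes the first field of every route (adding /32 to a bare host address), and one MASQUERADE rule is then attempted per derived network; the first of those, "-s 255.255.255.255/32", is the command iptables rejected. The script below is an added example written for this archive, not Shorewall's own code: it reproduces that derivation on route lines constructed from Phil's "ip route show" output, prints the iptables commands that would result so they can be tried by hand one at a time, and lists the /32 entries (a host route used as a masquerade source matches exactly one address and deserves a second look). The sample routes and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: mirror Shorewall 1.3's derivation of masquerade source
# networks from "ip route show dev eth0", without running iptables.

# Constructed route lines for eth0, taken from the "ip route show" output
# in the post (only the two eth0 entries, as "ip route show dev eth0" prints).
SAMPLE_ROUTES='255.255.255.255 scope link
192.168.0.0/24 scope link'

# routed_subnets: read route lines on stdin and emit the first field of each
# as a network; a bare address gets /32 appended, as the trace shows.
routed_subnets() {
    result=""
    while read -r address rest; do
        [ -z "$address" ] && continue
        case "$address" in
            */*) net="$address" ;;
            *)   net="$address/32" ;;
        esac
        result="${result}${result:+ }$net"
    done
    printf '%s\n' "$result"
}

# masq_rules: print the iptables command that would be issued for each
# derived network in the given masquerade chain (one rule per network).
masq_rules() {
    chain="$1"; subnets="$2"
    for s in $subnets; do
        printf 'iptables -t nat -A %s -s %s -d 0.0.0.0/0 -j MASQUERADE\n' "$chain" "$s"
    done
}

# host_routes: list the /32 entries so they can be reviewed before they
# become masquerade sources.
host_routes() {
    for s in $1; do
        case "$s" in
            */32) printf '%s\n' "$s" ;;
        esac
    done
    return 0
}

subnets=$(printf '%s\n' "$SAMPLE_ROUTES" | routed_subnets)
echo "derived subnets: $subnets"
masq_rules ppp0_masq "$subnets"
echo "host routes to review: $(host_routes "$subnets" | tr '\n' ' ')"
```

On a live box, replace the constructed SAMPLE_ROUTES with the real output ("ip route show dev eth0 | routed_subnets") and compare the derived list with what "iptables -t nat -L ppp0_masq -n" shows after a successful start; typing each printed command by hand tells you which network, if any, iptables refuses.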
Phil:

You are starting shorewall before the interface is up...
use the /etc/ppp/ip-up.local file to (re)start shorewall

see:
http://www.shorewall.net/starting_and_stopping_shorewall.htm
Important Notes: 2

Jerry Vonau

----- Original Message -----
From: "Phil Tomson" <ptkwt@aracnet.com>
To: <shorewall-users@lists.shorewall.net>
Sent: Tuesday, September 09, 2003 07:35 PM
Subject: [Shorewall-users] iptables: Invalid argument

> Here's what I'm seeing when I try to start shorewall:
>
> [root@jed shorewall]# ../init.d/shorewall restart
> [...]
> Masqueraded Subnets and Hosts:
> iptables: Invalid argument
> Processing /etc/shorewall/stop ...
> Processing /etc/shorewall/stopped ...
> Terminated
>
> I noticed from the above that something was wrong in the masq file, so
> I removed it and then shorewall started OK (but masquerading doesn't work
> because there's no masq file). My masq file only contains the following:
>
> #INTERFACE SUBNET ADDRESS
> ppp0 eth0
>
> ...that's it. I connect to the internet via ppp0 and eth0 connects to
> the hub and two other computers.
> [...]
> Phil
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
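Jerry's suggestion is to let pppd restart the firewall once the link exists. The script below is an added example of an /etc/ppp/ip-up.local written for this archive; it is not from Jerry, Phil or the Shorewall project. pppd invokes ip-up scripts with the arguments interface-name, tty-device, speed, local-IP, remote-IP and ipparam; the script restarts Shorewall only when the interface that came up is a ppp interface and logs what it did. The SHOREWALL_CMD override and the function names are assumptions made so the decision logic can be exercised without touching a real firewall.

```shell
#!/bin/sh
# Added example /etc/ppp/ip-up.local: restart Shorewall after a ppp link is up.
# pppd runs this as: ip-up.local IFACE TTY SPEED LOCAL_IP REMOTE_IP IPPARAM

# Init script used for the restart (the post calls it as ../init.d/shorewall).
# SHOREWALL_CMD is an assumed override so the logic can be tested dry.
SHOREWALL_CMD="${SHOREWALL_CMD:-/etc/init.d/shorewall}"

# needs_restart IFACE: true (0) only for ppp interfaces; eth0 and friends
# coming up must not bounce the firewall.
needs_restart() {
    case "$1" in
        ppp[0-9]*) return 0 ;;
        *)         return 1 ;;
    esac
}

# ip_up IFACE TTY SPEED LOCAL_IP REMOTE_IP: restart Shorewall when
# appropriate and print one line describing the decision.
ip_up() {
    iface="$1"; local_ip="$4"; remote_ip="$5"
    if needs_restart "$iface"; then
        "$SHOREWALL_CMD" restart >/dev/null 2>&1
        echo "restarted shorewall after $iface came up ($local_ip -> $remote_ip)"
    else
        echo "ignored $iface"
    fi
}

# Only act when pppd actually handed us an interface name; record the
# outcome in syslog so a restart at link time can be correlated later.
if [ -n "$1" ]; then
    ip_up "$@" | logger -t ip-up.local
fi
```

Install it mode 0755 as /etc/ppp/ip-up.local (Mandrake's /etc/ppp/ip-up calls it at the end) and watch syslog for the "restarted shorewall" line on the next dial-up; if the same "iptables: Invalid argument" still appears in the Shorewall output at that point, interface timing was not the problem.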
I was starting shorewall _after_ ppp0 was up.

Phil

On Tue, 9 Sep 2003, Jerry Vonau wrote:

> Phil:
>
> You are starting shorewall before the interface is up...
> use the /etc/ppp/ip-up.local file to (re)start shorewall
>
> see:
> http://www.shorewall.net/starting_and_stopping_shorewall.htm
> Important Notes: 2
>
> Jerry Vonau
Hard to say without any experience picking apart iptables data. I'm surprised
no one has answered this yet. Phil, it looks as though you've given all the
correct info. If this isn't working then I would uninstall this and reinstall.
You have a setup similar to mine. Really doesn't get any easier than the way
you have this set up. So a simple uninstall/reinstall is a very simple
workaround for now. That's if you need this working ASAP. Wish I could've
been more helpful. The only thing that I was thinking is that there was
possibly some whitespace detected when you edited a file... That's just a
guess.

JBanks

--- Phil Tomson <ptkwt@aracnet.com> wrote:
> I was starting shorewall _after_ ppp0 was up.
>
> Phil
On Wed, 2003-09-10 at 13:50, Phil Tomson wrote:
> I was starting shorewall _after_ ppp0 was up.
>

Just for fun, could you post the output of "lsmod"?

--
http://www.shorewall.net
Shorewall, for all your firewall needs
On 10 Sep 2003, Ed Greshko wrote:

> On Wed, 2003-09-10 at 13:50, Phil Tomson wrote:
> > I was starting shorewall _after_ ppp0 was up.
> >
>
> Just for fun, could you post the output of "lsmod"/

Sure, here it is:

[root@jed shorewall]# lsmod
Module                  Size  Used by    Not tainted
nls_iso8859-1           2844   1 (autoclean)
isofs                  25652   1 (autoclean)
inflate_fs             17892   0 (autoclean) [isofs]
ipt_LOG                 3384   5 (autoclean)
ipt_TOS                  984  12 (autoclean)
ipt_MASQUERADE          1272   0 (autoclean)
ipt_REJECT              2744   4 (autoclean)
ipt_TCPMSS              2360   1 (autoclean)
ipt_state                568  16 (autoclean)
iptable_mangle          2072   1 (autoclean)
ip_nat_irc              2384   0 (unused)
ip_nat_ftp              2992   0 (unused)
iptable_nat            15224   2 [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        3056   1
ip_conntrack_ftp        3952   1
ip_conntrack           18400   4 [ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter          1644   1 (autoclean)
ip_tables              11672  11 [ipt_LOG ipt_TOS ipt_MASQUERADE ipt_REJECT ipt_TCPMSS ipt_state iptable_mangle iptable_nat iptable_filter]
ppp_deflate            41024   0 (autoclean)
bsd_comp                4344   0 (autoclean)
lp                      6720   0 (autoclean) (unused)
parport                23936   0 (autoclean) [lp]
nfsd                   66576   8 (autoclean)
lockd                  46480   1 (autoclean) [nfsd]
sunrpc                 60188   1 (autoclean) [nfsd lockd]
ppp_async               7456   1
ppp_generic            20064   3 [ppp_deflate bsd_comp ppp_async]
slhc                    5072   1 [ppp_generic]
af_packet              13000   1 (autoclean)
sr_mod                 15096   2 (autoclean)
floppy                 49340   0
sis900                 13388   1 (autoclean)
supermount             14340   2 (autoclean)
ide-cd                 28712   0
cdrom                  26848   0 [sr_mod ide-cd]
ide-scsi                8212   1
scsi_mod               90372   2 [sr_mod ide-scsi]
rtc                     6560   0 (autoclean)
ext3                   74004   6
jbd                    38452   6 [ext3]

> > On Tue, 9 Sep 2003, Jerry Vonau wrote:
> > > Phil:
> > >
> > > You are starting shorewall before the interface is up...
> > > use the /etc/ppp/ip-up.local file to (re)start shorewall
> > >
> > > see:
> > > http://www.shorewall.net/starting_and_stopping_shorewall.htm
> > > Important Notes: 2
> > >
> > > Jerry Vonau
> > >
> > > ----- Original Message -----
> > > From: "Phil Tomson" <ptkwt@aracnet.com>
> > > To: <shorewall-users@lists.shorewall.net>
> > > Sent: Tuesday, September 09, 2003 07:35 PM
> > > Subject: [Shorewall-users] iptables: Invalid argument
On Wed, 10 Sep 2003, Joshua Banks wrote:

> Hard to say without any experience picking apart iptables data. I'm surprised no one has answered
> this yet. Phil it looks as though you've given all the correct info. If this isn't working then I
> would uninstall this and reinstall. You have a setup similar to mine. Really doesn't get any
> easier than the way you have this setup. So a simple uninstall reinstall is a very simple work
> around for now. That's if you need this working ASP.
>
> Wish I could've been more helpful. The only thing that I was thinking is that there was possibly
> some whitespace detected when you edited a file...That's just a guess..
>
> JBanks

I just tried the uninstall-reinstall idea. Problem still exists.

The offending iptables command is this (from the trace):

iptables -t nat -A ppp0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE

The part that is the invalid argument is the '-j MASQUERADE'. If I issue the command:

iptables -t nat -A ppp0_masq -s 255.255.255.255/32 -d 0.0.0.0/0

without the -j option there's no complaint, so that's how I'm coming to that conclusion...

Phil
Hmmm, I'm totally curious now.. :p

-j, --jump target
    This specifies the target of the rule; i.e., what to do if the packet matches it. The
    target can be a user-defined chain (other than the one this rule is in), one of the special builtin
    targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS
    below). If this option is omitted in a rule, then matching the rule will have no effect on the
    packet's fate, but the counters on the rule will be incremented.

The above doesn't really do anything for me. Again I don't know iptables this is why I have
Shorewall.. :) It does everything for me.. Heeee. He....

What version of iptables are you using: "iptables --version" from the command line?

What was the specific command that you gave initially to get your trace info for ppp. I will do
the same on my end and compare?

Thanks,
JBanks
On Wed, 10 Sep 2003, Joshua Banks wrote:

> Hmmm, I'm totally curious now.. :p
>
> -j, --jump target
>     This specifies the target of the rule; i.e., what to do if the packet matches it. The
>     target can be a user-defined chain (other than the one this rule is in), one of the special builtin
>     targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS
>     below). If this option is omitted in a rule, then matching the rule will have no effect on the
>     packet's fate, but the counters on the rule will be incremented.
>
> The above doesn't really do anything for me. Again I don't know iptables this is why I have
> Shorewall.. :) It does everything for me.. Heeee. He....
>
> What version of iptables are you using: "iptables --version" from the command line?

iptables v1.2.7a

> What was the specific command that you gave initially to get your trace info for ppp. I will do
> the same on my end and compare?

You mean this?:

shorewall debug start 2> /tmp/trace

Phil
Hmmmmm....not sure what to do here. Sorry. Here's a copy of my trace zipped up. If you're unsure on how to unzip just "unzip trace.zip" and you should get trace.txt.. Sorry, I wish I could've been more help.

Thanks,
JBanks

-------------- next part --------------
A non-text attachment was scrubbed...
Name: trace.zip
Type: application/x-zip
Size: 28403 bytes
Desc: trace.zip
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030910/d0fa9ed2/trace-0001.bin
On Wed, 2003-09-10 at 16:11, Phil Tomson wrote:

> just tried the uninstall-reinstall idea. Problem still exists.
>
> The offending iptables command is this (from the trace):
> iptables -t nat -A ppp0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE

The command you cite above looks rather odd to me....

On my system I see the following...

iptables -t nat -A eth0_masq -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQUERADE

where 192.168.1.0/24 is the network address of eth1...

Ed
On Wed, 2003-09-10 at 16:41, Phil Tomson wrote:

> shorewall debug start 2> /tmp/trace

I get a different error than you do if I transform my masq file from unix to dos format. But, it leads me to ask the question how did you edit your masq file or install shorewall. Maybe try running "dos2unix masq" and then try starting shorewall?

Ed
Phil:

Two things come to mind
First, 1.3.14a is a bit old.... I'd move to 1.4.x to stay current...
Second, since you did a reinstall with the same effect,
can you post the config files that were edited?

This is strange:
>> + interface=ppp0
>> + list_search ppp0 ppp0 eth0
>> + local e=ppp0

Is ppp0 listed twice in the interfaces file??
I can't tell with seeing some files...

Jerry Vonau

----- Original Message -----
From: "Phil Tomson" <ptkwt@aracnet.com>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, September 10, 2003 03:11 AM
Subject: Re: [Shorewall-users] iptables: Invalid argument
On Wed, 10 Sep 2003, Jerry Vonau wrote:

> Phil:
>
> Two things come to mind
> First, 1.3.14a is a bit old.... I'd move to 1.4.x to stay current...
> Second, since you did a reinstall with the same effect,
> can you post the config files that were edited?
>
> This is strange:
> >> + interface=ppp0
> >> + list_search ppp0 ppp0 eth0
> >> + local e=ppp0
>
> Is ppp0 listed twice in the interfaces file??
> I can't tell with seeing some files...
>
> Jerry Vonau

OK. Here's the interfaces file:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        detect      dhcp,routefilter
loc     eth0        detect

Here's the masq file:

#INTERFACE   SUBNET   ADDRESS
ppp0         eth0

Here's the rules file:

#
# Accept DNS connections from the firewall to the network
#
ACCEPT  fw   net  tcp   53
ACCEPT  fw   net  udp   53
#
# Accept SSH connections from the local network for administration
#
ACCEPT  loc  fw   tcp   22
#
# Accept Ping Ubiquitously
#
ACCEPT  loc  fw   icmp  8
ACCEPT  net  fw   icmp  8

Here's the policy file:

#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      net   ACCEPT
#
# If you want open access to the internet from your firewall, uncomment the
# following line
#fw      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info

I'm not sure which part you're quoting that shows ppp0 twice...

Phil
On 10 Sep 2003, Ed Greshko wrote:

> On Wed, 2003-09-10 at 16:11, Phil Tomson wrote:
> > just tried the uninstall-reinstall idea. Problem still exists.
> >
> > The offending iptables command is this (from the trace):
> > iptables -t nat -A ppp0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE
>
> The command you cite above looks rather odd to me....
>
> On my system I see the following...
>
> iptables -t nat -A eth0_masq -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQUERADE
>
> where 192.168.1.0/24 is the network address of eth1...
>

Hmmmm.... I thought the 255.255.255.255 was a bit odd.

Any idea how that number is determined?

Phil
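The trace earlier in the thread shows where that number comes from: get_routed_subnets eth0 reads "ip route show dev eth0", takes the first field of every line and emits it with /32 appended when the route has no prefix length, so the 255.255.255.255 host route on eth0 turns into the source 255.255.255.255/32 of the MASQUERADE rule. The POSIX sh below is an added example, not Shorewall's own code: it re-creates that derivation (reconstructed from the trace, not copied from Shorewall) on a constructed copy of Phil's eth0 routes and flags the limited-broadcast address before any rule is built, printing the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example: reconstruct how a masq source subnet is derived from
# `ip route show dev <iface>` and catch the stray 255.255.255.255 route.

# Constructed sample: the two eth0 routes from Phil's `ip route show`
# (the same lines the trace reads, as `ip route show dev eth0` prints them).
SAMPLE_ROUTES='255.255.255.255 scope link
192.168.0.0/24 scope link'

# routed_subnets: mirror of the get_routed_subnets loop seen in the trace.
# Takes the first field of each route line; a bare host address (no "/")
# becomes a /32, which is exactly how 255.255.255.255/32 appeared.
# Output: one subnet per line.
routed_subnets() {
    printf '%s\n' "$1" | while read -r address rest; do
        [ -n "$address" ] || continue
        case "$address" in
            */*) echo "$address" ;;
            *)   echo "$address/32" ;;
        esac
    done
}

# is_masq_source_ok: a masqueraded source must be a client network.
# 255.255.255.255 is the limited-broadcast address and 0.0.0.0 the
# unspecified one; a host route to either is not a LAN subnet, so it is
# rejected here rather than handed to iptables.
is_masq_source_ok() {
    case "$1" in
        255.255.255.255|255.255.255.255/*) return 1 ;;
        0.0.0.0|0.0.0.0/*)                 return 1 ;;
        *)                                 return 0 ;;
    esac
}

# masq_sources: subnets that are safe to masquerade, one per line.
# Stray entries are reported on stderr so the operator can see which
# route produced them (here the 255.255.255.255 host route).
masq_sources() {
    routed_subnets "$1" | while read -r subnet; do
        if is_masq_source_ok "$subnet"; then
            echo "$subnet"
        else
            echo "skipping $subnet: not a client subnet, check 'ip route show'" >&2
        fi
    done
}

# masq_rules: the iptables commands in the form the trace shows, one per
# accepted source, printed rather than executed so they can be reviewed.
# $1 = masq chain (e.g. ppp0_masq), $2 = route listing for the inside interface.
masq_rules() {
    masq_sources "$2" | while read -r subnet; do
        echo "iptables -t nat -A $1 -s $subnet -d 0.0.0.0/0 -j MASQUERADE"
    done
}

# Stand-alone run: prints the single rule for 192.168.0.0/24 and a warning
# about the 255.255.255.255 route on stderr.
masq_rules ppp0_masq "$SAMPLE_ROUTES"
```

Run against the real host, replace SAMPLE_ROUTES with the output of "ip route show dev eth0"; a warning line means a route on the inside interface, not the masq file, is what feeds the bad -s argument.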
Have you tried Shorewall clear and iptables -F <chain> just to make sure there are no rules that may be affecting it?

Message: 1
Date: Wed, 10 Sep 2003 01:11:25 -0700 (PDT)
From: Phil Tomson <ptkwt@aracnet.com>
Subject: Re: [Shorewall-users] iptables: Invalid argument
To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
Message-ID: <Pine.LNX.4.44.0309100107520.28842-100000@onyx.spiritone.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII
me thinks it depends on the type of service you get. I use a ADSL connection via ppp0 and in my shorewall interfaces file I read:

net ppp0 - norfc1918,dhcp,routefilter,tcpflags

I use '-' instead of 'detect' in the broadcast column following the guidelines of the interface files (and the 3rd example in the same file). works here...

HIH,

Eduardo Ferreira

Phil Tomson <ptkwt@aracnet.com>
Sent by: shorewall-users-bounces@lists.shorewall.net
10/09/2003 14:40
Please respond to Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
cc:
Subject: Re: [Shorewall-users] iptables: Invalid argument
Just tried replacing the 'detect' with '-' for the net ppp0 entry of my interfaces file and it didn't help... the problem persists.

Phil

On Wed, 10 Sep 2003, Eduardo Ferreira wrote:

> me thinks it depends on the type of service you get. I use a ADSL
> connection via ppp0 and in my shorewall interfaces file I read:
>
> net ppp0 - norfc1918,dhcp,routefilter,tcpflags
>
> I use '-' instead of 'detect' in the broadcast column following the
> guidelines of the interface files (and the 3rd example in the same file).
> works here...
>
> HIH,
>
> Eduardo Ferreira
man, I'm out of ideas. had you already tried the last version 1.4.6c? or any other than that you are using?

Phil Tomson <ptkwt@aracnet.com>
Sent by: shorewall-users-bounces@lists.shorewall.net
10/09/2003 15:56
Subject: Re: [Shorewall-users] iptables: Invalid argument

Just tried replacing the 'detect' with '-' for the net ppp0 entry of my interfaces file and it didn't help... the problem persists.

Phil
I haven't tried that yet. I think there was a dependency issue with installing that rpm.... I'm actually starting to play directly with iptables now to see if I can get it going that way...

Phil

On Wed, 10 Sep 2003, Eduardo Ferreira wrote:
> man, I'm out of ideas. had you already tried the last version 1.4.6c? or
> any other than that you are using?
Phil Tomson
2003-Sep-10 13:18 UTC
[Shorewall-users] iptables: Invalid argument (found problem)
OK, I went to try it all manually with iptables and got the same thing, so then I decided to reboot into the 2.4.21mdk kernel that came with Mandrake 9.1 (carefully avoiding accessing the CDROM since that kernel hangs when I access the CDROM.). After doing that the Invalid argument message went away when starting shorewall. I suspect that the iptables must match the kernel or perhaps the modules being loaded were wrong...

So now I've got a different problem - gotta figure out why the CDROM access hangs the system.. but that's a problem for a different mailing list ;-)

Thanks for the help.

Phil

On Wed, 10 Sep 2003, Eduardo Ferreira wrote:
> man, I'm out of ideas. had you already tried the last version 1.4.6c? or
> any other than that you are using?
David T Hollis
2003-Sep-10 14:14 UTC
[Shorewall-users] iptables: Invalid argument (found problem)
Phil Tomson wrote:
> OK, I went to try it all manually with iptables and got the same thing, so
> then I decided to reboot into the 2.4.21mdk kernel that came
> with Mandrake 9.1 (carefully avoiding accessing the CDROM since that kernel
> hangs when I access the CDROM.). After doing that the Invalid argument
> message went away when starting shorewall. I suspect that the iptables
> must match the kernel or perhaps the modules being loaded were wrong...
>
> So now I've got a different problem - gotta figure out why the CDROM
> access hangs the system.. but that's a problem for a different mailing
> list ;-) Thanks for the help.
>
> Phil

I could have saved you a few hours of debugging had I checked the list earlier ;). I had this problem a week or so ago when I set up a Gentoo system with Shorewall. When I installed iptables, it compiled against the Gentoo kernel headers which had some additional patches to netfilter etc. I wound up running with a hand made kernel to meet my requirements and I had a lot of hair pulling with that.

After I rebuilt iptables against my kernel headers, everything was fine.
Joshua Banks
2003-Sep-10 14:50 UTC
[Shorewall-users] iptables: Invalid argument (found problem)
--- David T Hollis <dhollis@davehollis.com> wrote:
> I could have saved you a few hours of debugging had I checked the list
> earlier ;). I had this problem a week or so ago when I set up a Gentoo
> system with Shorewall. When I installed iptables, it compiled against
> the Gentoo kernel headers which had some additional patches to netfilter
> etc. I wound up running with a hand made kernel to meet my requirements
> and I had a lot of hair pulling with that. After I rebuilt iptables
> against my kernel headers, everything was fine.

I have no idea what this means. Are you saying that you had to modify the kernel/netfilter settings and then recompile the kernel? I've never heard anyone use the terms that you're using. Sorry. :)

If so what kernel are you running and what version of Shorewall are you running. I'm trying to compare my settings to someone else.
Right now I'm running Kernel-2.4.20-gentoo-r6 and Shorewall 1.4.6c...

Thanks,
JBanks
David T Hollis
2003-Sep-10 15:09 UTC
[Shorewall-users] iptables: Invalid argument (found problem)
Joshua Banks wrote:
> I have no idea what this means. Are you saying that you had to modify the kernel/netfilter
> settings and then recompile the kernel? I've never heard anyone use the terms that you're using.
> Sorry. :)
>
> If so what kernel are you running and what version of Shorewall are you running. I'm trying to
> compare my settings to someone else.
> Right now I'm running Kernel-2.4.20-gentoo-r6 and Shorewall 1.4.6c...
>
> Thanks,
> JBanks

When I built the system, I was using the 2.4.20-gentoo-r6 kernel. It includes a bunch of patches for various things, including a bunch of netfilter changes. It seems that some of those changes alter the structures used by iptables to configure things. When iptables is built, it looks for the kernel headers in /usr/src/linux/include which is the usual location for them, and that is where gentoo has them. When I went with my own kernel, the headers were not in that location so when I rebuilt iptables, it built against the gentoo headers and my problem persisted. After realizing this, I removed gentoo's symlink for /usr/src/linux and pointed it at my kernel sources directory and rebuilt iptables and all was well.

To summarize: Normally iptables isn't very kernel specific. I've gone from RH 6 systems to RH9 and I've never had a problem with iptables.

I noticed that the gentoo kernel seemed to include the 'newnat' patches for iptables/netfilter that are not in the mainline kernel. That is likely what caused the problem with my installation. The newnat patches provide additional connection tracking modules for things like h.323 but significantly alter the NAT/MASQ interfaces for netfilter.
My firewall/masquerade machine is connected to the internet via ppp0 and to the internal network of two linux boxen via eth0. One of the machines on the internal network has a printer connected to it; I'd like to be able to print to it from the firewall machine. Is there anything special I'll have to set up in rules or policy to allow this if I'm using cups on the firewall machine?

Phil
On Wed, 10 Sep 2003, Phil Tomson wrote:
> My firewall/masquerade machine is connected to the internet via ppp0 and
> to the internal network of two linux boxen via eth0. One of the machines
> on the internal network has a printer connected to it; I'd like to be
> able to print to it from the firewall machine. Is there anything special
> I'll have to set up in rules or policy to allow this if I'm using cups on
> the firewall machine?

I figured it out, I needed to add:

ACCEPT fw loc tcp 80,515

to the rules file.

Phil
r_quincy
2003-Sep-11 16:46 UTC
[Shorewall-users] iptables: Invalid argument (found problem)
Excellent explanation.

-----Original Message-----
From: David T Hollis [mailto:dhollis@davehollis.com]
Sent: Wednesday, September 10, 2003 6:08 PM
To: Shorewall Users Mailing List
Subject: Re: [Shorewall-users] iptables: Invalid argument (found problem)
Hi,

Can I use shorewall to make 2 networks "see" each other?
What I want to achieve is to make 2 networks connect to each other.
Here is what I have done so far:

Linux box (shorewall):
eth0 = 192.168.1.1/255.255.255.0
eth1 = 192.168.2.1/255.255.255.0

Networks:
network 192.168.1.0/24 gateway is 192.168.1.1
network 192.168.2.0/24 gateway is 192.168.2.1

I simply configured shorewall as:

zones:
lan LAN local area network
loc LOC other network

interface:
lan eth0 detect
loc eth1 detect

policy:
all all ACCEPT

routestopped:
eth0 192.168.1.0/24
eth1 192.168.2.0/24

but the 2 networks can't ping each other. So it's obvious I'm not doing this right =).
What are the other things to configure?

Thanks and best regards,
Kenneth Oncinian
Hi Kenneth,

On Fri, 12 Sep 2003, Kenneth Oncinian wrote:
> Can I use shorewall to make 2 networks "see" each other?

What you describe is commonly known as "routing". If that's all you want to do, then you don't need Shorewall at all. All you need to do is turn on IP forwarding on the router (the box that's connected to both networks), and then set the default gateway for all the machines on one LAN to 192.168.1.1 and on all the machines in the other LAN set the default gateway to 192.168.2.1.

To turn on IP forwarding, run this command as the root user on the router:

cat 1 > /proc/sys/net/ipv4/ip_forward

-Jason
Hello again,

On Thu, 11 Sep 2003, Jason Maas wrote:
> cat 1 > /proc/sys/net/ipv4/ip_forward

Argh...that command is wrong, sorry! Here is the proper command:

echo 1 > /proc/sys/net/ipv4/ip_forward

It's past my bedtime...

Jason
Hi Jason,

Thanks for the quick reply, actually I think I'm missing something here, the 192.168.1.0/24 network with gateway 192.168.1.1 can ping the 192.168.2.0/24 network but not vice versa. This is the same with shorewall enabled and with the manual command ip_route. I'm sure the gateway addresses for the 192.168.2.0/24 computers are correct, which are set to 192.168.2.1, but still they cannot ping or connect to the 192.168.1.0/24 network.

What am I missing here? kernel is 2.4.20

regards,
Kenneth Oncinian

----- Original Message -----
From: "Jason Maas" <maasj@dm.org>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Friday, September 12, 2003 11:11 AM
Subject: Re: [Shorewall-users] connecting 2 local networks
Hi Kenneth,

On Fri, 12 Sep 2003, Kenneth Oncinian wrote:
> This is the same with shorewall enabled and with the manual command
> ip_route.

I'm not sure what you mean by "the manual command ip_route". As I said before, you don't need Shorewall at all for what you want to do (so this discussion doesn't really belong on this mailing list), so make sure that it's completely disabled and you're not doing any firewalling. Make sure that IP forwarding is turned on.

> I'm sure the gateway addresses for the 192.168.2.0/24 computers are correct, which are
> set to 192.168.2.1, but still they cannot ping or connect to the 192.168.1.0/24
> network.
>
> What am I missing here? kernel is 2.4.20

Are the machines in the 192.168.2.0/24 network using IP addresses from that subnet? Are their subnet masks set to 192.168.2.255? Are their routing tables properly configured? Can the router ping anything in the 192.168.2.0/24 network? Are you doing the testing by host name or IP address? Use IP addresses to take DNS out of the picture.

If you still can't get it to work, then sniffing the wire with ethereal or tcpdump might shed some light on the problem.

Jason
On Tue, 9 Sep 2003, Phil Tomson wrote:
>
> I was starting shorewall _after_ ppp0 was up.

Possible causes are:

a) Kernel built without Masquerade support or ipt_MASQUERADE module not loaded.

b) Version mismatch between kernel Netfilter code and iptables. Often caused by installing new iptables utility into /usr/local/sbin when the old iptables is still present in /sbin

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
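As an added example (not Shorewall's code and not from any poster in this thread), a small POSIX shell script that checks a firewall host for the causes Tom lists above, the kernel-header mismatch David described in his Gentoo post, and the ip_forward flag from Jason's routing answer. It assumes a 2.4-era kernel source tree that records UTS_RELEASE in include/linux/version.h and a /proc/modules listing with the module name first on each line; every function takes its input location as an argument so it can be exercised against a constructed test tree.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Each check is a function that
# reads from a path given as argument (defaults are the live system paths).

# Print every executable named "$1" found in the directories of "$2" (a
# PATH string, defaults to $PATH), first match first. Two lines for
# "iptables" means two builds coexist, e.g. a new one in /usr/local/sbin
# next to the distribution's in /sbin; the first listed is the one the
# shell will run.
copies_on_path() {
    name=$1
    pathlist=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    for dir in $pathlist; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    IFS=$old_ifs
}

# Number of copies of "$1" exposed by the PATH string "$2".
count_copies() {
    copies_on_path "$1" "$2" | wc -l | tr -d ' '
}

# Succeed if ipt_MASQUERADE appears in a /proc/modules-style file ("$1").
# A kernel with MASQUERADE compiled in will not list it, so treat a
# failure here as "check the kernel config" rather than a certain fault.
masq_module_loaded() {
    modfile=${1:-/proc/modules}
    [ -r "$modfile" ] || return 1
    grep -q '^ipt_MASQUERADE ' "$modfile"
}

# Succeed if the ip_forward sysctl file ("$1") holds 1, i.e. the box routes.
ip_forward_enabled() {
    fwfile=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$fwfile" ] || return 1
    [ "$(cat "$fwfile")" = "1" ]
}

# Print the release string recorded in a kernel source tree ("$1"), taken
# from include/linux/version.h. iptables is compiled against those headers,
# so on a healthy box this equals `uname -r`; on the Gentoo case in this
# thread /usr/src/linux pointed at a different (patched) tree.
headers_release() {
    vh=$1/include/linux/version.h
    [ -r "$vh" ] || return 1
    sed -n 's/^#define UTS_RELEASE "\([^"]*\)".*/\1/p' "$vh" | head -n 1
}

# Run all checks against the live system; print one line per finding and
# return 1 if anything looks wrong, so an init script can refuse to start
# the firewall on a mismatched host.
netfilter_sanity_report() {
    status=0
    n=$(count_copies iptables "$PATH")
    if [ "$n" = "0" ]; then
        echo "WARN: no iptables binary on PATH"; status=1
    elif [ "$n" != "1" ]; then
        echo "WARN: $n iptables binaries on PATH, the first one wins:"
        copies_on_path iptables "$PATH" | sed 's/^/      /'
        status=1
    fi
    masq_module_loaded || { echo "WARN: ipt_MASQUERADE not loaded (built in, or missing?)"; status=1; }
    ip_forward_enabled || { echo "WARN: net.ipv4.ip_forward is not 1"; status=1; }
    if rel=$(headers_release /usr/src/linux) && [ "$rel" != "$(uname -r)" ]; then
        echo "WARN: /usr/src/linux headers are $rel, running kernel is $(uname -r)"
        status=1
    fi
    [ "$status" = "0" ] && echo "OK: no obvious netfilter/iptables mismatch found"
    return $status
}
```

Source the file and call netfilter_sanity_report as root on the firewall box; the individual functions can be pointed at copied files when auditing a host offline.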
On Fri, 12 Sep 2003, Kenneth Oncinian wrote:
> Hi,
>
> Can I use shorewall to make 2 networks "see" each other?
> What I want to achieve is to make 2 networks connect to each other.
> Here is what I have done so far:
>
> Linux box (shorewall):
> eth0 = 192.168.1.1/255.255.255.0
> eth1 = 192.168.2.1/255.255.255.0
>
> Networks:
> network 192.168.1.0/24 gateway is 192.168.1.1
> network 192.168.2.0/24 gateway is 192.168.2.1
>
> I simply configured shorewall as:
>
> zones:
> lan LAN local area network
> loc LOC other network
>
> interface:
> lan eth0 detect
> loc eth1 detect
>
> policy:
> all all ACCEPT
>
> routestopped:
> eth0 192.168.1.0/24
> eth1 192.168.2.0/24
>
> but the 2 networks can't ping each other. So it's obvious I'm not doing this right =).
> What are the other things to configure?

For what you want to do, there is ABSOLUTELY NO REASON TO USE SHOREWALL.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net