I decided after a year to update my firewall install. Going from Redhat 7.2 and shorewall 1.2.x to Mandrake 9.2 and shorewall 1.4.8. I've compiled a new 2.4.23 kernel with the appropriate network options, but I keep getting an iptables error if I have anything in the masq file. If the masq file is empty shorewall starts fine but I obviously can't do anything from my network. I've even used the sample files from the two-interface config on the shorewall site and it resulted in the same error. Here's some output for debugging:

> shorewall version
1.4.8

> ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:56:b7:d6 brd ff:ff:ff:ff:ff:ff
    inet 216.231.50.32/24 brd 216.231.50.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:90:27:a5:59:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global eth1

> ip route show
192.168.1.0/24 dev eth1 scope link
216.231.50.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 216.231.50.1 dev eth0

> output of trace
+ eval exists_nat_eth0_masq=Yes
++ exists_nat_eth0_masq=Yes
+ run_iptables2 -t nat -A eth0_masq -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQUERADE
+ '[' 'x-t nat -A eth0_masq -s 192.168.1.0/24 -d 0.0.0.0/0 -j
+ MASQUERADE' = 'x-t nat -A eth0_masq -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQUERADE' ']'
+ run_iptables -t nat -A eth0_masq -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQUERADE
+ iptables -t nat -A eth0_masq -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQUERADE
iptables: Invalid argument
+ '[' -z '' ']'
+ stop_firewall
+ set +x
On Tuesday 30 December 2003 11:11 am, chris wrote:

> I decided after a year to update my firewall install. Going from Redhat 7.2
> and shorewall 1.2.x to Mandrake 9.2 and shorewall 1.4.8. I've compiled a
> new 2.4.23 kernel with the appropriate network options, but I keep getting
> an iptables error if I have anything in the masq file. If the masq file is
> empty shorewall starts fine but I obviously can't do anything from my
> network. I've even used the sample files from the two-interface config on
> the shorewall site and it resulted in the same error.
>
> > output of trace
>
> + eval exists_nat_eth0_masq=Yes
> ++ exists_nat_eth0_masq=Yes
> + run_iptables2 -t nat -A eth0_masq -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQUERADE
> + '[' 'x-t nat -A eth0_masq -s 192.168.1.0/24 -d 0.0.0.0/0 -j
> + MASQUERADE' = 'x-t nat -A eth0_masq -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQUERADE' ']'
> + run_iptables -t nat -A eth0_masq -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQUERADE
> + iptables -t nat -A eth0_masq -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQUERADE
> iptables: Invalid argument
> + '[' -z '' ']'
> + stop_firewall
> + set +x

This almost always means that iptables was compiled against a different version of the netfilter headers than are in the current kernel.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hmmm. Ok, I'll reinstall iptables and see what happens.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, December 30, 2003 11:21 AM
To: Mailing List for Experienced Shorewall Users; chris
Subject: Re: [Shorewall-users] shorewall reinstall
On Tuesday 30 December 2003 11:23 am, chris wrote:

> Hmmm. Ok, I'll reinstall iptables and see what happens.

You have to REBUILD iptables using the 2.4.23 kernel headers. By default, iptables installs into /usr/local/sbin so you need to adjust the PATH in /etc/shorewall/shorewall.conf to ensure that this version will be executed. This will allow you to use /sbin/iptables when running a standard mandrake kernel and /usr/local/sbin/iptables when you are running your own kernel.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
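An added check script, not from the thread and not Shorewall's own code, that shows how to confirm which iptables binary Shorewall will execute under the PATH set in shorewall.conf, and how to probe the MASQUERADE target against the running kernel in a scratch nat chain (the probe needs root; the demo uses a constructed config and placeholder binaries). The function names shorewall_path, resolve_iptables and probe_masquerade are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall itself:
# which iptables will Shorewall run under the PATH it is given,
# and does the MASQUERADE target load against the running kernel?

# Print the PATH= value from a shorewall.conf (path given as $1).
shorewall_path() {
    sed -n 's/^[[:space:]]*PATH=//p' "$1" | tail -n 1 | tr -d '"'
}

# Resolve the first executable "iptables" on a colon-separated
# search path. Prints its full path; exit status 1 if none.
resolve_iptables() (
    IFS=:
    for d in $1; do
        [ -x "$d/iptables" ] && { printf '%s\n' "$d/iptables"; return 0; }
    done
    return 1
)

# Try to add a MASQUERADE rule in a scratch nat chain, then remove
# it. Needs root and a real kernel; status 1 reproduces the
# "iptables: Invalid argument" failure seen in the thread.
probe_masquerade() {
    ipt=$1; chain="probe_masq_$$"
    "$ipt" -t nat -N "$chain" 2>/dev/null || return 2
    if "$ipt" -t nat -A "$chain" -s 192.168.1.0/24 -j MASQUERADE 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    "$ipt" -t nat -F "$chain"; "$ipt" -t nat -X "$chain"
    return $rc
}

# Demo with a constructed shorewall.conf and empty placeholder
# binaries, so it runs without root: the hand-built iptables in
# usr/local/sbin wins because it is listed first in PATH.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sbin" "$tmp/usr/local/sbin"
    for b in "$tmp/sbin/iptables" "$tmp/usr/local/sbin/iptables"; do
        : > "$b"; chmod +x "$b"
    done
    printf 'PATH=%s:%s\n' "$tmp/usr/local/sbin" "$tmp/sbin" > "$tmp/shorewall.conf"
    resolve_iptables "$(shorewall_path "$tmp/shorewall.conf")"
    rm -rf "$tmp"
}
```

Run `probe_masquerade "$(resolve_iptables "$(shorewall_path /etc/shorewall/shorewall.conf)")"` as root on the firewall to see whether the binary Shorewall will pick can load MASQUERADE under the kernel currently booted.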
That worked. With a removal of the Mandrake rpm and installing the 1.2.9 iptables against the 2.4.23 kernel I was able to get it started. Now I remember having to do this a year ago. Guess I'm outta practice. Thanks Tom.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, December 30, 2003 11:38 AM
To: Mailing List for Experienced Shorewall Users; chris
Subject: Re: [Shorewall-users] shorewall reinstall