Dear list members,

Masquerading does not work for me. This is a Mandrake Linux 10 system, but I use another kernel than the one included in the original distribution (original: 2.6.3, now 2.6.8, because of a lot of suck with OpenSwan with kernels prior to 2.6.4).

The problem seems to be similar or identical to the one mentioned here:
http://archives.msfree.ca/shorewall-users@shorewall.net/2003-09/msg00491.html

The difference from the above post is:

IN THE POST:
"The same command line that fails with -A ppp0_masq succeeds with -A POSTROUTING."

AT MY HOST:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
iptables: Invalid argument

I tried some variations:

iptables-1.2.9
kernel-2.4.25.7mdk-1-1mdk (default 2.4 in MDK10)
kernel-i686-up-4GB-2.6.3.15mdk
kernel-i686-up-4GB-2.6.8.1.1mdk
shorewall-2.0.7-1mdk.noarch
shorewall-2.1.4-1.noarch

The result was always the same -- see below. The failed command works only without the -j MASQUERADE option:

iptables -t nat -A eth0_masq -s 192.168.4.0/24 -d 0.0.0.0/0 <-- OK.

It seems my system (with any of the variations of the components listed above) can't jump to the MASQUERADE target.

Is there a known solution, workaround etc. related to the problem? Is it a frequent symptom? Or did I misconfigure something...?
Have a nice day:
Balázs NÉMETH, Hungary, Budapest

+ echo 'Masqueraded Networks and Hosts:'
+ save_progress_message 'Restoring Masquerading/SNAT...'
+ echo
+ echo 'progress_message "Restoring Masquerading/SNAT..."'
+ echo
+ read fullinterface networks addresses proto ports ipsec
+ expandv fullinterface networks addresses proto ports ipsec
+ local varval
+ '[' 6 -gt 0 ']'
+ eval 'varval=$fullinterface'
++ varval=eth0
+ eval 'fullinterface="eth0"'
++ fullinterface=eth0
+ shift
+ '[' 5 -gt 0 ']'
+ eval 'varval=$networks'
++ varval=eth1
+ eval 'networks="eth1"'
++ networks=eth1
+ shift
+ '[' 4 -gt 0 ']'
+ eval 'varval=$addresses'
++ varval=
+ eval 'addresses=""'
++ addresses=
+ shift
+ '[' 3 -gt 0 ']'
+ eval 'varval=$proto'
++ varval=
+ eval 'proto=""'
++ proto=
+ shift
+ '[' 2 -gt 0 ']'
+ eval 'varval=$ports'
++ varval=
+ eval 'ports=""'
++ ports=
+ shift
+ '[' 1 -gt 0 ']'
+ eval 'varval=$ipsec'
++ varval=
+ eval 'ipsec=""'
++ ipsec=
+ shift
+ '[' 0 -gt 0 ']'
+ '[' -n Yes ']'
+ setup_one
+ local add_snat_aliases=, pre_nat= policy=
+ '[' x = x- ']'
+ '[' -n '' ']'
+ '[' -n '' ']'
+ destnets=0.0.0.0/0
+ interface=eth0
+ list_search eth0 eth0 eth1 eth2
+ local e=eth0
+ '[' 4 -gt 1 ']'
+ shift
+ '[' xeth0 = xeth0 ']'
+ return 0
+ '[' eth1 = eth1 ']'
+ nomasq=
+ source=eth1
++ get_routed_networks eth1
++ local address
++ local rest
++ ip route show dev eth1
++ read address rest
++ '[' x192.168.4.0/24 = xdefault ']'
++ '[' 192.168.4.0/24 = 192.168.4.0 ']'
++ echo 192.168.4.0/24
++ read address rest
+ networks=192.168.4.0/24
+ '[' -z 192.168.4.0/24 ']'
+ networks=192.168.4.0/24
+ '[' x = x- ']'
+ '[' -n '' -a -n , ']'
+ '[' x = x- ']'
+ '[' x = x- ']'
+ '[' -n '' ']'
+ displayproto=(all)
+ '[' -n '' ']'
+ destination=0.0.0.0/0
+ '[' -z '' ']'
++ masq_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ echo eth0_masq
+ chain=eth0_masq
+ '[' -n '' ']'
+ addrlist=
+ '[' -n '' ']'
+ '[' -n 192.168.4.0/24 ']'
+ '[' -n '' ']'
++ separate_list 0.0.0.0/0
++ local list
++ local part
++ local newlist
++ list=0.0.0.0/0
++ part=0.0.0.0/0
++ newlist=0.0.0.0/0
++ '[' x0.0.0.0/0 '!=' x0.0.0.0/0 ']'
++ echo 0.0.0.0/0
+ addnatrule eth0_masq -s 192.168.4.0/24 -d 0.0.0.0/0 -j MASQUERADE
+ ensurenatchain eth0_masq
+ havenatchain eth0_masq
+ eval test '"$exists_nat_eth0_masq"' = Yes
++ test '' = Yes
+ createnatchain eth0_masq
+ run_iptables -t nat -N eth0_masq
+ '[' -n '' ']'
+ iptables -t nat -N eth0_masq
+ eval exists_nat_eth0_masq=Yes
++ exists_nat_eth0_masq=Yes
+ run_iptables2 -t nat -A eth0_masq -s 192.168.4.0/24 -d 0.0.0.0/0 -j MASQUERADE
+ '[' 'x-t nat -A eth0_masq -s 192.168.4.0/24 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A eth0_masq -s 192.168.4.0/24 -d 0.0.0.0/0 -j MASQUERADE' ']'
+ run_iptables -t nat -A eth0_masq -s 192.168.4.0/24 -d 0.0.0.0/0 -j MASQUERADE
+ '[' -n '' ']'
+ iptables -t nat -A eth0_masq -s 192.168.4.0/24 -d 0.0.0.0/0 -j MASQUERADE
iptables: Invalid argument
+ '[' -z '' ']'
+ error_message 'ERROR: Command "iptables -t' nat -A eth0_masq -s 192.168.4.0/24 -d 0.0.0.0/0 -j 'MASQUERADE" Failed'
+ echo ' ERROR: Command "iptables -t' nat -A eth0_masq -s 192.168.4.0/24 -d 0.0.0.0/0 -j 'MASQUERADE" Failed'
   ERROR: Command "iptables -t nat -A eth0_masq -s 192.168.4.0/24 -d 0.0.0.0/0 -j MASQUERADE" Failed
+ stop_firewall
+ '[' -n /var/lib/shorewall/shorewall.1l2H6U ']'
+ rm -f /var/lib/shorewall/shorewall.1l2H6U
+ set +x
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NÉMETH Balázs wrote:
|
| AT MY HOST: iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d
| 0.0.0.0/0 -j MASQUERADE iptables: Invalid argument

This is not a Shorewall problem -- your iptables is compiled against
kernel headers that are incompatible with the kernel you are running.
You have to rebuild iptables against your current kernel headers and
adjust the PATH variable in /etc/shorewall/shorewall.conf to run your
new iptables (which will be installed in /usr/local/sbin by default).

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBI/eVO/MAbZfjDLIRArmzAJsF+cQYlZ5nHQNmwCYlkLhhIw9NAACcDYk0
/8M9zKyNLOwSXYJaem95u5E=
=yJVX
-----END PGP SIGNATURE-----
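The second half of Tom's remedy is easy to get wrong: after rebuilding iptables into /usr/local/sbin, Shorewall keeps running the distribution's /sbin/iptables unless the PATH setting in /etc/shorewall/shorewall.conf lists /usr/local/sbin first. The script below is an added example, not code from the thread or from Shorewall; it assumes only that shorewall.conf carries a PATH= line (which Tom's reply refers to) and builds a throwaway directory tree with constructed binaries and config files so it can be run without touching a real host.

```shell
#!/bin/sh
# Added example, not part of the thread or of Shorewall itself: after rebuilding
# iptables into /usr/local/sbin, verify that the PATH Shorewall uses (the PATH=
# line in /etc/shorewall/shorewall.conf) resolves to the rebuilt binary rather
# than the distribution's /sbin/iptables.

# Print the value of the (last) PATH= setting in a shorewall.conf file.
shorewall_path() {
    sed -n 's/^[[:space:]]*PATH=//p' "$1" | tail -n 1 | tr -d '"'
}

# Print the first executable named iptables on a colon-separated search path.
# Returns 1 (and prints nothing) when none is found.
first_iptables() {
    _old_ifs=$IFS
    IFS=:
    for _dir in $1; do
        if [ -x "$_dir/iptables" ]; then
            IFS=$_old_ifs
            echo "$_dir/iptables"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# Succeed only when the iptables Shorewall would run is the expected binary.
# $1 = shorewall.conf path, $2 = full path of the rebuilt iptables.
check_shorewall_iptables() {
    _found=$(first_iptables "$(shorewall_path "$1")") || return 1
    [ "$_found" = "$2" ]
}

# Build a scratch tree mimicking the situation in the thread (constructed data):
# a distribution iptables under sbin, a rebuilt one under usr/local/sbin, a
# bad.conf that searches sbin first and a good.conf that searches the rebuilt
# binary's directory first. Prints the root of the tree.
make_demo_tree() {
    _root=$(mktemp -d)
    mkdir -p "$_root/sbin" "$_root/usr/local/sbin"
    : > "$_root/sbin/iptables"
    : > "$_root/usr/local/sbin/iptables"
    chmod +x "$_root/sbin/iptables" "$_root/usr/local/sbin/iptables"
    printf 'PATH="%s/sbin:%s/usr/local/sbin"\n' "$_root" "$_root" > "$_root/bad.conf"
    printf 'PATH="%s/usr/local/sbin:%s/sbin"\n' "$_root" "$_root" > "$_root/good.conf"
    echo "$_root"
}

# Stand-alone demonstration: run as "sh this_script.sh demo" to see which
# binary each configuration would select.
if [ "${1:-}" = "demo" ]; then
    root=$(make_demo_tree)
    for conf in bad.conf good.conf; do
        printf '%s -> %s\n' "$conf" "$(first_iptables "$(shorewall_path "$root/$conf")")"
    done
    rm -rf "$root"
fi
```

On a real host the same check is `check_shorewall_iptables /etc/shorewall/shorewall.conf /usr/local/sbin/iptables`; a failure means the old binary is still first on Shorewall's search path and the "Invalid argument" error will come back on the next `shorewall start` even though the rebuild succeeded.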
Dear Tom,

you are absolutely right.

THANK YOU for the immediate answer. It was helpful and perfect. It is very friendly not to answer: "RTFM and FAQ, guy!". I have read the FAQ, the mailing list and Google, but I missed (typical stupid user):

*(FAQ 27a) I just built and installed a new kernel and now Shorewall won't start. I know that my kernel options are correct.*

It was a little hard to compile iptables from source for me, but I think it was the right decision (and an advanced lesson) to replace firestarter with shorewall.

You are a cool guy:
Balázs NÉMETH, Budapest

Tom Eastep wrote:
> This is not a Shorewall problem -- your iptables is compiled against
> kernel headers that are incompatible with the kernel you are running.
> You have to rebuild iptables against your current kernel headers and
> adjust the PATH variable in /etc/shorewall/shorewall.conf to run your
> new iptables (which will be installed in /usr/local/sbin by default).
>
> - -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
I suggest to extend FAQ 27a:

*(FAQ 27a) I just built and installed a new kernel and now Shorewall won't start. I know that my kernel options are correct.*

I _did not_ build a new kernel, I just installed one from an unofficial rpm (rpmfind.net). I replaced the "factory default". But the error -- and the remedy -- was the same as described in FAQ 27a. But because the FAQ starts with "I just built a new kernel", I skipped it.

I suggest:

*(FAQ 27a) I just built (or downloaded; copied from CD etc.) and installed a new kernel **and now Shorewall won't start. **I know that my kernel options are correct.*

Balázs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NÉMETH Balázs wrote:
| I suggest to extend FAQ 27a:
|
| *(FAQ 27a) I just built and installed a new kernel and now Shorewall
| won't start. I know that my kernel options are correct.*
|
| I _did not_ build a new kernel, I just installed one from an unofficial rpm
| (rpmfind.net). I replaced the "factory default".
| But the error -- and the remedy -- was the same as described in FAQ 27a.
| But because the FAQ starts with "I just built a new kernel", I skipped it.
|
| I suggest:
|
| *(FAQ 27a) I just built (or downloaded; copied from CD etc.) and
| installed a new kernel **and now Shorewall won't start. **I know that my
| kernel options are correct.*
|

Will do. Thanks,

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key  \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBJMirO/MAbZfjDLIRAsxiAKDDs6tONqHxfY93KEyfYhRyswGq+ACgxqk8
vjLp5SLQNYRsgsg+6ID3Hho=
=pq3V
-----END PGP SIGNATURE-----