Hi Everybody,

I have a quite weird problem. My new NAT/firewall box fails to work.

Details: Mandrake 10.2, with:

    kernel-2.6.11-12mdk
    iptables-1.2.9-8mdk
    shorewall-2.4.4-1mdk

The error: shorewall start, dies at:

    Masqueraded Networks and Hosts:
    iptables: Invalid argument
       ERROR: Command "/sbin/iptables -t nat -A eth0_masq -s 10.0.0.0/8 -d 0.0.0.0/0 -j MASQUERADE" Failed

my masq file is:

    eth0    eth2
    eth1    eth2

(two Internet providers at eth0 and eth1 and a LAN at eth2)

After that error

    # iptables -t nat -L eth0_masq

gives:

    iptables: Table does not exist (do you need to insmod?)

So it seems that the iptables command tries to add a rule to the eth0_masq chain, which it failed to create!

Thanks for any idea!

Geza Gemes
Gémes Géza wrote:
> Thanks for any idea!

Mandrake 10.2 is broken -- one user on IRC claimed to have fixed the problem by removing the ip6tables package so you might try that.

The "invalid argument" error on a MASQ, DNAT or REDIRECT rule means that the iptables user space tools are incompatible with the running kernel.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
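The rule of thumb in the reply above, applied to `shorewall start` output as a log check. This is an added example, not part of the original thread or of Shorewall; the function names and verdict wording are hypothetical, and the sample log is constructed from the error quoted in the first message.

```shell
#!/bin/sh
# Added example. Reads `shorewall start` output on stdin and prints one
# verdict per failed iptables command. Verdict wording is this example's own.

diagnose_shorewall_log() {
    last_err=""
    while IFS= read -r line; do
        case "$line" in
            *'ERROR: Command "'*)
                cmd=${line#*\"}          # drop everything up to the opening quote
                cmd=${cmd%\"*}           # drop the closing quote and " Failed"
                target=$(printf '%s\n' "$cmd" | sed -n 's/.* -j \([A-Z]*\).*/\1/p')
                case "$last_err" in
                    "Invalid argument"*)
                        case "$target" in
                            MASQUERADE|DNAT|REDIRECT)
                                echo "$target: iptables userspace/kernel mismatch" ;;
                            *)  echo "${target:-?}: unclassified ($last_err)" ;;
                        esac ;;
                    "Table does not exist"*)
                        echo "${target:-?}: table unavailable" ;;
                    *)  echo "${target:-?}: unclassified ($last_err)" ;;
                esac
                last_err="" ;;
            *"iptables: "*)
                # Remember the most recent iptables error for the next ERROR line.
                last_err=${line#*iptables: } ;;
        esac
    done
}

# Versions to compare on the affected host (not run automatically).
show_versions() {
    echo "kernel:   $(uname -r)"
    command -v iptables >/dev/null 2>&1 && echo "iptables: $(iptables -V)"
    return 0
}

# Constructed sample, taken from the error quoted in the first message.
SAMPLE_LOG='Masqueraded Networks and Hosts:
iptables: Invalid argument
   ERROR: Command "/sbin/iptables -t nat -A eth0_masq -s 10.0.0.0/8 -d 0.0.0.0/0 -j MASQUERADE" Failed'

printf '%s\n' "$SAMPLE_LOG" | diagnose_shorewall_log
```

On a live box, pipe the output of `shorewall start 2>&1` into `diagnose_shorewall_log` and run `show_versions` to see which kernel and iptables builds are paired.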
Tom Eastep wrote:
> Gémes Géza wrote:
>
>> Thanks for any idea!
>
> Mandrake 10.2 is broken -- one user on IRC claimed to have fixed the
> problem by removing the ip6tables package so you might try that.
>
> The "invalid argument" error on a MASQ, DNAT or REDIRECT rule means that
> the iptables user space tools are incompatible with the running kernel.
>
> -Tom

Tomorrow I'll switch it to Debian

But I have a Mandrake 10.2 box working in the same config, except that with only one net zone. It has shorewall-2.0.17, the one shipped with 10.2, the same was installed on the failing box before I upgraded it to 2.4.4 trying to fix the problem :-(

BTW ip6tables wasn't installed on any of the boxes (the working and the failing).

Thanks

Geza
Gémes Géza wrote:
> Tomorrow I'll switch it to Debian
>
> But I have a Mandrake 10.2 box working in the same config, except that
> with only one net zone

And it doesn't do MASQ, REDIRECT or DNAT, does it? Those rules are always where iptables/kernel incompatibilities show up.

> It has shorewall-2.0.17, the one shipped with
> 10.2, the same was installed on the failing box before I upgraded it to
> 2.4.4 trying to fix the problem :-(

Read my lips: *This is not a Shorewall problem* -- It is just one more example of Mandrake/Mandriva's lousy quality control (which was the reason that I stopped using that distribution and why I left their insider's club -- when I installed an update and the spooler stopped working, I gave up on them). And if they are shipping Shorewall 2.0.17 with their latest release, they are about to be left behind; 2.0.x support will cease by the end of the year.

> BTW ip6tables wasn't installed on any of the boxes (the working and the
> failing).

Have you checked the Mandriva updates (Mandrake no longer exists)? They may have realized that they have a problem. I was unclear from IRC whether the poster removed ip6tables only or if he removed ip6tables AND installed an update.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Gémes Géza wrote:
>
>> Tomorrow I'll switch it to Debian
>>
>> But I have a Mandrake 10.2 box working in the same config, except that
>> with only one net zone
>
> And it doesn't do MASQ, REDIRECT or DNAT, does it? Those rules are
> always where iptables/kernel incompatibilities show up.
>
>> It has shorewall-2.0.17, the one shipped with
>> 10.2, the same was installed on the failing box before I upgraded it to
>> 2.4.4 trying to fix the problem :-(
>
> Read my lips: *This is not a Shorewall problem* -- It is just one more
> example of Mandrake/Mandriva's lousy quality control (which was the
> reason that I stopped using that distribution and why I left their
> insider's club -- when I installed an update and the spooler stopped
> working, I gave up on them). And if they are shipping Shorewall 2.0.17
> with their latest release, they are about to be left behind; 2.0.x
> support will cease by the end of the year.
>
>> BTW ip6tables wasn't installed on any of the boxes (the working and the
>> failing).
>
> Have you checked the Mandriva updates (Mandrake no longer exists)? They
> may have realized that they have a problem. I was unclear from IRC
> whether the poster removed ip6tables only or if he removed ip6tables AND
> installed an update.
>
> -Tom

Sorry for producing noise:

The working box has MASQ only and no DNAT nor REDIRECT, the not working one had just MASQ and no DNAT nor REDIRECT.

Both were up to date (the failing one has now Debian on it, I haven't had the time to install shorewall on it yet)

Thanks

Geza