gravity paul # /etc/init.d/shorewall start
* Starting firewall ...
iptables v1.3.8: Unknown arg `--to-destination'
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables -t nat -A common_in -d eth1 -j DNAT --to-destination" Failed
/sbin/shorewall: line 375: 7474 Terminated ${VARDIR}/.start
$debugging start [ !! ]
AFAIK it's a 2-interface connection. eth1 gets an address by DHCP and is
giving out on eth0 176.0.0.x to a few clients.
gravity paul # shorewall show
Shorewall 3.4.6 filter Table at gravity - Wed Nov 21 19:54:15 GMT 2007
Counters reset Fri Jan 12 08:51:25 UTC 2007
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 236 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
gravity paul # shorewall dump
Shorewall 3.4.6 Dump at gravity - Wed Nov 21 19:54:55 GMT 2007
Counters reset Fri Jan 12 08:51:25 UTC 2007
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 236 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Log (/var/log/messages)
NAT Table
Chain PREROUTING (policy ACCEPT 1 packets, 236 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Mangle Table
Chain PREROUTING (policy ACCEPT 1 packets, 236 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1 packets, 236 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 545 packets, 110K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Conntrack Table
tcp 6 431866 ESTABLISHED src=192.168.0.4 dst=216.113.188.37 sport=53326 dport=80 packets=1 bytes=40 [UNREPLIED] src=216.113.188.37 dst=192.168.0.4 sport=80 dport=53326 packets=0 bytes=0 mark=0 use=1
IP Configuration
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0e:a6:b4:47:65 brd ff:ff:ff:ff:ff:ff
inet 176.0.0.1/24 brd 176.0.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:f1:2f:d2:bb brd ff:ff:ff:ff:ff:ff
inet 192.168.0.4/24 brd 192.168.0.255 scope global eth1
IP Stats
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
10421 183 0 0 0 0
TX: bytes packets errors dropped carrier collsns
10421 183 0 0 0 0
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0e:a6:b4:47:65 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:f1:2f:d2:bb brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
1474456 1307 0 0 0 0
TX: bytes packets errors dropped carrier collsns
164686 1093 0 0 0 0
/proc
/proc/version = Linux version 2.6.22-gentoo-r8 (root@gravity) (gcc version 4.1.2 (Gentoo 4.1.2)) #5 PREEMPT Wed Nov 21 19:36:46 GMT 2007
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/default/log_martians = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/log_martians = 0
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/log_martians = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 1
/proc/sys/net/ipv4/conf/lo/log_martians = 0
Routing Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Table default:
Table local:
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.4
broadcast 176.0.0.255 dev eth0 proto kernel scope link src 176.0.0.1
broadcast 192.168.0.0 dev eth1 proto kernel scope link src 192.168.0.4
broadcast 176.0.0.0 dev eth0 proto kernel scope link src 176.0.0.1
local 176.0.0.1 dev eth0 proto kernel scope host src 176.0.0.1
local 192.168.0.4 dev eth1 proto kernel scope host src 192.168.0.4
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
192.168.0.0/24 dev eth1 scope link metric 2000
176.0.0.0/24 dev eth0 proto kernel scope link src 176.0.0.1
169.254.0.0/16 dev eth1 scope link metric 2000
127.0.0.0/8 dev lo scope link
default via 192.168.0.1 dev eth1 metric 2000
ARP
? (192.168.0.1) at 00:1B:2F:A1:9B:62 [ether] on eth1
Modules
ip_tables 9032 4 iptable_raw,iptable_mangle,iptable_nat,iptable_filter
ipt_ECN 2432 0
ipt_LOG 5248 0
ipt_MASQUERADE 2560 0
ipt_NETMAP 1792 0
ipt_REDIRECT 1792 0
ipt_REJECT 3328 0
ipt_SAME 1920 0
ipt_TOS 1792 0
ipt_TTL 1920 0
ipt_ULOG 6148 0
ipt_addrtype 1664 0
ipt_ah 1664 0
ipt_ecn 1920 0
ipt_iprange 1664 0
ipt_owner 1792 0
ipt_recent 7064 0
ipt_tos 1408 0
ipt_ttl 1664 0
iptable_filter 2304 1
iptable_mangle 2176 0
iptable_nat 5636 0
iptable_raw 1920 0
nf_conntrack 47832 8 xt_state,xt_CONNMARK,xt_connmark,xt_conntrack,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_ipv4 12556 4 iptable_nat
nf_nat 13996 5 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,iptable_nat
xt_CLASSIFY 1664 0
xt_CONNMARK 2304 0
xt_MARK 2048 0
xt_comment 1664 0
xt_connmark 1920 0
xt_conntrack 2304 0
xt_length 1792 0
xt_multiport 2816 0
xt_physdev 2320 0
xt_pkttype 1664 0
xt_policy 3200 0
xt_state 2048 2
xt_tcpmss 1920 0
xt_tcpudp 2816 0
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Not available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Available
TCPMSS Match: Available
Hashlimit Match: Not available
Traffic Control
Device eth0:
qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device eth1:
qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 171244 bytes 1093 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
TC Filters
Device eth0:
Device eth1:
gravity paul #