Gentoo Forums
Problems with Iptables howto
odioworks_com
Tux's lil' helper

Joined: 23 Jan 2005
Posts: 82
Location: Charlottesville, Virginia

PostPosted: Thu Apr 07, 2005 11:24 am    Post subject: Problems with Iptables howto

I'm trying to get NAT working on my server... and well it's not.

I've followed this HOWTO to no avail:
https://forums.gentoo.org/viewtopic-t-159133-postdays-0-postorder-asc-highlight-iptables+howto-start-0.html

iptables is compiled into the kernel, but when I try to run the script included in the HOWTO:

Code:

 #!/bin/bash
IPTABLES='/sbin/iptables'

# Set interface values
EXTIF='ppp0'
INTIF1='eth1'
INTIF2='eth2'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

#echo -e "       - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

#echo -e "       - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP


through the command /etc/init.d/iptables start

I get a series of errors, found here: http://www.odioworks.com/iptables.txt

Any ideas?
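For comparison, a fail-closed variant of the HOWTO script quoted above (an added example, not the HOWTO's or the poster's code): default DROP policies, reply traffic admitted explicitly, LAN-to-Internet only for new connections, and logging of what the policies discard. The interface names are the thread's; IPTABLES can be overridden with "echo" to preview the rule set without touching the kernel.

```shell
#!/bin/sh
# Hardened NAT/firewall script (added example). Fails closed and logs drops.
# IPTABLES, EXTIF and INTIF1 can be overridden from the environment.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF="${EXTIF:-ppp0}"   # Internet-facing interface
INTIF1="${INTIF1:-eth1}" # LAN interface

enable_forwarding() {
    # ip_forward is a kernel switch exposed through procfs, not a file on
    # disk; if it is absent the running kernel does not offer IPv4 forwarding.
    [ -e /proc/sys/net/ipv4/ip_forward ] || { echo "no ip_forward switch" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

apply_rules() {
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X
    # Default deny: nothing is accepted or forwarded unless a rule says so.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    # Loopback, plus replies to connections the host or the LAN opened.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services the firewall host itself offers (same ports as the HOWTO).
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
    # New connections may only be opened from the LAN towards the Internet.
    $IPTABLES -A FORWARD -i "$INTIF1" -o "$EXTIF" -m state --state NEW -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    # Record what the DROP policies are about to discard on the outside interface.
    $IPTABLES -A INPUT -i "$EXTIF" -j LOG --log-prefix "fw-in-drop: "
    $IPTABLES -A FORWARD -i "$EXTIF" -j LOG --log-prefix "fw-fwd-drop: "
}

# Run as "./firewall.sh apply"; with no argument the functions are only defined.
case "${1:-}" in
    apply) enable_forwarding && apply_rules ;;
esac
```

Preview with `IPTABLES=echo ./firewall.sh apply` before running it for real.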
mens
Guru

Joined: 27 Aug 2003
Posts: 392
Location: Belgium

PostPosted: Thu Apr 07, 2005 11:31 am

remove the space in front of #!/bin/bash on line 1
peka
l33t

Joined: 16 Mar 2005
Posts: 773
Location: Płońsk, Poland

PostPosted: Thu Apr 07, 2005 11:34 am

just guessing..
didn't try this howto yet...
but...

try:
Code:
echo $IPTABLES

to check if you have '/sbin/iptables' there
and see if you have '/sbin/iptables' at all
_________________
p3k4

Seize the time, Meribor. Live now; make now always the most precious time. Now will never come again...
Jean-Luc Picard, Star Trek TNG - The Inner Light
MrUlterior
Guru

Joined: 22 Mar 2005
Posts: 511
Location: Switzerland

PostPosted: Thu Apr 07, 2005 12:46 pm

Do as mens suggests (remove the space), if that's not it, post the results of:
Code:

whereis iptables
emerge -s iptables

To find the iptables bin & check that iptables is emerged.

If this is still not the problem, then perhaps your iptables is compiled as kernel module and not loaded, in which case you might want to add something like:
Code:
# load every netfilter module shipped with the running kernel
for MODULE in $(find /lib/modules/$(uname -r)/kernel/net -path '*/netfilter/*' -name "*.ko" -type f -printf "%f\n" | egrep -o "^[^.]+"); do
   echo "Loading ${MODULE}"
   modprobe $MODULE
done
# (you'll need to check the above, only have access to an AIX box right now & there's no gnu egrep or find
# so I can't test the "-print %f" and 'egrep -o .... '

before your first use of the $IPTABLES var in your script. (note, if it works, it'll load all netfilter modules your kernel has built .. )
_________________

Misanthropy 2.0 - enough hate to go around
odioworks_com
Tux's lil' helper

Joined: 23 Jan 2005
Posts: 82
Location: Charlottesville, Virginia

PostPosted: Thu Apr 07, 2005 5:02 pm

Yah iptables is built into the kernel - not loaded. I didn't realize this would be an issue.

I will try adding that script & get back to you.


FYI:
Once I removed the space I get this error:
http://odioworks.com/iptables.txt

And here is the output from whereis iptables:
http://odioworks.com/iptables2.txt
odioworks_com
Tux's lil' helper

Joined: 23 Jan 2005
Posts: 82
Location: Charlottesville, Virginia

PostPosted: Thu Apr 07, 2005 5:07 pm

would it be better for me to just recompile my kernel with this as modules & not built into it?

Also another tidbit of info that I forgot to include:
modprobe ip_tables returns error "FATAL: Module ip_tables not found"
MrUlterior
Guru

Joined: 22 Mar 2005
Posts: 511
Location: Switzerland

PostPosted: Thu Apr 07, 2005 5:42 pm

odioworks_com wrote:
would it be better for me to just recompile my kernel with this as modules & not built into it?

Also another tidbit of info that I forgot to include:
modprobe ip_tables returns error "FATAL: Module ip_tables not found"


When you say built in; do you mean as a module or built into the kernel itself?
You can check with:
Code:
gzcat /proc/config.gz | egrep -i "(netfilter|ip_nf)"

_________________

Misanthropy 2.0 - enough hate to go around
odioworks_com
Tux's lil' helper

Joined: 23 Jan 2005
Posts: 82
Location: Charlottesville, Virginia

PostPosted: Thu Apr 07, 2005 6:07 pm

as far as I know it's built in directly to the kernel.

Here's the output from the command
gzcat /proc/config.gz | egrep -i "(netfilter|ip_nf)"

http://www.odioworks.com/gzcat.txt
odioworks_com
Tux's lil' helper

Joined: 23 Jan 2005
Posts: 82
Location: Charlottesville, Virginia

PostPosted: Thu Apr 07, 2005 6:13 pm

hm..

I tried adding this code before $IPTABLES

Code:
# load every netfilter module shipped with the running kernel
for MODULE in $(find /lib/modules/$(uname -r)/kernel/net -path '*/netfilter/*' -name "*.ko" -type f -printf "%f\n" | egrep -o "^[^.]+"); do
   echo "Loading ${MODULE}"
   modprobe $MODULE
done


but I still get this error:
http://www.odioworks.com/iptables3.txt
MrUlterior
Guru

Joined: 22 Mar 2005
Posts: 511
Location: Switzerland

PostPosted: Thu Apr 07, 2005 6:32 pm

Did you remove the space before "#!/bin/bash" ?
_________________

Misanthropy 2.0 - enough hate to go around
odioworks_com
Tux's lil' helper

Joined: 23 Jan 2005
Posts: 82
Location: Charlottesville, Virginia

PostPosted: Thu Apr 07, 2005 7:08 pm

I did remove the space.

Here is my exact IP tables script. Notice I commented out the code for the second internal interface (I only have one).

http://www.odioworks.com/iptables_code.txt


-s
odioworks_com
Tux's lil' helper

Joined: 23 Jan 2005
Posts: 82
Location: Charlottesville, Virginia

PostPosted: Thu Apr 07, 2005 7:56 pm

I noticed a line in the code refers to /proc/sys/net/ipv4/ip_forward - that file doesn't exist on my machine. Would this be the problem?

-s
throck
n00b

Joined: 10 Apr 2004
Posts: 39

PostPosted: Thu Apr 07, 2005 8:37 pm

odioworks_com wrote:
I noticed a line in the code refers to /proc/sys/net/ipv4/ip_forward - that file doesn't exist on my machine.

Nope. The ip_forward file is not a file on a real filesystem (as far as I understand it anyway). It has to be created on each boot, which is why you have the line that says "echo 1 > /proc/sys/net/ipv4/ip_forward". That essentially creates a text file containing the number "1" in it, which tells the kernel (or iptables) that forwarding should be enabled.

The problem seems to be that the "#!/bin/bash" line, which tells the shell which program to use to execute this script, is the line giving the error. For some reason it can't find /bin/bash. Could be a permissions issue, although it's doubtful since you are probably using the bash shell currently. Unfortunately I can't help much more than that at this point.
_________________
Adopt an Unanswered Post Initiative
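A small check that tells the two failure modes in this thread apart (an added example, not something a poster wrote): the kernel only honours "#!" when it is the very first two bytes of the file, and the interpreter named after it must exist and be executable. The leading space in the HOWTO script breaks the first condition; a clobbered /bin/bash breaks the second. The sample files are constructed inline.

```shell
#!/bin/sh
# check_shebang FILE: explain why "FILE: No such file or directory" appears
# when FILE is executed. Returns 0 when the interpreter line is usable.
check_shebang() {
    first=$(head -n 1 "$1")
    case "$first" in
        '#!'*)   ;;
        *'#!'*)  echo "text before #! -> kernel will not use it as an interpreter line"; return 1 ;;
        *)       echo "no #! line -> the calling shell runs the script itself"; return 2 ;;
    esac
    # A CRLF file carries "\r" into the path: "/bin/bash\r" does not exist.
    case "$first" in
        *"$(printf '\r')") echo "CRLF line ending after the interpreter path"; return 3 ;;
    esac
    # Interpreter = first word after "#!", optional blanks allowed.
    interp=$(printf '%s\n' "$first" | sed 's/^#![[:space:]]*//; s/[[:space:]].*//')
    if [ ! -x "$interp" ]; then
        echo "interpreter $interp is missing or not executable"
        return 4
    fi
    echo "ok: $interp"
}

# Constructed samples, including the exact defect from the thread.
demo() {
    tmp=$(mktemp -d)
    printf ' #!/bin/bash\necho hi\n'   > "$tmp/space.sh"    # leading space
    printf '#!/bin/sh\necho hi\n'      > "$tmp/good.sh"
    printf '#!/bin/sh\r\necho hi\r\n'  > "$tmp/crlf.sh"     # CRLF line endings
    printf '#!/bin/bash.missing\n'     > "$tmp/missing.sh"  # interpreter gone
    for f in space good crlf missing; do
        printf '%s: ' "$f"; check_shebang "$tmp/$f.sh" || true
    done
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```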
odioworks_com
Tux's lil' helper

Joined: 23 Jan 2005
Posts: 82
Location: Charlottesville, Virginia

PostPosted: Thu Apr 07, 2005 9:45 pm

hmmmmmmmm

this could very well be related to a previous problem I had... I am embarrassed to say

see:
https://forums.gentoo.org/viewtopic-t-320349-highlight-.html

I assumed the problem was fixed when I successfully re-emerged bash.
MrUlterior
Guru

Joined: 22 Mar 2005
Posts: 511
Location: Switzerland

PostPosted: Fri Apr 08, 2005 7:56 am

odioworks_com wrote:
hmmmmmmmm

this could very well be related to a previous problem I had... I am embarrassed to say

see:
https://forums.gentoo.org/viewtopic-t-320349-highlight-.html

I assumed the problem was fixed when I successfully re-emerged bash.


Lol! most likely, cat /bin/bash & see if it's still your firewall script .... if it is, copy it somewhere, rm -f /bin/bash and re-emerge bash. Use the live cd if you need to.
_________________

Misanthropy 2.0 - enough hate to go around
odioworks_com
Tux's lil' helper

Joined: 23 Jan 2005
Posts: 82
Location: Charlottesville, Virginia

PostPosted: Fri Apr 08, 2005 3:56 pm

nah when I cat it - it's obviously /bin/bash.

I had re-emerged bash before starting this post - which I think fixed the problem.

So I'm still stuck here:

/etc/init.d/iptables
: No such file or directory

Maybe there's an easier way to set up iptables? I heard about firehol but it seemed more complicated than a straight script when I tried to use it. Speaking of which - could the fact that I previously merged firehol and then unmerged it be a problem?

-s