old firewall script no longer works -- SOLVED

[Moriah]

I just had my gateway firewall/router machine die.

I replaced the ancient machine with a new one, but the ancient (many years old) firewall script doesn't work with the new up to date machine's version of iptables.

It cannot find the 'nat' table, and it cannot find the 'LOG' extension.

I am temporarilu connected via wifi to get on the internat to ask this question, so I cannot copy/paste the exact error message iptables is giving me, but in both cases, it mentions something about a missing kernel module.

Can anybody hep me get this working?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

[Hu]

The kernel module message is likely the explanation. Both the nat table and the LOG target are optional kernel features. You may not have them enabled in your new kernel. I believe you want at least NF_NAT=y, IP_NF_NAT=y, and probably NF_NAT_MASQUERADE=y to solve the nat error. You probably want NF_LOG_IPV4=y for the LOG target. If adding those does not work, post back and someone can research this for you. Those names are picked from memory.

[Moriah]

Thanks! I'll give it a try later tonight and post back either way.

This is my gateway firewall, so it does static nat for the dmz. I have a separate choke firewall that does masquerade from the lan to the dmz, and then the choke gets static natted to the internet thru the gateway firewall. Therefore, I do not need masquerade on this firewall, only static nat.

Can I build these kernel features as loadable modules, or do I need to build an entirely new kernel?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

[Hu]

Sometimes you can just build a module, but that is not guaranteed to work. I do not know whether it will work in this particular case. If it fails, the typical failure mode is that the module can be built, but cannot be loaded due to missing symbols, so it is usually safe to try this. At worst, you will need to go back and do a full kernel build instead when the module approach fails to load.

[Moriah]

Looking more closely at the output from the firewall script, I see DNAT, SNAT, and MASQUERADE are all complained about, so maybe I do need masquerade. I am assuming DNAT and SNAT are destination and source NAT, if my memory serves me. Do you have additional suggestions to handle these?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

[Hu]

I did not, but I checked the kernel source for you. Those appear to be implemented in net/netfilter/xt_nat.c. net/netfilter/Makefile will build net/netfilter/xt_nat.c if CONFIG_NETFILTER_XT_NAT is enabled. I think enabling that will provide both SNAT and DNAT for you.

[Moriah]

So I built the kernel. Using make menuconfig it was easy, and looks like everthing I needed was included.

Now I need to get the fancy pantsie new grub to boot it!

I have always used the classic grub. It was very easy to setup the boot menu and choose which kernel got auto-booted after a timeout.

This new grub looks like it was designed by a committee at the united nations! GOOD GREIF!

Why is this so complicated? When I installed the initial kernel, it "just worked" with the new grub, but after make install, the new kernel does not even show up on the boot menu, and it still boots the old kernel.

How do I tell grub which kernel to boot. Since this is my gateway firewall, I need it to reboot itself on pwer-up after a power failure, so the new kernel needs to be the default kernel.

Oh yes, I guess I should mention that I do use a custom initrd also, since / is on an lvm volume.

BTW Thanks for all the help so far. Its been a long time since I needed to set up a new machine.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

[Hu]

I cannot help you with grub2, as I switched to syslinux when grub1 became deprecated. I suggest opening a new thread about your bootloader issue, since people who know grub2 may not come into a thread about firewall issues.

[sMueggli]

[Moriah]

First, thank you HU for the help on the kernel and firewall issues. as you can see, I got a response to the grub issue here anyway, so I will persue that and see if I can get this thing to boot the righjt kernel.

sMueggli:
I just tried this, with the following negative result:

[sMueggli]

I see the "failed to get canonical path" error normally, when people are executing the command from a live cd and not from inside the chroot. But this should not be your problem.

I am using also LVM and do not have problems with grub. I assume you installed grub with the "device-mapper" USE flag?

In the discussion https://unix.stackexchange.com/questions/96977/grub-probe-error-failed-to-get-canonical-path-of-cow there is one comment that indicates some problem with "realpath".

You can check with

[Moriah]

Apparently the 'device-mapper' USE flag is not in /etc/portage/make.conf and there is no /etc/portage/package.use entry for sys-boot/grub either. So where do I put the USE flag? In make.conf or package.use/grub ?

[Moriah]

SUCCESS !!!

I added device-mapper to /etc/portage/package.use/grub.use and re-emerged grub.

It still complained because realpath still did not work.

Then I manually executed vgscan --mknodes, after which realpath *DID* work, so that was the problem.

I then did grub-mkconfig -o /boot/grub/grub.cfg and rebooted. I had to figure out how to boot the correct kernel, but when I did, and did uname -s I was able to verify that the kernel I had just built was the one that booted.

Then I started iptables and ran my firewall script, after which everything worked. My network is back online, and I assume my mail server is now working again.

THANKS YOU SO MUCH sMueggli !!!

Now I just need to figure out how to make the correct kernel boot as the default...
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

[Moriah]

Got the new kernel to boot as the default.

Now just a few details to attend to, like getting the firewall script to run automatically on boot.

Apparently the old rc.local directory is now called the /etc/local.d direcory, so I will have to put my custom startup script there.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

[Moriah]

OK, obviously I don't understand the "new way"...

How do I get the scripts in /etc/local.d to run at boot?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

[Hu]

The preferred way to manage firewall rules is to let the iptables init.d service load them. You only need a custom script if you have special rules that cannot be saved verbatim.

According to /etc/local.d/README:

[Moriah]

Yes, I read that...

*BUT*... I forgot to name my file with a .start extension. OOPS!

Now it works.

Thanks!
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.