Ezechiel n00b
Joined: 23 Sep 2002 Posts: 26 Location: Austria
Posted: Mon Sep 23, 2002 12:51 pm Post subject: iptables don't work well
I have installed and configured everything correctly and everything works properly, but after a restart of my computer I must type these two lines in my console to connect my second computer to the Internet:
Code:
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xx.xxx.xxx
    echo 1 > /proc/sys/net/ipv4/ip_forward
But I don't want to type these two lines after every restart. How can I change this to an automatic configuration?
thx for help
de4d Apprentice
Joined: 12 Sep 2002 Posts: 181 Location: fr. i. br. (ger)
Posted: Mon Sep 23, 2002 1:28 pm
Write those lines to an ASCII file, make it executable, and link from /etc/rcX.d/SYnat to it (symbolic), where X is your runlevel and Y is a 2-digit integer value.
have phun
_________________
void main(){fork();main();}
klieber Bodhisattva
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Mon Sep 23, 2002 1:37 pm
de4d wrote:
    Write those lines to an ASCII file, make it executable, and link from /etc/rcX.d/SYnat to it (symbolic), where X is your runlevel and Y is a 2-digit integer value.
Uhhhh....this is Gentoo, right? Gentoo doesn't use rcX.d runlevels. You might want to read the Gentoo Linux Init System doc.
To answer the original question, there are a number of ways to do that. The easiest might be to simply place those two lines in /etc/conf.d/local.start. They will then be run each time the computer starts.
--kurt
_________________
The problem with political jokes is that they get elected
Naan Yaar Bodhisattva
Joined: 27 Jun 2002 Posts: 1549
Posted: Mon Sep 23, 2002 1:46 pm
BTW, the thread title is quite misleading. I would suggest changing it to something that matches its primary focus.
de4d Apprentice
Joined: 12 Sep 2002 Posts: 181 Location: fr. i. br. (ger)
Posted: Mon Sep 23, 2002 1:55 pm
oops
Anyway, I considered my system as 'running (too) well', and had no need to read *all* the docs.
good job ;)
_________________
void main(){fork();main();}
Ezechiel n00b
Joined: 23 Sep 2002 Posts: 26 Location: Austria
Posted: Mon Sep 23, 2002 3:01 pm
thx for help. I tried it with /etc/conf.d/local.start but it doesn't run.
I wrote the two lines in the same way as I posted above in local.start, but on startup of the system an error message about the iptables command comes up.
Naan Yaar Bodhisattva
Joined: 27 Jun 2002 Posts: 1549
Posted: Mon Sep 23, 2002 3:17 pm
Try giving the full path to iptables in your local script. Also, it would be helpful to post the actual error message.
Ezechiel wrote:
    ...I wrote the two lines in the same way as I posted above in local.start, but on startup of the system an error message about the iptables command comes up.
Ezechiel n00b
Joined: 23 Sep 2002 Posts: 26 Location: Austria
Posted: Mon Sep 23, 2002 4:07 pm
I haven't written a script. I just added the commands in local.start.
Naan Yaar Bodhisattva
Joined: 27 Jun 2002 Posts: 1549
Posted: Mon Sep 23, 2002 4:10 pm
By script, I mean your local.start init script.
Ezechiel wrote:
    I haven't written a script. I just added the commands in local.start.
klieber Bodhisattva
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Mon Sep 23, 2002 4:14 pm
What Naan Yaar is saying is that, instead of using this:
Code:
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xx.xxx.xxx
use this:
Code:
    /sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xx.xxx.xxx
If that still doesn't work, please post the exact error message that you're receiving.
--kurt
_________________
The problem with political jokes is that they get elected
Ezechiel n00b
Joined: 23 Sep 2002 Posts: 26 Location: Austria
Posted: Tue Sep 24, 2002 12:55 pm
I tried it also with /sbin... but I get the same message:
Code:
    iptables v1.2.7a: Unkown arg '--to-source'
    Try 'iptables -h' or 'iptables --help' for more information.
    /sbin/runscript.sh: xxx.xx.xxx.xxx: command not found
klieber Bodhisattva
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Tue Sep 24, 2002 1:02 pm
Ezechiel wrote:
    Code:
        iptables v1.2.7a: Unkown arg '--to-source'
        Try 'iptables -h' or 'iptables --help' for more information.
        /sbin/runscript.sh: xxx.xx.xxx.xxx: command not found
Do you have NAT enabled in your kernel? What is the output of:
Code:
    cat /usr/src/linux/.config | grep NAT
--kurt
_________________
The problem with political jokes is that they get elected
Naan Yaar Bodhisattva
Joined: 27 Jun 2002 Posts: 1549
Posted: Tue Sep 24, 2002 1:08 pm
I think your iptables command line is split across two lines (going by the xxx.xx... in your "command not found" message). Edit your file using "nano -w" and make sure that you don't have a line break in the iptables command (and other) lines.
Ezechiel wrote:
    I tried it also with /sbin... but I get the same message:
    Code:
        iptables v1.2.7a: Unkown arg '--to-source'
        Try 'iptables -h' or 'iptables --help' for more information.
        /sbin/runscript.sh: xxx.xx.xxx.xxx: command not found
HogRider Apprentice
Joined: 29 May 2002 Posts: 160
Posted: Tue Sep 24, 2002 1:38 pm
Ezechiel,
Let's start at the beginning.
First, does this command function properly from the CLI? With an explicit path? (/sbin/iptables)
If so, are you certain you've duplicated it exactly in your /etc/conf.d/local.start? (The easiest way is [left mouse button] select & [center mouse button] paste.)
Next, check you are using the same executable (as root, "which iptables").
If all of these factors are true, post your local.start.
BTW, what are you trying to accomplish with iptables? You mention SNAT without any other rules. I generally call a dedicated script to institute a full lockdown, followed by selective reopening of ports & services, which gives you optimal protection.
_________________
Mike
"Computers are like air conditioners, they stop working properly if you open Windows"
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
Ezechiel n00b
Joined: 23 Sep 2002 Posts: 26 Location: Austria
Posted: Tue Sep 24, 2002 3:27 pm
The problem was the line split.
The IP address was on a different line. Now everything works fine.
thx for help @ll
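The failure Ezechiel ran into (the editor wrapped the iptables command, so the address on the following line was executed as a command of its own) can be caught before a reboot instead of being diagnosed from the boot messages. The checker below is an added example, not code from the thread or from Gentoo: it scans a start-up script such as /etc/conf.d/local.start for lines whose first word is an option or a bare IPv4 address while the line before does not end in a backslash continuation, which is exactly what a wrapped command looks like. The three sample files it writes are constructed for the demonstration, with 203.0.113.10 standing in for the thread's xxx.xx.xxx.xxx.

```shell
#!/bin/sh
# Added example, not from the thread: find commands that an editor has wrapped
# onto two lines in a start-up script such as /etc/conf.d/local.start.
# A wrapped "... --to-source" / "203.0.113.10" pair makes the shell run the
# address as a command, which is the "xxx.xx.xxx.xxx: command not found"
# seen in the thread.  Usage: sh check_wrapped.sh /etc/conf.d/local.start

# find_wrapped_lines FILE
#   Print each line whose first word is an option (starts with "-") or a bare
#   dotted IPv4 address, unless the previous line ended in a backslash, which
#   is a deliberate continuation.  Returns 1 if any such line was found.
find_wrapped_lines() {
    awk '
        # a trailing backslash on the line before makes this a valid continuation
        prev ~ /\\$/            { prev = $0; next }
        NF == 0 || $1 ~ /^#/    { prev = $0; next }   # blank lines and comments
        $1 ~ /^-/ || $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            printf "%s:%d: looks like the tail of a wrapped command: %s\n", FILENAME, NR, $0
            bad = 1
        }
        { prev = $0 }
        END { exit bad }
    ' "$1"
}

# write_samples DIR
#   Constructed sample files for the demonstration (not taken from the
#   thread's system): the wrapped version, the correct version, and a
#   legitimate backslash continuation that must not be reported.
write_samples() {
    printf '%s\n' \
        '/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source' \
        '203.0.113.10' \
        'echo 1 > /proc/sys/net/ipv4/ip_forward' > "$1/local.start.wrapped"
    printf '%s\n' \
        '/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 203.0.113.10' \
        'echo 1 > /proc/sys/net/ipv4/ip_forward' > "$1/local.start.ok"
    printf '%s\n' \
        '/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT \' \
        '    --to-source 203.0.113.10' > "$1/local.start.continued"
}

# When run with a file argument, check that file and exit with its status.
if [ "$#" -eq 1 ]; then
    find_wrapped_lines "$1"
fi
```

The check is deliberately narrow: it only flags a first word that cannot start a command on its own (an option or a dotted address), so ordinary lines and commented-out rules pass, and a continuation written with a trailing backslash is recognised as intentional.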
Eagle-Eye n00b
Joined: 25 Sep 2002 Posts: 17
Posted: Wed Sep 25, 2002 8:22 pm
Another solution is to add iptables to your default runlevel and enable IP forwarding in /etc/conf.d/iptables. Then you can save all currently set netfilter rules in a configuration file using iptables-save. These rules will then be loaded when the system boots.
Code:
    rc-update add iptables default
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx
    iptables-save > /var/lib/iptables/rules-save
klieber Bodhisattva
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Wed Sep 25, 2002 8:29 pm
Eagle-Eye wrote:
    Another solution is to add iptables to your default runlevel and enable IP forwarding in /etc/conf.d/iptables. Then you can save all currently set netfilter rules in a configuration file using iptables-save. These rules will then be loaded when the system boots.
This is a solution, but IMO, it's a bad one. A firewall script should be fairly static, and always start from a known-good configuration. When you do things the way that iptables-save does, you never really know what ruleset you're running unless you examine it each and every time you boot the computer.
So, I certainly recommend against the "Gentoo Way" of using iptables-save to dynamically save the current ruleset on each reboot. That's just my $.02.
--kurt
_________________
The problem with political jokes is that they get elected
static Tux's lil' helper
Joined: 18 Apr 2002 Posts: 141 Location: Canada
Posted: Thu Sep 26, 2002 8:59 pm
What do you mean? Doesn't "iptables-save > /var/lib/iptables/rules-save" save to rules-save, a "fairly static known-good configuration"? How else do you keep your rulesets for a reboot? You surely don't put each rule into local.start...
_________________
Gentoo and Doom III. 'Nuff Said.
klieber Bodhisattva
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Thu Sep 26, 2002 9:06 pm
static wrote:
    What do you mean? Doesn't "iptables-save > /var/lib/iptables/rules-save" save to rules-save, a "fairly static known-good configuration"?
Running that command does, but the Gentoo way of controlling iptables also automatically overwrites that document each time you reboot the machine. Thus, if you (or someone else) have put in a special iptables rule for testing or whatever reason and forget about it, that rule will forever be implemented in your ruleset.
Another thing I don't like about iptables-save is the format in which it saves the ruleset -- not very easy to follow, though perhaps that's just because I'm used to a different format.
static wrote:
    How else do you keep your rulesets for a reboot? You surely don't put each rule into local.start...
Nope -- you place them all in a script and run that script at start. That's similar to what Gentoo does, with two key differences:
- The script never gets modified unless you modify it.
- You can write the script in whatever format/flow that makes the most sense to you.
--kurt
_________________
The problem with political jokes is that they get elected
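klieber's "static script that always starts from a known-good configuration" and HogRider's "full lockdown, followed by selective reopening" describe the same pattern, and it is the alternative to restoring whatever iptables-save last wrote. The script below is an added example, not the thread's code and not Gentoo's iptables init script: every run flushes the nat and filter tables and sets the FORWARD policy to DROP before adding exactly the rules written in the file, calls iptables by its full /sbin path as the thread recommends, and refuses to run when a placeholder such as xxx.xx.xxx.xxx is passed instead of a real address. The LAN interface name eth0, the address 203.0.113.10 and the use of the state match (the connection-tracking match of the iptables 1.2.x era) are assumptions; the IPT and IP_FORWARD variables can be overridden so the script can be dry-run without root.

```shell
#!/bin/sh
# Added example, not from the thread: a static firewall script that rebuilds
# the ruleset from scratch on every run, instead of restoring whatever
# iptables-save last wrote.  Run as root:  sh firewall.sh eth1 eth0 203.0.113.10
# IPT and IP_FORWARD are overridable (IPT=echo ...) for a dry run without root.

# Wrapper so the full path is used in one place; PATH at boot time is not the
# PATH of an interactive shell, which is why the thread insists on /sbin/iptables.
ipt() {
    "${IPT:-/sbin/iptables}" "$@"
}

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
# Keeps a placeholder like xxx.xx.xxx.xxx from ever reaching iptables.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Known-good starting point: empty nat and filter tables, no user-defined
# chains, and no forwarding at all until a rule below allows it.
reset_rules() {
    ipt -t nat -F
    ipt -t nat -X
    ipt -F
    ipt -X
    ipt -P FORWARD DROP
}

# apply_nat WAN_IF LAN_IF PUBLIC_IP
#   Forward new connections only from the LAN side towards the Internet side,
#   let only replies come back, and SNAT what leaves the WAN interface to
#   PUBLIC_IP: the two commands from the first post plus the forward rules.
apply_nat() {
    wan_if=$1 lan_if=$2 public_ip=$3
    valid_ipv4 "$public_ip" || {
        echo "refusing to run: '$public_ip' is not an IPv4 address" >&2
        return 1
    }
    reset_rules
    ipt -A FORWARD -i "$lan_if" -o "$wan_if" -j ACCEPT
    ipt -A FORWARD -i "$wan_if" -o "$lan_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$wan_if" -j SNAT --to-source "$public_ip"
    # ip_forward is what the thread's second line turned on; default path can
    # be overridden for a dry run
    echo 1 > "${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
}

# Stand-alone use: firewall.sh WAN_IF LAN_IF PUBLIC_IP
if [ "$#" -eq 3 ]; then
    apply_nat "$1" "$2" "$3"
fi
```

Because the script flushes first, a rule added by hand for a test disappears on the next run, which is the property klieber wants and iptables-save cannot give; a dry run with IPT=echo prints the exact rule list the script would install, so it can be reviewed in a version-controlled file rather than read back out of rules-save.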