odioworks_com (Tux's lil' helper)
Joined: 23 Jan 2005 Posts: 82 Location: Charlottesville, Virginia
Posted: Thu Apr 07, 2005 11:24 am Post subject: Problems with Iptables howto
I'm trying to get NAT working on my server... and well it's not.
I've followed this HOWTO to no avail:
https://forums.gentoo.org/viewtopic-t-159133-postdays-0-postorder-asc-highlight-iptables+howto-start-0.html
iptables is compiled into the kernel, but when I try to run the script included in the HOWTO:
Code:
#!/bin/bash
IPTABLES='/sbin/iptables'
# Set interface values
EXTIF='ppp0'
INTIF1='eth1'
INTIF2='eth2'
# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
#echo -e " - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
#echo -e " - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
through the command /etc/init.d/iptables start
I get a series of errors, found here: http://www.odioworks.com/iptables.txt
Any ideas?
mens (Guru)
Joined: 27 Aug 2003 Posts: 392 Location: Belgium
Posted: Thu Apr 07, 2005 11:31 am
remove the space in front of #!/bin/bash on line 1
peka (l33t)
Joined: 16 Mar 2005 Posts: 773 Location: Płońsk, Poland
Posted: Thu Apr 07, 2005 11:34 am
just guessing..
didn't try this howto yet...
but...
try:
to check if you have '/sbin/iptables' there
and see if you have '/sbin/iptables' at all
MrUlterior (Guru)
Joined: 22 Mar 2005 Posts: 511 Location: Switzerland
Posted: Thu Apr 07, 2005 12:46 pm
Do as mens suggests (remove the space), if that's not it, post the results of:
Code:
whereis iptables
emerge -s iptables
To find the iptables bin & check that iptables is emerged.
If this is still not the problem, then perhaps your iptables is compiled as a kernel module and not loaded, in which case you might want to add something like:
Code:
# modules live under /lib/modules/<running kernel>/kernel/net/..., so search there;
# -printf "%f\n" prints only the file name and the anchored egrep strips the ".ko"
for MODULE in `find /lib/modules/$(uname -r)/kernel/net -path "*netfilter*" -name "*.ko" -type f -printf "%f\n" | egrep -o "^[^.]+"`; do
echo "Loading ${MODULE}"
modprobe $MODULE
done
# (you'll need to check the above, only have access to an AIX box right now & there's no gnu egrep or find
# so I can't test the "-print %f" and 'egrep -o .... '
before your first use of the $IPTABLES var in your script. (note, if it works, it'll load all netfilter modules your kernel has built .. )
odioworks_com (Tux's lil' helper)
Joined: 23 Jan 2005 Posts: 82 Location: Charlottesville, Virginia
Posted: Thu Apr 07, 2005 5:02 pm
Yah iptables is built into the kernel - not loaded. I didn't realize this would be an issue.
I will try adding that script & get back to you.
FYI:
Once I removed the space I get this error:
http://odioworks.com/iptables.txt
And here is the output from whereis iptables:
http://odioworks.com/iptables2.txt
odioworks_com (Tux's lil' helper)
Joined: 23 Jan 2005 Posts: 82 Location: Charlottesville, Virginia
Posted: Thu Apr 07, 2005 5:07 pm
would it be better for me to just recompile my kernel with this as modules & not built into it?
Also another tidbit of info that I forgot to include:
modprobe ip_tables returns error "FATAL: Module ip_tables not found"
MrUlterior (Guru)
Joined: 22 Mar 2005 Posts: 511 Location: Switzerland
Posted: Thu Apr 07, 2005 5:42 pm
odioworks_com wrote:
would it be better for me to just recompile my kernel with this as modules & not built into it?
Also another tidbit of info that I forgot to include:
modprobe ip_tables returns error "FATAL: Module ip_tables not found"
When you say built in; do you mean as a module or built into the kernel itself?
You can check with:
Code:
gzcat /proc/config.gz | egrep -i "(netfilter|ip_nf)"
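As an added example (not from the thread or from MrUlterior), the following POSIX sh helper reads kernel config text in the /proc/config.gz format and reports, for each option the MASQUERADE script depends on, whether it is built in (=y, nothing to load), a module (=m, must be modprobed before the script runs) or not set. The option names are the 2.6-era CONFIG_IP_NF_* names used at the time of the thread and the sample config is constructed; on a live box the input would be the output of zcat /proc/config.gz.

```shell
#!/bin/sh
# Constructed sample in /proc/config.gz format (not the poster's real output):
# NAT itself is unset and MASQUERADE is a module, so the script cannot work as is.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_TARGET_MASQUERADE=m'

# nf_option_state OPTION: reads config text on stdin and prints
# builtin (=y), module (=m, needs modprobe), unset, or missing (option absent).
nf_option_state() {
    awk -v o="$1" '
        $0 == (o "=y")               { print "builtin"; found = 1; exit }
        $0 == (o "=m")               { print "module";  found = 1; exit }
        $0 == ("# " o " is not set") { print "unset";   found = 1; exit }
        END { if (!found) print "missing" }'
}

# nat_ready CONFIG_TEXT: prints one line per option the MASQUERADE script needs;
# returns 0 only if every one of them is built in or available as a module.
nat_ready() {
    rc=0
    for opt in CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_NAT \
               CONFIG_IP_NF_TARGET_MASQUERADE; do
        st=$(printf '%s\n' "$1" | nf_option_state "$opt")
        printf '%-32s %s\n' "$opt" "$st"
        case $st in
            builtin|module) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone demo on the constructed sample; on a live Gentoo box pass
# "$(zcat /proc/config.gz)" instead.
nat_ready "$SAMPLE_CONFIG" || echo "NAT prerequisites are not all satisfied"
```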
odioworks_com (Tux's lil' helper)
Joined: 23 Jan 2005 Posts: 82 Location: Charlottesville, Virginia
Posted: Thu Apr 07, 2005 6:07 pm
as far as I know it's built in directly to the kernel.
Here's the output from the command
gzcat /proc/config.gz | egrep -i "(netfilter|ip_nf)"
http://www.odioworks.com/gzcat.txt
odioworks_com (Tux's lil' helper)
Joined: 23 Jan 2005 Posts: 82 Location: Charlottesville, Virginia
Posted: Thu Apr 07, 2005 6:13 pm
hm..
I tried adding this code before $IPTABLES
Code:
for MODULE in `find /lib/modules/*/netfilter -name "*.ko" -type f -print "%f" | egrep -o "[^\.]+"`; do
echo "Loading ${MODULE}"
modprobe $MODULE
done
but I still get this error:
http://www.odioworks.com/iptables3.txt
MrUlterior (Guru)
Joined: 22 Mar 2005 Posts: 511 Location: Switzerland
Posted: Thu Apr 07, 2005 6:32 pm
Did you remove the space before "#!/bin/bash"?
odioworks_com (Tux's lil' helper)
Joined: 23 Jan 2005 Posts: 82 Location: Charlottesville, Virginia
Posted: Thu Apr 07, 2005 7:08 pm
I did remove the space.
Here is my exact IP tables script. Notice I commented out the code for the second internal interface (I only have one).
http://www.odioworks.com/iptables_code.txt
-s
odioworks_com (Tux's lil' helper)
Joined: 23 Jan 2005 Posts: 82 Location: Charlottesville, Virginia
Posted: Thu Apr 07, 2005 7:56 pm
I noticed a line in the code refers to /proc/sys/net/ipv4/ip_forward - that file doesn't exist on my machine. Would this be the problem?
-s
throck (n00b)
Joined: 10 Apr 2004 Posts: 39
Posted: Thu Apr 07, 2005 8:37 pm
odioworks_com wrote:
I noticed a line in the code refers to /proc/sys/net/ipv4/ip_forward - that file doesn't exist on my machine.
Nope. The ip_forward file is not a file on a real filesystem (as far as I understand it anyway). It has to be created on each boot, which is why you have the line that says "echo 1 > /proc/sys/net/ipv4/ip_forward". That essentially creates a text file containing the number "1" in it, which tells the kernel (or iptables) that forwarding should be enabled.
The problem seems to be that the "#!/bin/bash" line, which tells the shell which program to use to execute this script, is the line giving the error. For some reason it can't find /bin/bash. Could be a permissions issue, although it's doubtful since you are probably using the bash shell currently. Unfortunately I can't help much more than that at this point.
MrUlterior (Guru)
Joined: 22 Mar 2005 Posts: 511 Location: Switzerland
Posted: Fri Apr 08, 2005 7:56 am
Lol! most likely, cat /bin/bash & see if it's still your firewall script .... if it is, copy it somewhere, rm -f /bin/bash and re-emerge bash. Use the live cd if you need to.
odioworks_com (Tux's lil' helper)
Joined: 23 Jan 2005 Posts: 82 Location: Charlottesville, Virginia
Posted: Fri Apr 08, 2005 3:56 pm
nah when I cat it - it's obviously /bin/bash.
I had re-emerged bash before starting this post - which I think fixed the problem.
So I'm still stuck here:
/etc/init.d/iptables
: No such file or directory
Maybe there's an easier way to set up iptables? I heard about firehol but it seemed more complicated than a straight script when I tried to use it. Speaking of which - could the fact that I previously merged firehol and then unmerged it be a problem?
-s
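Added example, not from the thread: a POSIX sh checker for the symptom the thread ends on. When a script file exists but running it reports "No such file or directory", the kernel could not find the interpreter named on its #! line; the checks below cover the two causes raised in the thread (whitespace before #!, as mens pointed out, and an interpreter path that is not there, as throck suspected) plus CRLF line endings and a UTF-8 byte-order mark, which produce the same error. The sample scripts are constructed in a temporary directory and /bin/sh is assumed to exist.

```shell
#!/bin/sh
# check_shebang FILE: explain why running FILE fails with "No such file or
# directory" although FILE exists. Prints one of:
#   ok | bom | leading-space | no-shebang | crlf | missing-interp:<path>
check_shebang() {
    first=$(head -n 1 "$1")          # first line, trailing newline stripped
    cr=$(printf '\r')
    tab=$(printf '\t')
    bom=$(printf '\357\273\277')
    case $first in
        "$bom"*)        echo bom;           return 1 ;;  # "#!" is no longer at byte 0
        ' '*|"$tab"*)   echo leading-space; return 1 ;;  # " #!/bin/bash" is just a comment
        '#!'*)          ;;
        *)              echo no-shebang;    return 1 ;;
    esac
    case $first in
        *"$cr"*)        echo crlf;          return 1 ;;  # kernel looks for "/bin/bash\r"
    esac
    set -- ${first#??}                # drop "#!", split "/bin/bash -x" into words
    if [ -x "$1" ]; then echo ok; return 0; fi
    echo "missing-interp:$1"
    return 1
}

# make_samples: writes constructed sample scripts to a temp dir and prints its path.
make_samples() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n'            > "$d/good.sh"
    printf ' #!/bin/sh\necho hi\n'           > "$d/space.sh"
    printf '#!/bin/sh\r\necho hi\r\n'        > "$d/crlf.sh"
    printf '#!/nonexistent/bash\necho hi\n'  > "$d/bogus.sh"
    printf 'echo hi\n'                       > "$d/plain.sh"
    echo "$d"
}

# Stand-alone demo over the constructed samples.
dir=$(make_samples)
for f in "$dir"/*.sh; do
    printf '%-10s %s\n' "$(basename "$f")" "$(check_shebang "$f")"
done
rm -rf "$dir"
```

On a real system, run check_shebang against the firewall script itself (for example /etc/init.d/iptables) before looking at the iptables rules.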