* Invalid friggen argument
@ 2003-10-12 7:41 Herman
2003-10-12 11:08 ` Willy TARREAU
` (2 more replies)
From: Herman @ 2003-10-12 7:41 UTC (permalink / raw)
To: netfilter
Hi everybody,
I am trying to get port forwarding to work. I had it working some time ago,
gawd knows what changed...
Now, I get this result with iptables 1.2.7a-2mdk and with 1.2.9rc1:
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6390 \
-j DNAT --to 192.168.10.245
iptables: Invalid argument
I can cut and paste a line from a howto and I still get 'invalid argument' -
grrr...
Any ideas?
Cheers
--
Herman
* Re: Invalid friggen argument
2003-10-12 7:41 Invalid friggen argument Herman
@ 2003-10-12 11:08 ` Willy TARREAU
2003-10-12 15:46 ` Herman
2003-10-12 17:44 ` Mark E. Donaldson
2003-10-14 6:04 ` Invalid friggen argument Joel Newkirk
From: Willy TARREAU @ 2003-10-12 11:08 UTC (permalink / raw)
To: Herman; +Cc: netfilter
Hi !
On Sun, Oct 12, 2003 at 01:41:15AM -0600, Herman wrote:
> Now, I get this result with iptables 1.2.7a-2mdk and with 1.2.9rc1:
>
> # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6390 \
> -j DNAT --to 192.168.10.245
> iptables: Invalid argument
your kernel might be too old and incompatible with these more recent versions.
I got the same when upgrading from iptables-1.2.4 to 1.2.5, IIRC.
Willy
* Re: Invalid friggen argument
2003-10-12 11:08 ` Willy TARREAU
@ 2003-10-12 15:46 ` Herman
From: Herman @ 2003-10-12 15:46 UTC (permalink / raw)
To: netfilter
On Sunday 12 October 2003 5:08 am, Willy TARREAU wrote:
> Hi !
> On Sun, Oct 12, 2003 at 01:41:15AM -0600, Herman wrote:
> > Now, I get this result with iptables 1.2.7a-2mdk and with 1.2.9rc1:
> >
> > # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6390 \
> > -j DNAT --to 192.168.10.245
> > iptables: Invalid argument
> your kernel might be too old and incompatible with these more recent
> versions. I got the same when upgrading from iptables-1.2.4 to 1.2.5, IIRC.
> Willy
Hmm, this is Mandrake 9.1 distro and it did work in the past, but kind of
unreliably. So I should try an older version of netfilter - any
recommendations for a version to try?
The funny thing is that the Masquerade line in my firewall setup gives the
same Invalid Argument error but it actually works. It is only Port
Forwarding that doesn't work.
Cheers,
--
Herman
* RE: Invalid friggen argument
2003-10-12 7:41 Invalid friggen argument Herman
2003-10-12 11:08 ` Willy TARREAU
@ 2003-10-12 17:44 ` Mark E. Donaldson
2003-10-12 18:18 ` Herman
2003-10-14 6:04 ` Invalid friggen argument Joel Newkirk
From: Mark E. Donaldson @ 2003-10-12 17:44 UTC (permalink / raw)
To: Herman, netfilter
I don't think you have a versioning problem. Some of the more recent
releases of netfilter are more sensitive about arguments and argument
ordering I have found. Are you able to slip in a destination address into
that rule:
iptables -t nat -A PREROUTING -i eth1 -p tcp -d xxx.xxx.xxx.xxx --dport 6390 \
-j DNAT --to 192.168.10.245
It may be looking for a dest address.
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Herman
Sent: Sunday, October 12, 2003 12:41 AM
To: netfilter@lists.netfilter.org
Subject: Invalid friggen argument
Hi everybody,
I am trying to get port forwarding to work. I had it working some time ago,
gawd knows what changed...
Now, I get this result with iptables 1.2.7a-2mdk and with 1.2.9rc1:
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6390 \
-j DNAT --to 192.168.10.245
iptables: Invalid argument
I can cut and paste a line from a howto and I still get 'invalid argument' -
grrr...
Any ideas?
Cheers
--
Herman
* Re: Invalid friggen argument
2003-10-12 17:44 ` Mark E. Donaldson
@ 2003-10-12 18:18 ` Herman
2003-10-12 20:11 ` Port forwarding doesn't work Herman
From: Herman @ 2003-10-12 18:18 UTC (permalink / raw)
To: markee, netfilter
On Sunday 12 October 2003 11:44 am, Mark E. Donaldson wrote:
> I don't think you have a versioning problem. Some of the more recent
> releases of netfilter are more sensitive about arguments and argument
> ordering I have found. Are you able to slip in a destination address into
> that rule:
> iptables -t nat -A PREROUTING -i eth1 -p tcp -d xxx.xxx.xxx.xxx --dport 6390 \
> -j DNAT --to 192.168.10.245
> It may be looking for a dest address.
I have tried that before and here goes:
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 192.168.10.100 --dport 6390 -j DNAT --to 192.168.10.245
iptables: Invalid argument
No luck.
Cheers,
--
Herman
* Port forwarding doesn't work.
2003-10-12 18:18 ` Herman
@ 2003-10-12 20:11 ` Herman
2003-10-12 21:41 ` Gerd Zemella
From: Herman @ 2003-10-12 20:11 UTC (permalink / raw)
To: netfilter
Has anybody got me a *working* port forwarding rule please???
This thing is driving me nuts, since the rules straight from the manuals don't
work with 1.2.7a or 1.2.9rc1.
Cheers,
--
Herman
* Re: Port forwarding doesn't work.
2003-10-12 20:11 ` Port forwarding doesn't work Herman
@ 2003-10-12 21:41 ` Gerd Zemella
2003-10-12 22:04 ` Herman
From: Gerd Zemella @ 2003-10-12 21:41 UTC (permalink / raw)
To: Herman; +Cc: netfilter
Hi Herman,
did you try something like
iptables -t nat -I PREROUTING -d x.x.x.x -j DNAT --to-destination y.y.y.y
where you can also add protocol, port, .....
It is also important that the destination machine routes the packets back
via the nat machine, or you must specify an additional POSTROUTING rule
so that it looks to the destination machine as if the packets originated
from the nat machine.
Perhaps an example to go with the PREROUTING rule:
iptables -t nat -I POSTROUTING -d y.y.y.y -j SNAT --to-source z.z.z.z
then z.z.z.z should be bound to the natting machine.
works for iptables 1.2.7a
greetings
Gerd
On Sun, 12.10.2003 at 22:11, Herman wrote:
> Has anybody got me a *working* port forwarding rule please???
>
> This thing is driving me nuts, since the rules straight from the manuals don't
> work with 1.2.7a or 1.2.9rc1.
>
> Cheers,
* Re: Port forwarding doesn't work.
2003-10-12 21:41 ` Gerd Zemella
@ 2003-10-12 22:04 ` Herman
2003-10-12 23:00 ` Herman
2003-10-13 7:13 ` Port forwarding doesn't work Gerd Zemella
From: Herman @ 2003-10-12 22:04 UTC (permalink / raw)
To: Gerd Zemella; +Cc: netfilter
Well, here goes:
iptables -t nat -I PREROUTING -d 192.168.10.100 -j DNAT --to 192.168.10.245
iptables: Target problem
At least, now the error message changed and the only difference from before is
the -I instead of -A.
So, with -A, I get Invalid Argument, and with -I, I get Target Problem. Both
cases don't work and the rule doesn't get added.
Can anybody give me a clue?
Cheers,
--
Herman Oosthuysen
B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
* Re: Port forwarding doesn't work.
2003-10-12 22:04 ` Herman
@ 2003-10-12 23:00 ` Herman
2003-10-13 0:10 ` Philip Craig
2003-10-13 0:44 ` Chris Brenton
2003-10-13 7:13 ` Port forwarding doesn't work Gerd Zemella
From: Herman @ 2003-10-12 23:00 UTC (permalink / raw)
To: netfilter
Hi guys,
Well, I now downgraded to netfilter version 1.2.5-1 and the complaints went
away, though I still haven't gotten forwarding to work and this is the
version where I last had it working - sigh...
Here is my problem:
I need to forward a port from outside the firewall, to everybody on the
inside. All examples I have seen forwards to a specific IP on the inside,
which doesn't go well with DHCP. The man page says that specifying a range
of IPs will trigger a round robin effect, which I don't think I want to
happen. So, how now brown cow?
I'm testing this with the Nectarine Demoscene radio station and xmms, since
that is way easier than messing with the government services that I actually
need this for. Nectarine needs port 8002 to be forwarded. On the server, it
works and the address to put into xmms is http://130.231.60.129:8002/
On my laptop, I can't get it to work, though I had it working a couple of
months ago, with these firewall rules:
echo " DNAT Forward port 8002 for Nectarine Demoscene Radio"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 8002 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8002 -j DNAT --to 192.168.10.245:8002
If I display the rules, I can't see any forwarding rules in the list, which
tells me that the forwarding rules that I try to implement are simply ignored
by iptables:
iptables -v -L
Chain INPUT (policy ACCEPT 55251 packets, 13M bytes)
 pkts bytes target prot opt in  out source                            destination
    2    96 DROP   all  --  any any d142-59-155-57.abhsia.telus.net   anywhere
    2    96 DROP   all  --  any any s142-59-150-199.ab.hsia.telus.net anywhere
    3   188 DROP   all  --  any any d142-59-172-230.abhsia.telus.net  anywhere
    2    96 DROP   all  --  any any d142-59-59-12.abhsia.telus.net    anywhere
    2    96 DROP   all  --  any any d142-59-162-102.abhsia.telus.net  anywhere
    2    96 DROP   all  --  any any d142-59-176-107.abhsia.telus.net  anywhere
    1    64 DROP   all  --  any any d142-59-78-76.abhsia.telus.net    anywhere
    2    96 DROP   all  --  any any d142-59-80-67.abhsia.telus.net    anywhere
    1    48 DROP   all  --  any any d142-59-152-127.abhsia.telus.net  anywhere
    2    96 DROP   all  --  any any 142.59.143.156                    anywhere
    2   128 DROP   all  --  any any 142.59.137.22                     anywhere
    0     0 DROP   all  --  any any d142-59-63-31.abhsia.telus.net    anywhere
    2    96 DROP   all  --  any any 142.59.141.9                      anywhere
    2    96 DROP   all  --  any any 142.59.143.244                    anywhere
    0     0 DROP   all  --  any any d142-59-10-57.abhsia.telus.net    anywhere
    2    96 DROP   all  --  any any d142-59-216-157.abhsia.telus.net  anywhere
    2    96 DROP   all  --  any any alik57zgy55og.ab.hsia.telus.net   anywhere
    2    96 DROP   all  --  any any d142-59-95-82.abhsia.telus.net    anywhere
    2    96 DROP   all  --  any any d142-59-225-188.abhsia.telus.net  anywhere
    2    96 DROP   all  --  any any trialserver.americoac.com         anywhere
    2    96 DROP   all  --  any any 142.59.137.249                    anywhere
    2    96 DROP   all  --  any any d142-59-144-7.abhsia.telus.net    anywhere
    1    48 DROP   all  --  any any d142-59-81-170.abhsia.telus.net   anywhere
    2    96 DROP   all  --  any any a6jp39qoy31v4.ab.hsia.telus.net   anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source                            destination
Chain OUTPUT (policy ACCEPT 56800 packets, 63M bytes)
 pkts bytes target prot opt in  out source                            destination
--
How can the FORWARD chain be empty, since MASQUERADE is working and my laptop
can surf the web?
Why are my new forwarding rules ignored?
How can I debug this stuff and see where the packets are going/not going?
Can anybody shed light on this?
Cheers,
--
Herman Oosthuysen
B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
* Re: Port forwarding doesn't work.
2003-10-12 23:00 ` Herman
@ 2003-10-13 0:10 ` Philip Craig
2003-10-13 0:20 ` Herman
2003-10-13 0:44 ` Chris Brenton
From: Philip Craig @ 2003-10-13 0:10 UTC (permalink / raw)
To: Herman; +Cc: netfilter
Herman wrote:
> If I display the rules, I can't see any forwarding rules in the list, which
> tells me that the forwarding rules that I try to implement are simply ignored
> by iptables:
>
> iptables -v -L
iptables defaults to listing the filter table.
If you want to list nat rules, you must specify the nat table:
iptables -t nat -v -L
--
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
* Re: Port forwarding doesn't work.
2003-10-13 0:10 ` Philip Craig
@ 2003-10-13 0:20 ` Herman
2003-10-13 0:40 ` Herman
From: Herman @ 2003-10-13 0:20 UTC (permalink / raw)
To: netfilter
On Sunday 12 October 2003 6:10 pm, Philip Craig wrote:
> Herman wrote:
> > If I display the rules, I can't see any forwarding rules in the list,
> > which tells me that the forwarding rules that I try to implement are
> > simply ignored by iptables:
> >
> > iptables -v -L
> iptables defaults to listing the filter table.
> If you want to list nat rules, you must specify the nat table:
> iptables -t nat -v -L
OK, here goes:
iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Blech...
Mark Donaldson suggested that a module may be missing.
I'll try to pursue that thought.
Cheers,
--
Herman Oosthuysen
B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
* Re: Port forwarding doesn't work.
2003-10-13 0:20 ` Herman
@ 2003-10-13 0:40 ` Herman
2003-10-13 1:17 ` Arnt Karlsen
From: Herman @ 2003-10-13 0:40 UTC (permalink / raw)
To: netfilter
The real problem that I'm trying to solve is this:
Several hosts need to access a gov service that uses Java and a certain port.
I do not know which machine/machines will run and I don't know what their IP
is going to be, due to DHCP. I could limit it to one machine with a fixed IP
just to get started though.
To test this, I'm experimenting with Nectarine radio, since that is easier
than farting around with a government server. If I can't get Nectarine to
work, then I have no hope of getting the gov thing to work.
> On the FORWARD chain, try iptables -v -L FORWARD -t filter. That will
> isolate just your FORWARD rules. I gather you are not showing ANY active
> forward rules? Not even your default policy?
iptables -L FORWARD -n
Chain FORWARD (policy ACCEPT)
target prot opt source destination
nothing...
iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
nothing much either...
I suppose some modules are missing, but what?
What could be needed to make port forwarding work, that is not already loaded
to make masquerade work? At least something is working but gawddammit, this
doesn't make sense to me.
Cheers,
--
Herman Oosthuysen
B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
* Re: Port forwarding doesn't work.
2003-10-12 23:00 ` Herman
2003-10-13 0:10 ` Philip Craig
@ 2003-10-13 0:44 ` Chris Brenton
2003-10-13 1:17 ` Herman
From: Chris Brenton @ 2003-10-13 0:44 UTC (permalink / raw)
To: Herman; +Cc: netfilter
On Sun, 2003-10-12 at 19:00, Herman wrote:
>
> Here is my problem:
> I need to forward a port from outside the firewall, to everybody on the
> inside.
If it was UDP traffic, you might be able to get away with forwarding to
your internal broadcast address. Since it's TCP however, that's not RFC
and I doubt anyone will respond unless they have a broken stack.
> All examples I have seen forwards to a specific IP on the inside,
> which doesn't go well with DHCP.
Maybe you can do something with DDNS or specify a MAC-->IP mapping for
the host(s) that need this service.
> The man page says that specifying a range
> of IPs will trigger a round robin effect, which I don't think I want to
> happen. So, how now brown cow?
Agreed. That will balance to a number of different IPs, not what you are
looking for. Then again you're using TCP so you can't do multiple nodes at
the same time anyway.
> If I display the rules, I can't see any forwarding rules in the list, which
> tells me that the forwarding rules that I try to implement are simply ignored
> by iptables:
Try it on the command line and see what errors come back.
> iptables -v -L
> Chain INPUT (policy ACCEPT 55251 packets, 13M bytes)
<snip>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Hummm. You do realize you are letting through *everything* you are not
specifically dropping? Looks like you've had quite a bit of traffic
sneak by. :(
> How can the FORWARD chain be empty, since MASQUERADE is working and my laptop
> can surf the web?
Because you are letting everything not specifically denied blow through.
> Why are my new forwarding rules ignored?
Again, try stuff like this from the command line. If iptables is not
happy, it will let you know about it.
> How can I debug this stuff and see where the packets are going/not going?
> Can anybody shed light on this?
The counters are a good indication of what is going on. You can also run
tcpdump to troubleshoot what goes by.
HTH,
C
* Re: Port forwarding doesn't work.
2003-10-13 0:44 ` Chris Brenton
@ 2003-10-13 1:17 ` Herman
2003-10-13 1:30 ` Herman
From: Herman @ 2003-10-13 1:17 UTC (permalink / raw)
To: Chris Brenton, netfilter
On Sunday 12 October 2003 6:44 pm, Chris Brenton wrote:
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> Hummm. You do realize you are letting through *everything* you are not
> specifically dropping? Looks like you've had quite a bit of traffic
> sneak by. :(
Yep, I opened it up in an effort to figure out what is going on - or rather
not going on, the really bad stuff is blocked in the INPUT chain and the
INPUT chain is letting the packets through, since I can play xmms on the
firewall itself, so the packets get in, but not out the other side.
> > How can the FORWARD chain be empty, since MASQUERADE is working and my
> > laptop can surf the web?
> Because you are letting everything not specifically denied blow through.
OK - it seems that port forwarding uses the nat table - eventually I'll
understand this I hope...
If I understand it, masquerading also uses the nat table and that is working,
so why doesn't port forwarding work for port 8002?
Here is the rule:
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 8002 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8002 -j DNAT --to 192.168.10.245:8002
on the command line it looks like this:
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 8002 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8002 -j DNAT --to 192.168.10.245:8002
and it does diddly squat...
> > Why are my new forwarding rules ignored?
> Again, try stuff like this from the command line. If iptables is not
> happy, it will let you know about it.
Tried it with various versions of iptables. 1.2.7a and 1.2.9rc1 give either
Invalid Argument or Target Problem as explained in previous posts. Iptables
1.2.5 doesn't give any error messages - I downgraded, since upgrading didn't
make any diff, so now it doesn't tell me anything although the problem is
still the same.
It is as if the rules are simply ignored even when I copy and paste examples
from the howtos or other posts.
> > How can I debug this stuff and see where the packets are going/not
> > going? Can anybody shed light on this?
> The counters are a good indication of what is going on. You can also run
> tcpdump to troubleshoot what goes by.
Trying that now - very trying...
I guess that eventually, I'll understand iptables, but it is going to take a
while to get there.
Oh, well, what the hell - Catch 22.
--
Herman Oosthuysen
B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
* Re: Port forwarding doesn't work.
2003-10-13 0:40 ` Herman
@ 2003-10-13 1:17 ` Arnt Karlsen
2003-10-13 13:06 ` Robert P. J. Day
2003-10-13 18:05 ` Herman
From: Arnt Karlsen @ 2003-10-13 1:17 UTC (permalink / raw)
To: netfilter
On Sun, 12 Oct 2003 18:40:27 -0600,
Herman <Herman@AerospaceSoftware.com> wrote in message
<200310121840.27031.Herman@AerospaceSoftware.com>:
> The real problem that I'm trying to solve is this:
> Several hosts need to access a gov service that uses Java and a certain
> port.
..if these hosts are initiating this connection from your end,
" -j ESTABLISHED,RELATED" should do it, instead of you
running around chasing your tail.
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: Port forwarding doesn't work.
2003-10-13 1:17 ` Herman
@ 2003-10-13 1:30 ` Herman
2003-10-13 1:52 ` Port forwarding now *almost* works Herman
From: Herman @ 2003-10-13 1:30 UTC (permalink / raw)
To: netfilter
Hmm, as far as I can see iptable_nat handles nat, and it is loaded:
lsmod
Module Size Used by Not tainted
iptable_nat 16312 1 (autoclean)
ip_conntrack 18624 1 (autoclean) [iptable_nat]
appletalk 21636 1 (autoclean)
ipx 17188 1 (autoclean)
iptable_filter 1644 1 (autoclean)
ip_tables 11736 4 [iptable_nat iptable_filter]
lp 6752 0
parport_pc 21736 1
parport 23840 1 [lp parport_pc]
i810_audio 23720 1
soundcore 3684 0 [i810_audio]
ac97_codec 10024 0 [i810_audio]
nfsd 66832 8 (autoclean)
lockd 46896 1 (autoclean) [nfsd]
sunrpc 63356 1 (autoclean) [nfsd lockd]
ppp_async 7456 0 (unused)
ppp_generic 20092 0 [ppp_async]
slhc 5072 0 [ppp_generic]
af_packet 13000 3 (autoclean)
ip_vs 74424 0 (autoclean)
sr_mod 15096 0 (autoclean)
floppy 49244 0
3c59x 27248 1 (autoclean)
tulip 41088 1 (autoclean)
supermount 14116 2 (autoclean)
ide-cd 30560 0
cdrom 27008 0 [sr_mod ide-cd]
ide-scsi 9552 0
scsi_mod 91060 2 [sr_mod ide-scsi]
printer 6944 0 (unused)
usb-uhci 21804 0 (unused)
usbcore 58368 1 [printer usb-uhci]
rtc 6556 0 (autoclean)
ext3 59916 4
jbd 38972 4 [ext3]
So, why O why, doesn't nat work?
(My Bonnie lies over the ocean...)
Am I missing something in the kernel?
Cheers,
--
Herman Oosthuysen
B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
* Re: Port forwarding now *almost* works...
2003-10-13 1:30 ` Herman
@ 2003-10-13 1:52 ` Herman
From: Herman @ 2003-10-13 1:52 UTC (permalink / raw)
To: netfilter
Aaaaaaaaahhhhh...
It appears that nat is *not* handled by iptable_nat as one would expect, or at
least not *only* by that one. The missing module is iptable_mangle and the
nice Redhat firewall script that I have been using, doesn't load that one,
saying that it is an unneeded kernel module - sigh.
Once I loaded that with:
iptables -F -t mangle
and added my rules again, they now show up in the nat list, although it still
doesn't friggen work. I think it is time to reboot the whole machine and
start over, but I thought I'll send this message first.
Wheee, at least now I'm getting somewhere and in another day or so I can stop
banging my head on the table - maybe.
Cheers,
--
Herman Oosthuysen
B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
* Re: Port forwarding doesn't work.
2003-10-12 22:04 ` Herman
2003-10-12 23:00 ` Herman
@ 2003-10-13 7:13 ` Gerd Zemella
2003-10-13 14:32 ` Adam D. Barratt
From: Gerd Zemella @ 2003-10-13 7:13 UTC (permalink / raw)
To: Herman; +Cc: netfilter
Hi Herman,
On Mon, 13.10.2003 at 00:04, Herman wrote:
> Well, here goes:
> iptables -t nat -I PREROUTING -d 192.168.10.100 -j DNAT --to 192.168.10.245
Did you write this --to? You must write --to-destination!
> iptables: Target problem
>
> At least, now the error message changed and the only difference from before is
> the -I instead of -A.
>
> So, with -A, I get Invalid Argument, and with -I, I get Target Problem. Both
> cases don't work and the rule doesn't get added.
>
> Can anybody give me a clue?
>
> Cheers,
* Re: Port forwarding doesn't work.
2003-10-13 1:17 ` Arnt Karlsen
@ 2003-10-13 13:06 ` Robert P. J. Day
2003-10-13 19:11 ` Arnt Karlsen
2003-10-13 18:05 ` Herman
From: Robert P. J. Day @ 2003-10-13 13:06 UTC (permalink / raw)
To: Arnt Karlsen; +Cc: netfilter
On Mon, 13 Oct 2003, Arnt Karlsen wrote:
> On Sun, 12 Oct 2003 18:40:27 -0600,
> Herman <Herman@AerospaceSoftware.com> wrote in message
> <200310121840.27031.Herman@AerospaceSoftware.com>:
>
> > The real problem that I'm trying to solve is this:
> > Several hosts need to access a gov service that uses Java and a certain
> > port.
>
> ..if these hosts are initiating this connection from your end,
> " -j ESTABLISHED,RELATED" should do it, instead of you
> running around chasing your tail.
i suspect you really meant -m state --state ESTABLISHED,RELATED.
rday
* Re: Port forwarding doesn't work.
2003-10-13 7:13 ` Port forwarding doesn't work Gerd Zemella
@ 2003-10-13 14:32 ` Adam D. Barratt
2003-10-13 15:02 ` Gerd Zemella
From: Adam D. Barratt @ 2003-10-13 14:32 UTC (permalink / raw)
To: netfilter
Gerd Zemella wrote, Monday, October 13, 2003 8:13 AM
[Please *don't* post HTML to the list]
> Hi Herman,
>
> On Mon, 13.10.2003 at 00:04, Herman wrote:
>
> > Well, here goes:
> > iptables -t nat -I PREROUTING -d 192.168.10.100 -j DNAT --to
192.168.10.245
>
> Did you write this --to? You must write --to-destination!
Nope. In context, --to is equivalent to --to-destination. There's absolutely
nothing wrong with using it in the manner above (in fact, every single DNAT
rule in our firewall script does -j DNAT --to).
Adam
* Re: Port forwarding doesn't work.
2003-10-13 14:32 ` Adam D. Barratt
@ 2003-10-13 15:02 ` Gerd Zemella
From: Gerd Zemella @ 2003-10-13 15:02 UTC (permalink / raw)
To: Adam D. Barratt; +Cc: netfilter
Oops, two faults. Too much for a Monday morning.....
On Mon, 13.10.2003 at 16:32, Adam D. Barratt wrote:
> Gerd Zemella wrote, Monday, October 13, 2003 8:13 AM
>
> [Please *don't* post HTML to the list]
>
> > Hi Herman,
> >
> > On Mon, 13.10.2003 at 00:04, Herman wrote:
> >
> > > Well, here goes:
> > > iptables -t nat -I PREROUTING -d 192.168.10.100 -j DNAT --to
> 192.168.10.245
> >
> > Did you write this --to? You must write --to-destination!
>
> Nope. In context, --to is equivalent to --to-destination. There's absolutely
> nothing wrong with using it in the manner above (in fact, every single DNAT
> rule in our firewall script does -j DNAT --to).
>
> Adam
>
>
* Re: Port forwarding doesn't work.
2003-10-13 1:17 ` Arnt Karlsen
2003-10-13 13:06 ` Robert P. J. Day
@ 2003-10-13 18:05 ` Herman
2003-10-13 19:31 ` Jeffrey Laramie
` (2 more replies)
From: Herman @ 2003-10-13 18:05 UTC (permalink / raw)
To: Arnt Karlsen, netfilter
On Sunday 12 October 2003 7:17 pm, Arnt Karlsen wrote:
> On Sun, 12 Oct 2003 18:40:27 -0600,
> Herman <Herman@AerospaceSoftware.com> wrote in message
> <200310121840.27031.Herman@AerospaceSoftware.com>:
> > The real problem that I'm trying to solve is this:
> > Several hosts need to access a gov service that uses Java and a certain
> > port.
> ..if these hosts are initiating this connection from your end,
> " -j ESTABLISHED,RELATED" should do it, instead of you
> running around chasing your tail.
Hi Arnt,
Could you please elaborate on that?
As far as I can see, the hosts are initiating the connection, but the port
must somehow be forwarded through the firewall snat box.
This is what I have:
echo " DNAT Forward port 3270 for Alberta Registries application on Pluto"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 3270 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3270 -j DNAT --to 192.168.10.1:3270
This is working now, provided that I use that specific IP address on the
inside - I had to load the iptable_mangle module, which made my problems go
away...
I don't understand how to add the ESTABLISHED,RELATED idea into this type of
rule.
Something like this:
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3270 -m state --state ESTABLISHED,RELATED
???
Cheers,
--
Herman Oosthuysen
B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
* Re: Port forwarding doesn't work.
2003-10-13 13:06 ` Robert P. J. Day
@ 2003-10-13 19:11 ` Arnt Karlsen
From: Arnt Karlsen @ 2003-10-13 19:11 UTC (permalink / raw)
To: netfilter
On Mon, 13 Oct 2003 09:06:29 -0400 (EDT),
"Robert P. J. Day" <rpjday@mindspring.com> wrote in message
<Pine.LNX.4.44.0310130905370.17437-100000@localhost.localdomain>:
> On Mon, 13 Oct 2003, Arnt Karlsen wrote:
>
> > On Sun, 12 Oct 2003 18:40:27 -0600,
> > Herman <Herman@AerospaceSoftware.com> wrote in message
> > <200310121840.27031.Herman@AerospaceSoftware.com>:
> >
> > > The real problem that I'm trying to solve is this:
> > > Several hosts need to access a gov service that uses Java and a
> > > certain port.
> >
> > ..if these hosts are initiating this connection from your end,
> > " -j ESTABLISHED,RELATED" should do it, instead of you
> > running around chasing your tail.
>
> i suspect you really meant -m state --state ESTABLISHED,RELATED.
..you suspect correctly. ;-) Above match -j ACCEPT , to complete what
I meant to say.
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: Port forwarding doesn't work.
2003-10-13 18:05 ` Herman
@ 2003-10-13 19:31 ` Jeffrey Laramie
2003-10-13 20:00 ` Jeffrey Laramie
2003-10-13 20:09 ` Arnt Karlsen
From: Jeffrey Laramie @ 2003-10-13 19:31 UTC (permalink / raw)
To: netfilter
Herman wrote:
>On Sunday 12 October 2003 7:17 pm, Arnt Karlsen wrote:
> On Sun, 12 Oct 2003 18:40:27 -0600,
> Herman <Herman@AerospaceSoftware.com> wrote in message
>
> <200310121840.27031.Herman@AerospaceSoftware.com>:
> > The real problem that I'm trying to solve is this:
> > Several hosts need to access a gov service that uses Java and a certain
> > port.
>
> ..if these hosts are initiating this connection from your end,
> " -j ESTABLISHED,RELATED" should do it, instead of you
> running around chasing your tail.
>
>
I don't have the whole thread so I apologize if I missed something. If
you are using SNAT the return packets should be RELATED or ESTABLISHED
and they can be passed back to your box without any further natting:
# Masquerade everything leaving the lan as the firewall IP.
iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
# This makes sure the returning packets make it through.
iptables -t filter -A INPUT -p all -m state --state RELATED,ESTABLISHED \
-j ACCEPT
Jeff
* Re: Port forwarding doesn't work.
2003-10-13 18:05 ` Herman
2003-10-13 19:31 ` Jeffrey Laramie
@ 2003-10-13 20:00 ` Jeffrey Laramie
2003-10-13 20:09 ` Arnt Karlsen
From: Jeffrey Laramie @ 2003-10-13 20:00 UTC (permalink / raw)
To: Herman; +Cc: Arnt Karlsen, netfilter
I almost forgot. You'll need the same line for your FORWARD chain:
iptables -t filter -A FORWARD -p all -m state --state \
RELATED,ESTABLISHED -j ACCEPT
Jeff
Herman wrote:
>On Sunday 12 October 2003 7:17 pm, Arnt Karlsen wrote:
> On Sun, 12 Oct 2003 18:40:27 -0600,
> Herman <Herman@AerospaceSoftware.com> wrote in message
>
> <200310121840.27031.Herman@AerospaceSoftware.com>:
> > The real problem that I'm trying to solve is this:
> > Several hosts need to access a gov service that uses Java and a certain
> > port.
>
> ..if these hosts are initiating this connection from your end,
> " -j ESTABLISHED,RELATED" should do it, instead of you
> running around chasing your tail.
>
>Hi Arnt,
>
>Could you please elaborate on that?
>
>As far as I can see, the hosts are initiating the connection, but the port
>must somehow be forwarded through the firewall snat box.
>
>This is what I have:
>echo " DNAT Forward port 3270 for Alberta Registries application on Pluto"
>$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 3270 -j ACCEPT
>$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3270 -j DNAT --to \
>192.168.10.1:3270
>
>This is working now, provided that I use that specific IP address on the
>inside - I had to load the iptable_mangle module, which made my problems go
>away...
>
>I don't understand how to add the ESTABLISHED,RELATED idea into this type of
>rule.
>
>Something like this:
>
>$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3270 -m state --state \
>ESTABLISHED,RELATED
>
>???
>
>
>Cheers,
>
>
* Re: Port forwarding doesn't work.
2003-10-13 18:05 ` Herman
2003-10-13 19:31 ` Jeffrey Laramie
2003-10-13 20:00 ` Jeffrey Laramie
@ 2003-10-13 20:09 ` Arnt Karlsen
2003-10-13 20:47 ` Herman
From: Arnt Karlsen @ 2003-10-13 20:09 UTC (permalink / raw)
To: netfilter
On Mon, 13 Oct 2003 12:05:55 -0600,
Herman <Herman@AerospaceSoftware.com> wrote in message
<200310131205.55401.Herman@AerospaceSoftware.com>:
> On Sunday 12 October 2003 7:17 pm, Arnt Karlsen wrote:
> On Sun, 12 Oct 2003 18:40:27 -0600,
> Herman <Herman@AerospaceSoftware.com> wrote in message
>
> <200310121840.27031.Herman@AerospaceSoftware.com>:
> > The real problem that I'm trying to solve is this:
> > Several hosts need to access a gov service that uses Java and a
> > certain port.
>
> ..if these hosts are initiating this connection from your end,
> " -j ESTABLISHED,RELATED" should do it, instead of you
> running around chasing your tail.
>
> Hi Arnt,
>
> Could you please elaborate on that?
..see Robert's correction to my post and my response.
> As far as I can see, the hosts are initiating the connection, but the
> port must somehow be forwarded through the firewall snat box.
>
> This is what I have:
> echo " DNAT Forward port 3270 for Alberta Registries application on Pluto"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 3270 -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3270 -j DNAT --to \
> 192.168.10.1:3270
..this looks like some ipfwadm (sp?) or ipchains-like kludge? Rip it out.
> This is working now, provided that I use that specific IP address on
> the inside - I had to load the iptable_mangle module, which made my
> problems go away...
>
> I don't understand how to add the ESTABLISHED,RELATED idea into this
> type of rule.
>
> Something like this:
>
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3270 -m state \
> --state ESTABLISHED,RELATED
..you don't need to specify interface nor protocol or ports other
than possibly to make data for the nice graphs. KISS: ;-)
# Accept everything connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED \
-j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
-j ACCEPT
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: Port forwarding doesn't work.
2003-10-13 20:09 ` Arnt Karlsen
@ 2003-10-13 20:47 ` Herman
From: Herman @ 2003-10-13 20:47 UTC (permalink / raw)
To: netfilter
On Monday 13 October 2003 2:09 pm, Arnt Karlsen wrote:
..you don't need to specify interface nor protocol or ports other
than possibly to make data for the nice graphs. KISS: ;-)
# Accept everything connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED \
-j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
-j ACCEPT
Wow, that is far simpler than anything I ever saw in any howto. I like it
and I'll sure try it.
I currently have this input rule:
# Allow any related traffic coming back to the MASQ server in
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
ESTABLISHED,RELATED -j ACCEPT
and these forward rules:
echo " - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
My snat masquerade rule looks like this:
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
Your suggestions will simplify these rules nicely.
The problem is that I'm not quite sure how the Java applet thing works -
whether the connection is established from the inside, or whether the gov
server starts it up from the outside, after the initial http connection -
they may be doing that for some security reason. If it is the latter, then
the established,related rules won't work and explicit port forwarding rules
would be required. To add to my woes, the gov server is down for maintenance
at the moment, so I can't test it properly.
Thanks,
--
Herman Oosthuysen
B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
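The rules traded back and forth above (Jeffrey's SNAT plus RELATED,ESTABLISHED rules, Arnt's two KISS state rules, and Herman's 3270 DNAT) fit together into one short script. The following is an added example, not code posted in the thread: it puts each rule in the table where it does its job, and it answers Herman's question about adding `-m state` to the PREROUTING rule by leaving state matching out of the nat table entirely, because the nat table is consulted only for the first packet of a connection and the state rules belong in the filter table. The interface names, the public address and the `--dry-run`/`--load` switches are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. A minimal stateful SNAT/DNAT
# ruleset combining Jeffrey's SNAT and state rules, Arnt's two KISS state
# rules and Herman's 3270 port forward. Interface names and the public
# address are assumptions for illustration. Run with --load to apply, or
# --dry-run (equivalently IPTABLES=echo) to print the rules without
# touching the kernel.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF="${EXTIF:-eth1}"             # assumed external (Internet) interface
INTIF="${INTIF:-eth0}"             # assumed LAN interface
EXTIP="${EXTIP:-203.0.113.10}"     # assumed public address (documentation range)
FWD_PORT="${FWD_PORT:-3270}"       # port from Herman's rule
FWD_DST="${FWD_DST:-192.168.10.1}" # inside host from Herman's rule

load_rules() {
    # Default deny in the filter table; the nat table is left at ACCEPT.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback, then everything conntrack already knows about (Arnt's two
    # rules). These live in the filter table: the nat table only sees the
    # first packet of a connection, so state matching there is moot.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections from the LAN towards the Internet may go out.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state NEW -j ACCEPT

    # Hide the LAN behind the firewall's public address (Jeffrey's SNAT).
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to-source "$EXTIP"

    # Inbound port forward. DNAT rewrites the destination in PREROUTING;
    # the FORWARD rule runs after that and sees the rewritten address, so
    # pin it to the DNAT target instead of accepting any inbound $FWD_PORT.
    # Replies to the forwarded flow ride the ESTABLISHED rule above.
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$FWD_DST:$FWD_PORT"
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$FWD_DST" \
        --dport "$FWD_PORT" -m state --state NEW -j ACCEPT
}

# Print the rules instead of loading them; the subshell keeps IPTABLES=echo
# from leaking into the caller.
rules_dry_run() {
    ( IPTABLES=echo; load_rules )
}

# Number of rules the dry run emits, for a quick sanity check.
rule_count() {
    rules_dry_run | wc -l | tr -d ' '
}

case "${1:-}" in
    --load)    load_rules ;;
    --dry-run) rules_dry_run ;;
esac
```

If the Java applet opens its connection from the inside, the SNAT and the two state rules are all that is needed and the PREROUTING/FORWARD pair for port 3270 can be deleted; that pair exposes the inside host to every address on the Internet, not just the government server, so keep it only while the server really does have to connect in.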
* Re: Invalid friggen argument
2003-10-12 7:41 Invalid friggen argument Herman
2003-10-12 11:08 ` Willy TARREAU
2003-10-12 17:44 ` Mark E. Donaldson
@ 2003-10-14 6:04 ` Joel Newkirk
2003-10-14 13:14 ` Herman
From: Joel Newkirk @ 2003-10-14 6:04 UTC (permalink / raw)
To: Herman; +Cc: netfilter
On Sun, 2003-10-12 at 03:41, Herman wrote:
> Hi everybody,
>
> I am trying to get port forwarding to work. I had it working some time ago
> gawdknows what changed...
>
> Now, I get this result with iptables 1.2.7a-2mdk and with 1.2.9rc1:
>
> # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6390 \
> -j DNAT --to 192.168.10.245
> iptables: Invalid argument
Have you checked lsmod, to make sure you have iptable_nat loaded? If
not, try "modprobe iptable_nat" then try your rule again.
j
* Re: Invalid friggen argument
2003-10-14 6:04 ` Invalid friggen argument Joel Newkirk
@ 2003-10-14 13:14 ` Herman
From: Herman @ 2003-10-14 13:14 UTC (permalink / raw)
To: netfilter
On Tuesday 14 October 2003 12:04 am, Joel Newkirk wrote:
Have you checked lsmod, to make sure you have iptable_nat loaded? If
not, try "modprobe iptable_nat" then try your rule again.
The trouble was not iptable_nat, but rather iptable_mangle. It seems that nat
doesn't work if iptable_mangle is not loaded - who woulda thunkit?
I was misled by a Red Hat script, which stated that it isn't needed for nat,
but apparently it is indeed.
Cheers,
--
Herman
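The thread ends with two different modules being blamed for the same "Invalid argument": Joel points at iptable_nat, Herman found iptable_mangle. Before editing rules, it is worth checking which of the netfilter modules are actually loaded. The following is an added example, not code from the thread: it reads lsmod output, reports every required module that is missing, and prints the modprobe that would load it without running anything itself. The required list is an assumption to adjust per kernel, and the sample lsmod output is constructed for the offline demo; a kernel with these compiled in does not list them at all, so the check only applies to modular builds.

```shell
#!/bin/sh
# Added example, not code from the thread: a preflight check for the
# netfilter modules this thread ended up needing on a modular 2.4-era
# kernel (Joel's iptable_nat, Herman's iptable_mangle, plus connection
# tracking). REQUIRED_MODULES is an assumption; adjust it to the kernel.
REQUIRED_MODULES="${REQUIRED_MODULES:-ip_conntrack iptable_nat iptable_mangle}"

# Constructed lsmod output for the offline demo: iptable_mangle is absent,
# the situation Herman describes.
SAMPLE_LSMOD='Module                  Size  Used by    Not tainted
iptable_nat            21720   1 (autoclean)
ip_conntrack           26976   1 (autoclean) [iptable_nat]
ipt_state                664   1 (autoclean)
ip_tables              15776   3 [iptable_nat ipt_state]'

# Read lsmod output on stdin; print each module named in $1 that is not
# loaded, one per line. Whole names in the first column are compared, so
# ip_tables does not count as a match for iptable_nat.
missing_modules() {
    loaded=$(awk 'NR > 1 { print $1 }')
    for m in $1; do
        printf '%s\n' "$loaded" | grep -qx -- "$m" || echo "$m"
    done
}

# Offline demo against the constructed sample.
demo_missing() {
    printf '%s\n' "$SAMPLE_LSMOD" | missing_modules "$REQUIRED_MODULES"
}

# Live check: report what is missing and the modprobe that would fix it.
# Nothing is loaded automatically; that stays an explicit root action.
live_check() {
    lsmod | missing_modules "$REQUIRED_MODULES" | while read -r m; do
        echo "missing: $m  (try: modprobe $m)"
    done
}

case "${1:-}" in
    --demo) demo_missing ;;
    --live) live_check ;;
esac
```

Run it with `--live` on the firewall before retrying the DNAT rule; if it reports nothing missing and the rule still fails with "Invalid argument", the remaining suspect is the kernel/iptables version mismatch Willy described.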
Thread overview: 29+ messages
2003-10-12 7:41 Invalid friggen argument Herman
2003-10-12 11:08 ` Willy TARREAU
2003-10-12 15:46 ` Herman
2003-10-12 17:44 ` Mark E. Donaldson
2003-10-12 18:18 ` Herman
2003-10-12 20:11 ` Port forwarding doesn't work Herman
2003-10-12 21:41 ` Gerd Zemella
2003-10-12 22:04 ` Herman
2003-10-12 23:00 ` Herman
2003-10-13 0:10 ` Philip Craig
2003-10-13 0:20 ` Herman
2003-10-13 0:40 ` Herman
2003-10-13 1:17 ` Arnt Karlsen
2003-10-13 13:06 ` Robert P. J. Day
2003-10-13 19:11 ` Arnt Karlsen
2003-10-13 18:05 ` Herman
2003-10-13 19:31 ` Jeffrey Laramie
2003-10-13 20:00 ` Jeffrey Laramie
2003-10-13 20:09 ` Arnt Karlsen
2003-10-13 20:47 ` Herman
2003-10-13 0:44 ` Chris Brenton
2003-10-13 1:17 ` Herman
2003-10-13 1:30 ` Herman
2003-10-13 1:52 ` Port forwarding now *almost* works Herman
2003-10-13 7:13 ` Port forwarding doesn't work Gerd Zemella
2003-10-13 14:32 ` Adam D. Barratt
2003-10-13 15:02 ` Gerd Zemella
2003-10-14 6:04 ` Invalid friggen argument Joel Newkirk
2003-10-14 13:14 ` Herman