LinuxQuestions.org
Old 01-25-2004, 11:01 PM   #1
blackphiber
LQ Newbie
 
Registered: Sep 2003
Location: US
Distribution: Fedora Core 2
Posts: 26

Rep: Reputation: 15
External MASQ ICMP forwarding test fails


Hi, I am trying to get NAT working but I am having some trouble on this step

http://en.tldp.org/HOWTO/IP-Masquera...masq-icmp.html

I looked on Google but the only answer I found was for people using ipchains; I am using iptables. I am using the 2.6 kernel, which may be a problem, and also when I try to start it up I get the following output:

[root@x1-6-00-09-5b-62-fe-80 sbin]# /etc/rc.d/rc.firewall-2.4


Loading simple rc.firewall version 0.75..

External Interface: eth0
Internal Interface: eth1
loading modules: - Verifying that all kernel modules are ok
----------------------------------------------------------------------
ip_tables, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, iptable_nat, ip_nat_ftp, ----------------------------------------------------------------------
Done loading modules.

Enabling forwarding..
Enabling DynamicAddr..
Clearing any existing rules and setting default policy..
FWD: Allow all connections OUT and only existing and related ones IN
Enabling SNAT (MASQUERADE) functionality on eth0
iptables: Invalid argument

Done.

[root@x1-6-00-09-5b-62-fe-80 sbin]#

I did do a 'whereis iptables' and it said /sbin/iptables so that's what I set in my rc.firewall-2.4 file. All of the other tests work, I am just having trouble getting past this one.
Someone told me that it's probably because the kernel is not compiled correctly. Any other ideas/suggestions so I can get it working? Thanks.
 
Old 01-26-2004, 12:08 AM   #2
Half_Elf
Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Rep: Reputation: 45
naw, the problem is about your PATH prolly
try echo $PATH before you try to run your firewall... /sbin is probably not in your PATH at this time (you are running it at boot time right?).
Or maybe you are not root?

...

or maybe you typed a very bad command; if the command does not seem to end on a line, iptables reads the next line (beginning with "iptables" probably). Could you post that command?
 
Old 01-26-2004, 04:08 PM   #3
blackphiber
LQ Newbie
 
Registered: Sep 2003
Location: US
Distribution: Fedora Core 2
Posts: 26

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Half_Elf
naw, the problem is about your PATH prolly
try echo $PATH before you try to run your firewall... /sbin is probably not in your PATH at this time (you are running it at boot time right?).
Or maybe you are not root?

...

or maybe you typed a very bad command; if the command does not seem to end on a line, iptables reads the next line (beginning with "iptables" probably). Could you post that command?
Yes, I am running it at boot time like the howto says. Should I put 'echo $PATH' at the beginning of my file? (I copied it from this example: http://www.ecst.csuchico.edu/~dranch...c.firewall-2.4 )

I was root when I tried it. All I typed in was this: /etc/rc.d/rc.firewall-2.4

Is that what you mean? Sorry, but this is all a little bit new to me. Thanks for the help though. I also did 'chmod 700 /etc/rc.d/rc.firewall-2.4' like the howto said. The NAT server can ping external IPs but not the internal clients.
 
Old 01-26-2004, 09:37 PM   #4
blackphiber
LQ Newbie
 
Registered: Sep 2003
Location: US
Distribution: Fedora Core 2
Posts: 26

Original Poster
Rep: Reputation: 15
Ok, well I tried the quick tutorial http://tldp.org/HOWTO/Masquerading-S...O/summary.html and when I enter

[root@x1-6-00-09-5b-62-fe-80 thomas]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 67.167.203.xxx
iptables: Invalid argument
[root@x1-6-00-09-5b-62-fe-80 thomas]#

the same thing happens. (of course I blocked out my ip with xxx so people don't try to mess with me.) Anyone have any ideas? I am running iptables 1.2.9 and the 2.6 kernel. It could be because this is Mandrake Cooker. Thanks yet again. I think I might wait for Fedora Core 2 or just get core 1 and try, one of my friends got it working that way.

*EDIT
here we go, looks like I have to recompile iptables by myself, problem between the kernel and iptables, http://archives.mandrakelinux.com/fi...2/msg00103.php

Last edited by blackphiber; 01-26-2004 at 09:53 PM.
 
Old 01-27-2004, 05:57 AM   #5
Half_Elf
Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Rep: Reputation: 45
Code:
 iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 67.167.203.xxx
This line has a syntax error. "--to" isn't an option, you probably want to use "--to-source".

Iptables error messages are sometimes confusing.
 
Old 01-27-2004, 05:15 PM   #6
blackphiber
LQ Newbie
 
Registered: Sep 2003
Location: US
Distribution: Fedora Core 2
Posts: 26

Original Poster
Rep: Reputation: 15
humm... well here is my output with your suggestion:

[root@x1-6-00-09-5b-62-fe-80 thomas]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 67.167.203.189
bash: iptables: command not found
[root@x1-6-00-09-5b-62-fe-80 thomas]#

I am going to try fedora now.
 
Old 01-27-2004, 06:48 PM   #7
Half_Elf
Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Rep: Reputation: 45
The "iptables: command not found" error is a problem with your PATH, as stated before.
echo your PATH and give the output please.
Or if you don't want to mess with it, you can type the complete path like /sbin/iptables or /usr/sbin/iptables (depending on where it is on your system) instead of just "iptables".

Btw, if you want to stop using Linux at the first difficulty (trying another distro won't help you, no one will do everything for you like Windoze does) you're probably not ready for it.
 
Old 01-27-2004, 08:44 PM   #8
blackphiber
LQ Newbie
 
Registered: Sep 2003
Location: US
Distribution: Fedora Core 2
Posts: 26

Original Poster
Rep: Reputation: 15
[root@x1-6-00-09-5b-62-fe-80 thomas]# echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/home/thomas/bin
[root@x1-6-00-09-5b-62-fe-80 thomas]#


And don't worry, I am not going to give up. Oh, and /sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 67.167.203.189 worked. Any idea on how I can get that script working (/etc/rc.d/rc.firewall-2.4)?

The output from /etc/rc.d/rc.firewall-2.4 is now:

[root@x1-6-00-09-5b-62-fe-80 sbin]# /etc/rc.d/rc.firewall-2.4

Loading simple rc.firewall version 0.75..

External Interface: eth0
Internal Interface: eth1
loading modules: - Verifying that all kernel modules are ok

rc.firewall-2.4 v0.75 done.

[root@x1-6-00-09-5b-62-fe-80 sbin]#

but still I cannot ping external addresses from internal hosts. Thanks yet again

Last edited by blackphiber; 01-27-2004 at 08:48 PM.
 
Old 01-27-2004, 08:52 PM   #9
Half_Elf
Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Rep: Reputation: 45
Quote:
[root@x1-6-00-09-5b-62-fe-80 thomas]# echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/home/thomas/bin
[root@x1-6-00-09-5b-62-fe-80 thomas]#
As you see in your PATH, /sbin and /usr/sbin aren't there.
You could try to edit /etc/profile to add this to the path (to add, use a command like: PATH="$PATH:/usr/sbin:/sbin")

Or easier you could just use a variable in the rc.iptables script
open it and create a variable (as example : IPTABLES="/sbin/iptables")
then use it instead of "iptables" (examples : $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 67.167.203.189)
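
The variable approach suggested in the post above, carried a step further as an added example (not code from the thread or from the rc.firewall script): a preamble that resolves iptables from fixed system directories, so a root script neither fails on nor trusts the caller's PATH, and reports which of those directories the PATH lacks. The function names and the TRUSTED_DIRS list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): make a root firewall script independent
# of the caller's PATH. Function names and TRUSTED_DIRS are hypothetical.

TRUSTED_DIRS="/sbin /usr/sbin /usr/local/sbin"

# missing_sbin_dirs PATHSTRING: print the trusted dirs absent from PATHSTRING.
missing_sbin_dirs() {
    out=""
    for d in $TRUSTED_DIRS; do
        case ":$1:" in
            *":$d:"*) ;;                      # already a PATH component
            *) out="${out:+$out }$d" ;;
        esac
    done
    printf '%s\n' "$out"
}

# find_tool NAME [DIR...]: print the absolute path of the first regular,
# executable file called NAME in the given dirs (default: TRUSTED_DIRS).
# $PATH is never consulted, so a user-writable PATH entry cannot shadow it.
find_tool() {
    name=$1; shift
    [ "$#" -gt 0 ] || set -- $TRUSTED_DIRS
    for d in "$@"; do
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# Report only; the rules themselves belong to the script using this preamble,
# which would then call "$IPTABLES" instead of a bare "iptables".
if IPTABLES=$(find_tool iptables); then
    echo "using $IPTABLES"
else
    echo "iptables not found in: $TRUSTED_DIRS" >&2
fi
m=$(missing_sbin_dirs "$PATH")
[ -z "$m" ] || echo "note: PATH lacks: $m" >&2
```
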
 
Old 01-27-2004, 08:56 PM   #10
blackphiber
LQ Newbie
 
Registered: Sep 2003
Location: US
Distribution: Fedora Core 2
Posts: 26

Original Poster
Rep: Reputation: 15
**EDITED, see below.
thanks for the quick response. I did make a small mistake but still I am having some problems, I am going to try what you said right now, I will let you know how it goes.

OK, so here is my /etc/profile:
Code:
# /etc/profile

# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc

pathmunge () {
	if ! echo $PATH | /bin/egrep -q "(^|:)$1($|:)" ; then
	   if [ "$2" = "after" ] ; then
	      PATH=$PATH:$1
	   else
	      PATH=$1:$PATH
	   fi
	fi
}

# Path manipulation
if [ `id -u` = 0 ]; then
	pathmunge /sbin
	pathmunge /usr/sbin
	pathmunge /usr/local/sbin
fi

pathmunge /usr/X11R6/bin after

unset pathmunge

# No core files by default
ulimit -S -c 0 > /dev/null 2>&1

USER="`id -un`"
LOGNAME=$USER
MAIL="/var/spool/mail/$USER"

HOSTNAME=`/bin/hostname`
HISTSIZE=1000

if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ]; then
    INPUTRC=/etc/inputrc
fi

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE INPUTRC

for i in /etc/profile.d/*.sh ; do
    if [ -r "$i" ]; then
    	. $i
    fi
done

unset i
What would I change?

Oh also now this is what I get for rc.firewall-2.4:
Code:
[root@x1-6-00-09-5b-62-fe-80 sbin]# /etc/rc.d/rc.firewall-2.4
                                                                                
                                                                                
Loading simple rc.firewall version 0.75..
 
   External Interface:  eth0
   Internal Interface:  eth1
   loading modules:   - Verifying that all kernel modules are ok
----------------------------------------------------------------------
ip_tables, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, iptable_nat, ip_nat_ftp, ----------------------------------------------------------------------
   Done loading modules.
 
   Enabling forwarding..
   Enabling DynamicAddr..
   Clearing any existing rules and setting default policy..
   FWD: Allow all connections OUT and only existing and related ones IN
   Enabling SNAT (MASQUERADE) functionality on eth0
 
Done.
 
[root@x1-6-00-09-5b-62-fe-80 sbin]#
It looks like it ought to be working, well thanks yet again.

*****EDIT: It's working, thanks a lot, stupid me just had to enter the gateway address. Well I am still a bit of a newbie, hopefully anyone who is trying to get this working finds this thread helpful.

Last edited by blackphiber; 01-27-2004 at 09:12 PM.
 
  

