LinuxQuestions.org

iptables question (https://www.linuxquestions.org/questions/linux-newbie-8/iptables-question-4175451819/)

mboncalo 02-26-2013 05:14 PM

iptables question
 
Code:

root@vps:/# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source            destination
Chain FORWARD (policy ACCEPT)
target    prot opt source            destination
ACCEPT    all -- anywhere            anywhere
ACCEPT    all -- anywhere            anywhere
ACCEPT    all -- anywhere            anywhere
Chain OUTPUT (policy ACCEPT)
target    prot opt source            destination

Code:

root@vps:/# iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE
iptables: No chain/target/match by that name.

Code:

root@vps:/# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1072 (1.0 KiB)  TX bytes:1072 (1.0 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.17.0.1  P-t-P:172.17.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:10247 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8840 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3169337 (3.0 MiB)  TX bytes:1197967 (1.1 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:188.241.154.65  P-t-P:188.241.154.65  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:188.241.154.66  P-t-P:188.241.154.66  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

Do I receive this error because I don't have a POSTROUTING chain, or what is the problem? How can I solve it?

Ser Olmy 02-26-2013 06:06 PM

If iptables won't accept rules for the "nat" table, your kernel may lack NAT support.

Try:
Code:

zcat /proc/config.gz | grep NAT_IPV4
If it returns CONFIG_NF_NAT_IPV4=n, you'll need to replace/recompile your kernel.

(PS: Matching aliases with -i or -o won't work; -o venet0:0 will be interpreted as -o venet0.)

mboncalo 02-27-2013 03:22 AM

Code:

root@vps:/# zcat /proc/config.gz | grep NAT_IPV4
gzip: /proc/config.gz: No such file or directory


mboncalo 02-27-2013 03:28 AM

Code:

root@vps:/# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target    prot opt source            destination
Chain POSTROUTING (policy ACCEPT)
target    prot opt source            destination
Chain OUTPUT (policy ACCEPT)
target    prot opt source            destination
root@vps:/# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source            destination
Chain FORWARD (policy ACCEPT)
target    prot opt source            destination
ACCEPT    all -- anywhere            anywhere
ACCEPT    all -- anywhere            anywhere
ACCEPT    all -- anywhere            anywhere
Chain OUTPUT (policy ACCEPT)
target    prot opt source            destination
root@vps:/# iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE
iptables: No chain/target/match by that name.
root@vps:/# lsmod
Module                Size Used by
root@vps:/#

Still, the same thing happens.

Code:

root@vps:/# iptables -N POSTROUTING
root@vps:/# iptables -N PREROUTING
root@vps:/# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

Chain POSTROUTING (0 references)
target    prot opt source              destination

Chain PREROUTING (0 references)
target    prot opt source              destination
root@vps:/# iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE
iptables: No chain/target/match by that name.

Code:

root@vps:~# cat /proc/net/ip_tables_matches
icmp
statistic
length
ttl
tcpmss
tos
owner
recent
comment
limit
string
udp
tcp
multiport
multiport


Ser Olmy 02-27-2013 05:51 AM

Quote:

Originally Posted by mboncalo (Post 4900658)
Code:

root@vps:/# zcat /proc/config.gz | grep NAT_IPV4
gzip: /proc/config.gz: No such file or directory


OK, your kernel doesn't support /proc/config.gz.

The output from iptables shows that the kernel definitely supports the "nat" table. The problem could be lacking support for the MASQUERADE target. Try using the SNAT target instead (-j SNAT --to-source <NAT IP>).

mboncalo 02-27-2013 01:27 PM

Since I'm using a VPS on OpenVZ, I found out that OpenVZ has some problems with iptables and MASQUERADE does not work. I found another way, but it doesn't work either.
Code:

root@vps:/# iptables -t nat -A POSTROUTING -o venet0:0 -j SNAT -to 188.241.154.65
Bad argument `188.241.154.65'
Try `iptables -h' or 'iptables --help' for more information.


mboncalo 02-27-2013 01:30 PM

Code:

root@vps:/# lsmod
Module                  Size  Used by
root@vps:/# modprobe ip_conntrack_ftp
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module ip_conntrack_ftp not found.
root@vps:/# modprobe iptable_nat
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module iptable_nat not found.
root@vps:/# modprobe ip_nat_ftp
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module ip_nat_ftp not found.
root@vps:/# LSMOD
-bash: LSMOD: command not found
root@vps:/# lsmod
Module                  Size  Used by
root@vps:/#


mboncalo 02-28-2013 06:00 AM

I solved the iptables problem, but my client couldn't connect to the server. I realised that this is because I am on a restricted network and I must use port 443 instead of 1194. After modifying openvpn.conf to change the port, I don't know when, my tun interface is not active anymore and the openvpn service fails to start.

I succeeded in connecting to the VPN server, but nothing happens: I still have the same IP address, and my ports aren't open, which is the sole purpose of this.
Code:

root@vps:/etc/openvpn# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
root@vps:/etc/openvpn# iptables-save
# Generated by iptables-save v1.4.8 on Fri Mar  1 04:41:23 2013
*mangle
:PREROUTING ACCEPT [41806:18583907]
:INPUT ACCEPT [41806:18583907]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34220:5308174]
:POSTROUTING ACCEPT [34220:5308174]
COMMIT
# Completed on Fri Mar  1 04:41:23 2013
# Generated by iptables-save v1.4.8 on Fri Mar  1 04:41:23 2013
*filter
:INPUT ACCEPT [13728:3337016]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10533:1340221]
-A FORWARD -i tun0 -o venet0:0 -j ACCEPT
-A FORWARD -i tun0 -o venet0 -j ACCEPT
COMMIT
# Completed on Fri Mar  1 04:41:23 2013
# Generated by iptables-save v1.4.8 on Fri Mar  1 04:41:23 2013
*nat
:PREROUTING ACCEPT [726:62323]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1896:123246]
-A POSTROUTING -o venet0 -j SNAT --to-source 188.241.154.65
COMMIT
# Completed on Fri Mar  1 04:41:23 2013
root@vps:/etc/openvpn# netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 0.0.0.0:443            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:1723            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:445            0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:587          0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:139            0.0.0.0:*              LISTEN
tcp        0      0 10.8.0.1:53            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*              LISTEN
tcp        0      0 188.241.154.66:53      0.0.0.0:*              LISTEN
tcp        0      0 188.241.154.65:53      0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:953          0.0.0.0:*              LISTEN
tcp        0    784 188.241.154.66:22      223.4.4.11:38665        ESTABLISHED
tcp        0    284 188.241.154.65:22      95.76.222.66:2961      ESTABLISHED
tcp        0      0 188.241.154.65:22      95.76.222.66:3149      ESTABLISHED
udp        0      0 10.8.0.1:53            0.0.0.0:*
udp        0      0 188.241.154.66:53      0.0.0.0:*
udp        0      0 188.241.154.65:53      0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 188.241.154.65:137      0.0.0.0:*
udp        0      0 188.241.154.65:137      0.0.0.0:*
udp        0      0 188.241.154.66:137      0.0.0.0:*
udp        0      0 188.241.154.66:137      0.0.0.0:*
udp        0      0 0.0.0.0:137            0.0.0.0:*
udp        0      0 188.241.154.65:138      0.0.0.0:*
udp        0      0 188.241.154.65:138      0.0.0.0:*
udp        0      0 188.241.154.66:138      0.0.0.0:*
udp        0      0 188.241.154.66:138      0.0.0.0:*
udp        0      0 0.0.0.0:138            0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags      Type      State        I-Node  Path
unix  2      [ ACC ]    STREAM    LISTENING    1689715349 /var/run/sendmail/mta/smcontrol
unix  2      [ ACC ]    STREAM    LISTENING    1689713280 /var/run/saslauthd/mux
unix  8      [ ]        DGRAM                    1689713356 /dev/log
unix  3      [ ]        STREAM    CONNECTED    2024717623
unix  3      [ ]        STREAM    CONNECTED    2024717622
unix  2      [ ]        DGRAM                    2008387544
unix  2      [ ]        DGRAM                    1973859243
unix  2      [ ]        DGRAM                    1689735495
unix  2      [ ]        DGRAM                    1689715328
unix  2      [ ]        DGRAM                    1689714368
unix  2      [ ]        DGRAM                    1689713509


Code:

root@vps:/etc/openvpn# iptables -A FORWARD -i venet0:0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name.

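As an added example (not part of the thread, and not the poster's final configuration): a small POSIX shell script that builds the NAT and FORWARD rules from what the kernel actually lists in /proc/net/ip_tables_targets and /proc/net/ip_tables_matches, the way Ser Olmy's SNAT substitution and the failed "-m state" rule above suggest, and that strips the alias suffix iptables cannot match. The interface names, the public address, the 10.8.0.0/24 VPN subnet and the sample capability lists are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or its posters: generate an
# iptables-restore ruleset for an OpenVPN server inside an OpenVZ container,
# using only the NAT targets and matches the kernel exposes. Interface names,
# the 10.8.0.0/24 VPN subnet and the sample capability lists are assumptions.

# iptables -i/-o match devices, not aliases: "venet0:0" is only an extra
# address on venet0, so strip the ":N" suffix before building a rule.
base_iface() {
    printf '%s\n' "$1" | sed 's/:.*$//'
}

# Exact-name lookup in a capability list. On a live host pass
# /proc/net/ip_tables_targets or /proc/net/ip_tables_matches; a file path is
# taken so the same code can run against the constructed samples below.
has_cap() {
    grep -qx "$2" "$1"
}

# nat_rule TARGETS WAN_IFACE PUBLIC_IP VPN_SUBNET
# POSTROUTING rule: MASQUERADE if the kernel lists it, otherwise SNAT with an
# explicit --to-source (the substitution the thread ends up using). Restrict
# the rule to the VPN subnet so the container's own traffic is untouched.
nat_rule() {
    wan="$(base_iface "$2")"
    if has_cap "$1" MASQUERADE; then
        printf '%s\n' "-A POSTROUTING -s $4 -o $wan -j MASQUERADE"
    elif has_cap "$1" SNAT; then
        printf '%s\n' "-A POSTROUTING -s $4 -o $wan -j SNAT --to-source $3"
    else
        echo "no NAT target listed; check the container's IPTABLES= setting" >&2
        return 1
    fi
}

# forward_rules MATCHES WAN_IFACE TUN_IFACE VPN_SUBNET
# FORWARD rules for the tunnel <-> public device. The return-path rule uses
# the state match only when it is listed; the thread's container had no
# "state" in ip_tables_matches, which is why "-m state" failed with
# "No chain/target/match by that name". Without any connection-tracking
# match the fallback is address-based and weaker: anything addressed to the
# VPN subnet is forwarded, not only replies.
forward_rules() {
    wan="$(base_iface "$2")"
    printf '%s\n' "-A FORWARD -i $3 -o $wan -s $4 -j ACCEPT"
    if has_cap "$1" state; then
        printf '%s\n' "-A FORWARD -i $wan -o $3 -m state --state RELATED,ESTABLISHED -j ACCEPT"
    elif has_cap "$1" conntrack; then
        printf '%s\n' "-A FORWARD -i $wan -o $3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    else
        printf '%s\n' "-A FORWARD -i $wan -o $3 -d $4 -j ACCEPT"
    fi
}

# ruleset TARGETS MATCHES WAN_IFACE PUBLIC_IP TUN_IFACE VPN_SUBNET
# Complete iptables-restore input. FORWARD defaults to DROP so only the rules
# above permit forwarding through the container.
ruleset() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    nat_rule "$1" "$3" "$4" "$6" || return 1
    printf '%s\n' 'COMMIT' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    forward_rules "$2" "$3" "$5" "$6"
    printf '%s\n' 'COMMIT'
}

# Constructed sample lists mirroring the container in the thread: SNAT but no
# MASQUERADE, and no state/conntrack match.
SAMPLE_TARGETS="$(mktemp)"
SAMPLE_MATCHES="$(mktemp)"
printf '%s\n' SNAT DNAT REJECT LOG > "$SAMPLE_TARGETS"
printf '%s\n' icmp length ttl tcp udp multiport > "$SAMPLE_MATCHES"

# On the real host (as root), after enabling forwarding:
#   sysctl -w net.ipv4.ip_forward=1
#   ruleset /proc/net/ip_tables_targets /proc/net/ip_tables_matches \
#           venet0:0 188.241.154.65 tun0 10.8.0.0/24 | iptables-restore
ruleset "$SAMPLE_TARGETS" "$SAMPLE_MATCHES" venet0:0 188.241.154.65 tun0 10.8.0.0/24
```

Run against the sample lists it prints an SNAT rule on venet0 (not venet0:0) and the address-based FORWARD fallback; on a host whose matches list includes state it switches to the RELATED,ESTABLISHED rule automatically. Note that the script only generates text; nothing is applied unless you pipe it into iptables-restore yourself.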

mboncalo 03-01-2013 10:44 AM

I made some modifications in the openvpn config files and remade the iptables rules, and now it works.

Problem solved.

colingpt 09-21-2015 10:52 AM

Quote:

Originally Posted by mboncalo (Post 4902534)
I made some modifications in the openvpn config files and remade the iptables rules, and now it works.

Problem solved.

Hi there,

Can you please share what you modified to make iptables NAT work on OpenVZ?

I get the same problem while using POSTROUTING:

Code:

iptables -t nat -A POSTROUTING -o venet0:0 -j SNAT -to 45.124.67.216
Warning: wierd character in interface `venet0:0' (No aliases, :, ! or *).
Bad argument `45.124.67.216'
Try `iptables -h' or 'iptables --help' for more information.

and
Quote:

iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE
I'm using OpenVZ CentOS 5 to establish an L2TP VPN with SoftEther, which works fine when Debian is installed. However, under CentOS, I can reach the point of getting a connection, but the client cannot get an IP address.

Please give advice if you can.
Thank you very much.

