LinuxQuestions.org
Old 02-26-2013, 05:14 PM   #1
mboncalo
LQ Newbie
 
Registered: Feb 2013
Posts: 7

Rep: Reputation: Disabled
iptables question


Code:
root@vps:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source             destination
Chain FORWARD (policy ACCEPT)
target     prot opt source             destination
ACCEPT     all -- anywhere             anywhere
ACCEPT     all -- anywhere             anywhere
ACCEPT     all -- anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source             destination
Code:
root@vps:/# iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE
iptables: No chain/target/match by that name.
Code:
root@vps:/# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1072 (1.0 KiB)  TX bytes:1072 (1.0 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.17.0.1  P-t-P:172.17.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:10247 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8840 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3169337 (3.0 MiB)  TX bytes:1197967 (1.1 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:188.241.154.65  P-t-P:188.241.154.65  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:188.241.154.66  P-t-P:188.241.154.66  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
Do I receive this error because I don't have a POSTROUTING chain, or what is the problem? How can I solve it?

Last edited by mboncalo; 02-26-2013 at 05:16 PM. Reason: forgot something that might be asked later
 
Old 02-26-2013, 06:06 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 1,955

Rep: Reputation: Disabled
If iptables won't accept rules for the "nat" table, your kernel may lack NAT support.

Try:
Code:
zcat /proc/config.gz | grep NAT_IPV4
If it returns CONFIG_NF_NAT_IPV4=n, you'll need to replace/recompile your kernel.

(PS: Matching aliases with -i or -o won't work; -o venet0:0 will be interpreted as -o venet0.)
 
Old 02-27-2013, 03:22 AM   #3
mboncalo
LQ Newbie
 
Registered: Feb 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
Code:
root@vps:/# zcat /proc/config.gz | grep NAT_IPV4
gzip: /proc/config.gz: No such file or directory
 
Old 02-27-2013, 03:28 AM   #4
mboncalo
LQ Newbie
 
Registered: Feb 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
Code:
root@vps:/# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source             destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source             destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source             destination
root@vps:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source             destination
Chain FORWARD (policy ACCEPT)
target     prot opt source             destination
ACCEPT     all -- anywhere             anywhere
ACCEPT     all -- anywhere             anywhere
ACCEPT     all -- anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source             destination
root@vps:/# iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE
iptables: No chain/target/match by that name.
root@vps:/# lsmod
Module                 Size Used by
root@vps:/#
Still, the same thing happens.

Code:
root@vps:/# iptables -N POSTROUTING
root@vps:/# iptables -N PREROUTING
root@vps:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (0 references)
target     prot opt source               destination

Chain PREROUTING (0 references)
target     prot opt source               destination
root@vps:/# iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE
iptables: No chain/target/match by that name.
Code:
root@vps:~# cat /proc/net/ip_tables_matches
icmp
statistic
length
ttl
tcpmss
tos
owner
recent
comment
limit
string
udp
tcp
multiport
multiport

Last edited by mboncalo; 02-27-2013 at 04:43 AM.
 
Old 02-27-2013, 05:51 AM   #5
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 1,955

Rep: Reputation: Disabled
Quote:
Originally Posted by mboncalo
Code:
root@vps:/# zcat /proc/config.gz | grep NAT_IPV4
gzip: /proc/config.gz: No such file or directory
OK, your kernel doesn't support /proc/config.gz.

The output from iptables shows that the kernel definitely supports the "nat" table. The problem could be lacking support for the MASQUERADE target. Try using the SNAT target instead (-j SNAT --to-source <NAT IP>).
 
Old 02-27-2013, 01:27 PM   #6
mboncalo
LQ Newbie
 
Registered: Feb 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
I'm using a VPS on OpenVZ, and I found out that OpenVZ has some problems with iptables and MASQUERADE does not work. I found another way, but it doesn't work either.
Code:
root@vps:/# iptables -t nat -A POSTROUTING -o venet0:0 -j SNAT -to 188.241.154.65
Bad argument `188.241.154.65'
Try `iptables -h' or 'iptables --help' for more information.
 
Old 02-27-2013, 01:30 PM   #7
mboncalo
LQ Newbie
 
Registered: Feb 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
Code:
root@vps:/# lsmod
Module                  Size  Used by
root@vps:/# modprobe ip_conntrack_ftp
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module ip_conntrack_ftp not found.
root@vps:/# modprobe iptable_nat
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module iptable_nat not found.
root@vps:/# modprobe ip_nat_ftp
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module ip_nat_ftp not found.
root@vps:/# LSMOD
-bash: LSMOD: command not found
root@vps:/# lsmod
Module                  Size  Used by
root@vps:/#
 
Old 02-28-2013, 06:00 AM   #8
mboncalo
LQ Newbie
 
Registered: Feb 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
I solved the iptables problem, but my client couldn't connect to the server. I realised that this is because I am on a restricted network and I must use port 443 instead of 1194. After modifying openvpn.conf to change the port, I don't know when, my tun interface is not active anymore and the openvpn service fails to start.

I succeeded in connecting to the VPN server, but nothing happens: I still have the same IP address and my ports aren't open, which is the sole purpose of this.
Code:
root@vps:/etc/openvpn# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@vps:/etc/openvpn# iptables-save
# Generated by iptables-save v1.4.8 on Fri Mar  1 04:41:23 2013
*mangle
:PREROUTING ACCEPT [41806:18583907]
:INPUT ACCEPT [41806:18583907]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34220:5308174]
:POSTROUTING ACCEPT [34220:5308174]
COMMIT
# Completed on Fri Mar  1 04:41:23 2013
# Generated by iptables-save v1.4.8 on Fri Mar  1 04:41:23 2013
*filter
:INPUT ACCEPT [13728:3337016]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10533:1340221]
-A FORWARD -i tun0 -o venet0:0 -j ACCEPT
-A FORWARD -i tun0 -o venet0 -j ACCEPT
COMMIT
# Completed on Fri Mar  1 04:41:23 2013
# Generated by iptables-save v1.4.8 on Fri Mar  1 04:41:23 2013
*nat
:PREROUTING ACCEPT [726:62323]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1896:123246]
-A POSTROUTING -o venet0 -j SNAT --to-source 188.241.154.65
COMMIT
# Completed on Fri Mar  1 04:41:23 2013
root@vps:/etc/openvpn# netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 10.8.0.1:53             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 188.241.154.66:53       0.0.0.0:*               LISTEN
tcp        0      0 188.241.154.65:53       0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0    784 188.241.154.66:22       223.4.4.11:38665        ESTABLISHED
tcp        0    284 188.241.154.65:22       95.76.222.66:2961       ESTABLISHED
tcp        0      0 188.241.154.65:22       95.76.222.66:3149       ESTABLISHED
udp        0      0 10.8.0.1:53             0.0.0.0:*
udp        0      0 188.241.154.66:53       0.0.0.0:*
udp        0      0 188.241.154.65:53       0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 188.241.154.65:137      0.0.0.0:*
udp        0      0 188.241.154.65:137      0.0.0.0:*
udp        0      0 188.241.154.66:137      0.0.0.0:*
udp        0      0 188.241.154.66:137      0.0.0.0:*
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 188.241.154.65:138      0.0.0.0:*
udp        0      0 188.241.154.65:138      0.0.0.0:*
udp        0      0 188.241.154.66:138      0.0.0.0:*
udp        0      0 188.241.154.66:138      0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     1689715349 /var/run/sendmail/mta/smcontrol
unix  2      [ ACC ]     STREAM     LISTENING     1689713280 /var/run/saslauthd/mux
unix  8      [ ]         DGRAM                    1689713356 /dev/log
unix  3      [ ]         STREAM     CONNECTED     2024717623
unix  3      [ ]         STREAM     CONNECTED     2024717622
unix  2      [ ]         DGRAM                    2008387544
unix  2      [ ]         DGRAM                    1973859243
unix  2      [ ]         DGRAM                    1689735495
unix  2      [ ]         DGRAM                    1689715328
unix  2      [ ]         DGRAM                    1689714368
unix  2      [ ]         DGRAM                    1689713509

Code:
root@vps:/etc/openvpn# iptables -A FORWARD -i venet0:0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name.

Last edited by mboncalo; 02-28-2013 at 06:58 PM.
 
Old 03-01-2013, 10:44 AM   #9
mboncalo
LQ Newbie
 
Registered: Feb 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
I made some modifications in the openvpn config files and remade the iptables rules, and now it works.

Problem solved.
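
Added example (not from any poster in this thread): a shell sketch that picks NAT and return-traffic rules from the extensions the container actually lists, which is what every "No chain/target/match by that name" error above comes down to; the match list posted in #4, for instance, has no `state` entry. The function names are hypothetical, the rules are printed rather than applied, and it assumes `/proc/net/ip_tables_targets` and `/proc/net/ip_tables_matches` are authoritative because modules cannot be loaded from inside the container (see the `modprobe` failures in #7).

```shell
#!/bin/sh
# Strip an alias suffix: -i/-o match the base device, so venet0:0 -> venet0.
base_iface() {
    printf '%s\n' "${1%%:*}"
}

# Succeed if extension name $2 appears as a whole line in list file $1.
has_ext() {
    [ -r "$1" ] && grep -qxF -- "$2" "$1"
}

# Print the POSTROUTING rule that fits the listed targets.
# $1 = outbound interface (alias allowed), $2 = public IP,
# $3 = targets list (defaults to the kernel's own list)
nat_rule() {
    out_if=$(base_iface "$1")
    targets=${3:-/proc/net/ip_tables_targets}
    if has_ext "$targets" MASQUERADE; then
        echo "iptables -t nat -A POSTROUTING -o $out_if -j MASQUERADE"
    elif has_ext "$targets" SNAT; then
        echo "iptables -t nat -A POSTROUTING -o $out_if -j SNAT --to-source $2"
    else
        echo "no usable NAT target listed in $targets" >&2
        return 1
    fi
}

# Print the FORWARD rule for reply traffic, using whichever
# connection-state match is listed.
# $1 = inbound interface, $2 = outbound interface, $3 = matches list
return_rule() {
    src_if=$(base_iface "$1")
    dst_if=$(base_iface "$2")
    matches=${3:-/proc/net/ip_tables_matches}
    if has_ext "$matches" state; then
        echo "iptables -A FORWARD -i $src_if -o $dst_if -m state --state RELATED,ESTABLISHED -j ACCEPT"
    elif has_ext "$matches" conntrack; then
        echo "iptables -A FORWARD -i $src_if -o $dst_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    else
        echo "neither state nor conntrack is listed in $matches" >&2
        return 1
    fi
}

# Usage inside the container, as root:
#   nat_rule venet0:0 <NAT IP> && return_rule venet0:0 tun0
```

If neither state match is listed, the extension has to be enabled for the container on the OpenVZ host; nothing run inside the container can add it.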
 
  

