External MASQ ICMP forwarding test fails
 

Hi, I am trying to get NAT working but I am having some trouble on this step

http://en.tldp.org/HOWTO/IP-Masquera...masq-icmp.html

I looked on google but the only answer I found was for people using ipchains, I am using iptables. I am using the 2.6 kernel, which may be a problem, and also when I try to start it up I get the following output:

[root@x1-6-00-09-5b-62-fe-80 sbin]# /etc/rc.d/rc.firewall-2.4


Loading simple rc.firewall version 0.75..

External Interface: eth0
Internal Interface: eth1
loading modules: - Verifying that all kernel modules are ok
----------------------------------------------------------------------
ip_tables, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, iptable_nat, ip_nat_ftp, ----------------------------------------------------------------------
Done loading modules.

Enabling forwarding..
Enabling DynamicAddr..
Clearing any existing rules and setting default policy..
FWD: Allow all connections OUT and only existing and related ones IN
Enabling SNAT (MASQUERADE) functionality on eth0
iptables: Invalid argument

Done.

[root@x1-6-00-09-5b-62-fe-80 sbin]#

I did do a 'whereis iptables' and it said /sbin/iptables so thats what I set in my rc.firewall-2.4 file. All of the other tests work, I am just having trouble getting past this one.
someone told me that it's probably because the kernel is not compiled correctly, any other ideas/suggestions so I can get it working? Thanks.

naw, the problem is about your PATH prolly
try echo $PATH before your try to run your firewall... /sbin is probably not in your PATH at this time (you are running it at boot time right?).
Or maybe you are not root?

...

or maybe you typed a very bad command, if the command seems to do not end on a line, iptables read the next line (beginning by "iptables" probably). Could you post that command?

Yes I am running it at boot time like the howto says, should I put 'echo $PATH' at the beginning of my file (I copied from this example: http://www.ecst.csuchico.edu/~dranch...c.firewall-2.4 )

I am root when I tried it. All I typed in was this: /etc/rc.d/rc.firewall-2.4

is that what you mean? Sorry, but this is all a little bit new to me. Thanks for the help though. I also did 'chmod 700 /etc/rc.d/rc.firewall-2.4' like the howto said. The NAT server can ping external ip's but not the internal clients.

Ok, well I tried the quick tutorial http://tldp.org/HOWTO/Masquerading-S...O/summary.html and when I enter [root@x1-6-00-09-5b-62-fe-80 thomas]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 67.167.203.xxx
iptables: Invalid argument
[root@x1-6-00-09-5b-62-fe-80 thomas]#

the same thing happens. (of course I blocked out my ip with xxx so people don't try to mess with me.) Anyone have any ideas? I am running iptables 1.2.9 and the 2.6 kernel. It could be because this is Mandrake Cooker. Thanks yet again. I think I might wait for Fedora Core 2 or just get core 1 and try, one of my friends got it working that way.

*EDIT
here we go, looks like I have to recompile iptables by myself, problem between the kernel and iptables, http://archives.mandrakelinux.com/fi...2/msg00103.php

This line has a syntax error. "--to" isn't an option, you probably want to use "--to-source".

Iptables error msg are sometime confusing.

humm... well here is my output with your suggestion:

[root@x1-6-00-09-5b-62-fe-80 thomas]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 67.167.203.189
bash: iptables: command not found
[root@x1-6-00-09-5b-62-fe-80 thomas]#

I am going to try fedora now.

the "iptsbles" not found command is a problem with your PATH as stated before.
echo your PATH and give the output please.
Or if you don't want to mess with it, you can type the complete path like /sbin/iptables or /usr/sbin/iptables (depending where it is on your system) instead of just "iptables"

Btw, if you want to stop using Linux at the first difficulty (trying another distro won't help you,no one will do everything for you like Windoze does) you're probably not ready for it.

[root@x1-6-00-09-5b-62-fe-80 thomas]# echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/home/thomas/bin
[root@x1-6-00-09-5b-62-fe-80 thomas]#


And don't worry, I am not going to give up. oh and /sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 67.167.203.189 worked, any idea on how I can get that script working (/etc/rc.d/rc.firewall-2.4)

the output from /etc/rc.d/rc.firewall-2.4 is now:

[root@x1-6-00-09-5b-62-fe-80 sbin]# /etc/rc.d/rc.firewall-2.4

Loading simple rc.firewall version 0.75..

External Interface: eth0
Internal Interface: eth1
loading modules: - Verifying that all kernel modules are ok

rc.firewall-2.4 v0.75 done.

[root@x1-6-00-09-5b-62-fe-80 sbin]#

but still I cannot ping external addresses from internal hosts. Thanks yet again

as you see in your PATH, /sbin and /usr/sbin aren't there.
You could try to edit /etc/profile to add this to the path (to add, use a command like : PATH="$PATH:/usr/sbin:/sbin"

Or easier you could just use a variable in the rc.iptables script
open it and create a variable (as example : IPTABLES="/sbin/iptables")
then use it instead of "iptables" (examples : $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 67.167.203.189)

**EDITED, see below.
thanks for the quick response. I did make a small mistake but still I am having some problems, I am going to try what you said right now, I will let you know how it goes.

ok so her is my /etc/profile:
what would I change?

Oh also now this is what I get for rc.firewall-2.4:
It looks like it ought to be working, well thanks yet again.

*****EDIT: It's working, thanks alot, stupid me just had to enter the gateway address. Well I am still a bit of a newbie, hopefully anyone who is trying to get this working finds this thread helpful.