Old 10-15-2006, 09:26 PM   #1
crowhurst01
LQ Newbie
 
Registered: Oct 2006
Posts: 6

Rep: Reputation: 0
iptables - "unknown arg" --dport


I am getting the "unknown arg" result when I try this code:

iptables -t nat -A PREROUTING -p udp --dport 5060 -i eth0 -j DNAT --to-destination 172.16.13.197

I have researched and tried many variants and spellings, and tried the full name --destination-port; I have ensured the protocol is before the dport.

I upgraded to ver. 1.3.6 of iptables and still no luck.

I have even tried running known good code lines from other users and still get the error:

iptables v1.3.6: Unknown arg `--dport'

Optimally I would like to match an incoming packet to eth0 based on its being UDP and the port, then I want to port forward it to a destination inside the LAN.

Any help is greatly appreciated.
 
Old 10-15-2006, 09:52 PM   #2
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
The only thing I can think of is to check to see if port 5060 is in /etc/services...

Thinking about it, I don't think it should matter whether that port is listed in /etc/services, but I'm not sure.

EDIT: I think I'm wrong, but it won't hurt to check anyways...and check 'man iptables' to be sure you're using the proper argument. I'm checking as I type this...

Code:
udp
       These extensions are loaded if `--protocol udp' is specified. It provides the following options:
...
...
       --destination-port [!] port[:port]
              Destination port or port range specification.  The flag --dport is a convenient alias for this option.
What you have looks correct...I'm stumped...maybe we're both overlooking something?

Last edited by unixfool; 10-15-2006 at 10:09 PM.
 
Old 10-15-2006, 10:50 PM   #3
SlackDaemon
Member
 
Registered: Mar 2006
Distribution: RedHat, Slackware, Experimenting with FreeBSD
Posts: 222

Rep: Reputation: 30
The problem might be being caused by an unloaded module. Try explicitly loading the udp module with -m.

iptables -t nat -A PREROUTING -m udp -p udp --dport 5060 -i eth0 -j DNAT --to-destination 172.16.13.197

By the way, what distribution are you using and what kernel version?
 
Old 10-15-2006, 11:54 PM   #4
crowhurst01
LQ Newbie
 
Registered: Oct 2006
Posts: 6

Original Poster
Rep: Reputation: 0
I tried using -m with exactly the line you gave me above; it appears to have located a problem. Any ideas on how to fix this?

iptables v1.3.6: Couldn't load match `udp':/usr/local/lib/iptables/libipt_udp.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.



Thanks
 
Old 10-16-2006, 12:37 AM   #5
SlackDaemon
Member
 
Registered: Mar 2006
Distribution: RedHat, Slackware, Experimenting with FreeBSD
Posts: 222

Rep: Reputation: 30
You'll need to recompile iptables with libipt_udp support. If you performed the upgrade from source, try compiling with the make NO_SHARED_LIBS=1 option to statically link all the extension modules.
The libipt_udp.c file should be located in your iptables source directory's extensions sub-directory.
 
Old 10-16-2006, 12:54 AM   #6
crowhurst01
LQ Newbie
 
Registered: Oct 2006
Posts: 6

Original Poster
Rep: Reputation: 0
Yes, the lib file is in /usr/src/iptables-1.3.6/extensions

I remember now that after I did the initial compiling I had to copy the files to a different directory to make it work. (I think it was /sbin?) After the cp, when I did iptables -V the version number was higher. Of course 1.3.1 was not functioning either.

Originally I had 1.3.1 and upgraded thinking that was the problem.

I am relatively unskilled at this, so if you can give me a step by step to recompile, that would be most helpful. I initially just followed some rules I found online to do an installation (they were not specifically for an upgrade, but more for an initial installation).


Here is the result when I try the make command you gave me:

Password:
ALL_SLIB:
ALL_MATCH:
ALL_TARGET:


---------

I am running Ubuntu 5.10; I don't know how to check the kernel version.


Thanks
 
Old 10-16-2006, 01:04 AM   #7
crowhurst01
LQ Newbie
 
Registered: Oct 2006
Posts: 6

Original Poster
Rep: Reputation: 0
Installation Instructions

These are the instructions I followed: http://www.cae.wisc.edu/site/public/...les-installing

The last part is where I did the copying:

1. Get the iptables tarball containing all the needed files.

* To get the latest version of iptables go to netfilter.org

* Downloads are available at http://www.netfilter.org/downloads.html

* The file should be named iptables-1.*.*.tar.bz2 where the asterisks represent the numbers of the latest version

* Save this file to a temporary directory, we will use /tmp in this example.
2. Open a terminal window.
3. Change your directory to where you saved iptables by typing:

# cd /tmp
4. Uncompress the archive to the /usr/src directory by typing:

# tar -xvjf ./iptables-1.*.*.tar.bz2 -C /usr/src

where the asterisks represent the version number of the file you downloaded.
5. Change to the directory it created (typically iptables-1.*.*), by typing:

# cd /usr/src/iptables-1.*.*
6. Using the kernel directories above, type:

# /bin/sh -c make
7. To finish the install, type:

# /bin/sh -c make install

Iptables should now be installed. You can test the installation as described in the beginning of this section to see if it is working.

If the above install steps seemed to execute without any error, but typing:

# iptables -V

brings up an error, it is possible that the program did not install itself to the sbin directory. To fix this, type the following command from the iptables-1.*.* directory:

ComputerName:~# cp ./iptables /sbin
 
Old 10-16-2006, 01:10 AM   #8
crowhurst01
LQ Newbie
 
Registered: Oct 2006
Posts: 6

Original Poster
Rep: Reputation: 0
I just re-followed the instructions above, with the make being make as you suggested, and it seemed to work.

Thanks!

I did not have to redo the cp as I did previously.

You are really good at this!
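
The failure diagnosed in this thread (options like --dport are rejected when the libipt_udp.so extension cannot be loaded) can be checked before a rule is applied. The script below is an added example, not part of any post and not iptables' own code; the function names and the IPT_LIB_DIR variable are made up for illustration, and it assumes the iptables 1.3.x libipt_<name>.so naming seen in the error message above.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes iptables 1.3.x naming,
# where each match/target extension is a libipt_<name>.so file.

# required_exts RULE-ARGS...: print the extension libraries a rule needs.
required_exts() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--protocol)
                [ $# -ge 2 ] || break
                # Options such as --dport belong to the protocol's match
                # extension, which is loaded by protocol name.
                case "$2" in
                    tcp|udp|icmp) echo "libipt_$2.so" ;;
                esac
                shift ;;
            -m|--match)
                [ $# -ge 2 ] || break
                echo "libipt_$2.so"
                shift ;;
            -j|--jump)
                [ $# -ge 2 ] || break
                case "$2" in
                    ACCEPT|DROP|QUEUE|RETURN) ;;  # standard verdicts
                    *) echo "libipt_$2.so" ;;     # assumes not a user chain
                esac
                shift ;;
        esac
        shift
    done | sort -u
}

# missing_exts DIR RULE-ARGS...: print required libraries absent from DIR.
missing_exts() {
    dir=$1
    shift
    required_exts "$@" | while read -r lib; do
        [ -f "$dir/$lib" ] || echo "$lib"
    done
}

# Rule from the first post, checked against the directory named in the
# "Couldn't load match" error (override with IPT_LIB_DIR, a name made up here).
missing_exts "${IPT_LIB_DIR:-/usr/local/lib/iptables}" \
    -t nat -A PREROUTING -p udp --dport 5060 -i eth0 \
    -j DNAT --to-destination 172.16.13.197
```

An empty result means every library the rule needs is present in the directory.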
 
  

