LinuxQuestions.org
Old 06-14-2008, 05:06 PM   #1
Eightpock
LQ Newbie
 
Registered: Jun 2008
Location: Peoria Illinois
Distribution: Gentoo
Posts: 9

IPTables trouble with DNAT target (bad argument error)


Hello All.


I searched the forum but didn't find anything on this topic. I am running Gentoo with iptables installed as my firewall. If I flush the rules I can set up the firewall, forwarding etc., but when I come back a day or so later and try to port forward I get this error:

Bad argument `DNAT'

iptables -t nat -A PREROUTING -p udp --dport 8767 -i ${WAN} -j DNAT --to 192.168.0.7.


For example, I go

firewall ~ # iptables -t nat -A PREROUTING -p udp --dport 8767 -i ${WAN} -j DNAT --to 192.168.0.7
Bad argument `DNAT'
Try `iptables -h' or 'iptables --help' for more information.
firewall ~ #


If I flush the rules and tables it will allow me to add some rules for forwarding, but if I let it be a day or so and come back I will get this DNAT error again.

Anyone have any ideas? It is annoying having to redo the firewall every time I want to port forward.


Thanks In advance!!!!

Pock
 
Old 06-14-2008, 06:42 PM   #2
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,396
Blog Entries: 2

It would seem that your netfilter rules are being altered somehow. I can think of two possible causes: you have a cron job that is periodically flushing or otherwise altering the rules, or you have been hacked and the hacker is removing obstacles that interfere with his activities.
Maybe you can take a snapshot of your rule set, and have a cron job that runs every 10 minutes or so, comparing the rules at that instant with the saved rule set. Have it send you e-mail or somehow raise an alarm when it detects a change. At least that can help you narrow it down a bit.
--- rod.
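One way to implement rod's snapshot-and-compare cron check, written here as an added example (not code from any poster in the thread); it assumes iptables-save is available, a snapshot path under /var/lib/fw, and that mail can deliver to root:

```sh
#!/bin/sh
# Constructed example: detect drift between a saved iptables rule set and the
# rules currently loaded. Snapshot path and mail delivery are assumptions.
SNAPSHOT="${SNAPSHOT:-/var/lib/fw/rules.baseline}"

# Normalise an iptables-save dump so only the rules themselves are compared:
# drop the "# Generated by ... on <date>" comment lines, which change on every
# run, and strip packet/byte counters ([n:m]) in both rule and policy lines.
normalize_rules() {
    grep -v '^#' \
      | sed -e 's/^\[[0-9]*:[0-9]*\] *//' -e 's/ \[[0-9]*:[0-9]*\]$//' \
      | sort
}

# Compare two rule dumps passed as strings; print a unified diff of any change.
# Returns 0 when the normalised rule sets are identical, 1 when they differ.
compare_rules() {
    b=$(mktemp); c=$(mktemp)
    printf '%s\n' "$1" | normalize_rules >"$b"
    printf '%s\n' "$2" | normalize_rules >"$c"
    if diff -u "$b" "$c"; then rc=0; else rc=1; fi
    rm -f "$b" "$c"
    return $rc
}

# Compare the live rules against the snapshot and raise an alarm on drift.
# Meant for a cron entry such as: */10 * * * * /usr/local/sbin/fwcheck --check
check_live() {
    [ -r "$SNAPSHOT" ] || { echo "no snapshot at $SNAPSHOT; run --snapshot first" >&2; return 2; }
    if ! compare_rules "$(cat "$SNAPSHOT")" "$(iptables-save)"; then
        echo "iptables rules changed on $(hostname) at $(date)" \
          | mail -s "iptables drift on $(hostname)" root
        return 1
    fi
}

case "${1:-}" in
    --snapshot) iptables-save >"$SNAPSHOT" ;;   # record the known-good rule set
    --check)    check_live ;;
esac
```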
 
Old 06-14-2008, 06:54 PM   #3
Eightpock
LQ Newbie
 
Registered: Jun 2008
Location: Peoria Illinois
Distribution: Gentoo
Posts: 9

Original Poster
Rod,


Thanks for the reply. I have not noticed any weird connections, and I keep things pretty much locked down... I had built a VM of Gentoo with iptables that wasn't connected to the internet and it does the same thing. Once I have set up iptables, port forwarded a few things, started and saved the iptables config, if I come back a day later my original changes are still intact, I just can't make any new ones unless I flush everything?

Again thanks for the reply!


Pock
 
Old 06-14-2008, 06:57 PM   #4
OdinnBurkni
Member
 
Registered: Feb 2007
Location: Iceland
Distribution: Fedora 14, CentOS, FreeNAS
Posts: 126

IPtables

Hi there.
Good point from Rod.
I use a script for my iptables, you can read more about it in this thread:
http://www.linuxquestions.org/questi...arding-642107/

I hope this helps.

Regards,
Odinn Burkni
 
Old 06-15-2008, 12:38 PM   #5
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Wheezy/Jessie/Sid, Linux Mint DE
Posts: 4,466

Is it allowed to use "--to" instead of "--to-destination"? (Or is that a property of long options generic to all programs?)

Do you run the IPTables command from a script or command line? If from a script, run it as 'sh -x <scriptname>' to see your actual IPtables command and check if it is valid.

What value does the variable ${WAN} have? Did you check it? From the error message I get the idea DNAT is considered wrong and not what you try to DNAT.

If you are issuing these commands from the command line, why do you use {WAN} anyway?

jlinkels
 
Old 06-15-2008, 02:40 PM   #6
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,396
Blog Entries: 2

I made pretty much the same conclusion as jlinkels. I inferred that DNAT was no longer a valid target, and therefore, the rules had been altered. That flushing and refreshing the rules seems to fix the problem supports my hypothesis. However, jlinkels also raises a valid question about the value of $WAN. If it evaluates to "", then it just might produce a command line for iptables that confuses it enough to report errors in a misleading way. Since the value of WAN is set in the script you cited, it is not a given that it will be set in the shell you use to modify the rules. It might even be set, but have a different, nonsensical value.
To jlinkels: Most firewall/router scripts tend to use variables for things which are named frequently in the script. It just makes maintenance, and readability in my opinion, easier. For a home DSL firewall, the variable names WAN & LAN are common.

--- rod.
 
Old 06-16-2008, 05:21 AM   #7
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Wheezy/Jessie/Sid, Linux Mint DE
Posts: 4,466

Quote:
Originally Posted by theNbomr View Post
To jlinkels: Most firewall/router scripts tend to use variables for things which are named frequently in the script. It just makes maintenance, and readability in my opinion, easier. For a home DSL firewall, the variable names WAN & LAN are common.
I know that, I do that myself as well. It was not clear to me if the OP uses a script for setting his iptables or that he issues this from the command line. If he uses a script, he should run the script in debug mode to see what the exact parameters to iptables are. (and 9 times out of 10 the error becomes apparent) Also, if he uses a script, $WAN might be set inside the script (as I do myself) or outside in the shell.

But I doubt he is using a script, because he says that he reloads the config. Besides, usually you start an IPTables script with flushing all rules. And that he does not do because flushing seems to be a workaround.

However, when no script is used, I have my doubts about the value of $WAN.

jlinkels
 
Old 06-16-2008, 06:37 AM   #8
Eightpock
LQ Newbie
 
Registered: Jun 2008
Location: Peoria Illinois
Distribution: Gentoo
Posts: 9

Original Poster
Thanks for the replies everyone. I installed / make adjustments via the command line. I followed the Gentoo Home Router guide, and then made some other security adjustments after that. It uses that WAN instance. I've been using Gentoo for years, but I'm fairly new to the whole router business... Should forwarding be done with a different series of commands?


I appreciate the time and replies.


Thanks

Pock
 
Old 06-16-2008, 09:31 AM   #9
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Wheezy/Jessie/Sid, Linux Mint DE
Posts: 4,466

Ok, first check this:
Code:
echo $WAN
Most likely it returns an empty string, which is incorrect. If you substitute the correct interface name instead of $WAN it will most likely be accepted.

My preferred way is to build a bash script with all iptables commands, starting with flushing all rules. Once you have this script file, it is easier to read and maintain than using separate commands and querying iptables for the current status. That becomes really confusing, and it happens very fast.

In the script you are able to define all applicable variables like your interfaces, ip addresses etc.

This is a good tutorial with a number of good examples at the end. http://iptables-tutorial.frozentux.n...-tutorial.html There are many more examples though, find one which suits you.

jlinkels
 
Old 06-16-2008, 10:36 AM   #10
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,396
Blog Entries: 2

Quote:
Originally Posted by jlinkels View Post
My preferred way is to build a bash script with all IPtables commands. Starting with flushing all rules. Once you have this script file, it is easier to read and maintain than using separate commands and query iptables for the current status. That becomes really confusing and happens really very fast.
jlinkels
I second that. Most tools that create firewalls with a GUI interface produce just such a script. Similarly, there are canned packages of iptables-scripted firewalls. It is not uncommon to set these up as system services, and whenever a modification is made, the whole firewall/router system is re-started, rather than having small changes made on-the-fly.

That being said, I don't think your one added rule will completely perform the forwarding functionality. That rule will transform the packet in a way that would reach its correct destination, but would not actually get it sent. To do that, you need to add the appropriate rule to the FORWARD chain:
Code:
iptables -A FORWARD -p udp -i ${WAN} -d 192.168.0.7 --dport 8767 -j ACCEPT
(untested, as you may imagine).

--- rod.
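A scripted version of the port forward discussed in this thread, added here as an example and not code from any poster; it assumes eth0 as the WAN interface, uses the 192.168.0.7:8767/udp target from the thread, guards against the empty ${WAN} that jlinkels suspects, and includes a dry-run mode so the generated iptables commands can be inspected without root:

```sh
#!/bin/sh
# Constructed example: build the NAT and FORWARD rules from a script so the
# result never depends on what was left in the tables. eth0 is an assumption.
WAN="${WAN:-eth0}"
DRY_RUN="${DRY_RUN:-0}"
IPT_LOG=""        # in dry-run mode the command lines are collected here

# Run iptables, or record the exact command line when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        IPT_LOG="${IPT_LOG}iptables $*
"
    else
        iptables "$@"
    fi
}

# Refuse to build rules from an unset variable: with an empty ${WAN} the
# "-i" option has no interface argument, so iptables misparses the rest of
# the line, which is the likely origin of "Bad argument `DNAT'".
require_var() {
    eval "val=\${$1:-}"
    if [ -z "$val" ]; then
        echo "variable $1 is empty; refusing to build rules" >&2
        return 1
    fi
}

# Forward one UDP port from the WAN interface to an internal host: the
# PREROUTING DNAT rewrites the destination (spelled --to-destination rather
# than --to), and the FORWARD rule lets the rewritten packet through.
forward_udp() {
    port=$1; dest=$2
    require_var WAN || return 1
    ipt -t nat -A PREROUTING -i "$WAN" -p udp --dport "$port" \
        -j DNAT --to-destination "$dest:$port"
    ipt -A FORWARD -i "$WAN" -p udp -d "$dest" --dport "$port" -j ACCEPT
}

# Flush first, then rebuild: replies to forwarded traffic are allowed back
# through FORWARD by connection state rather than by an open port.
build_firewall() {
    ipt -t nat -F
    ipt -F FORWARD
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    forward_udp 8767 192.168.0.7
}

if [ "${1:-}" = "--apply" ]; then build_firewall; fi
```

Run it as `DRY_RUN=1 sh fw.sh` and print `$IPT_LOG` from a trailing line to review the command lines, or `sh -x fw.sh --apply` as root to see each iptables call as it is executed.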