
czezz 04-29-2014 07:16 AM

netstat-nat doesn't work?
 
I have installed netstat-nat in Ubuntu 12.04.3 LTS.
Code:

sudo apt-get install netstat-nat
However, it does not really work for me.
Code:

# netstat-nat
Could not read info about connections from the kernel, make sure netfilter is enabled in kernel or by modules.

netfilter/iptables is enabled in my system.
All modules required for NAT are loaded. It is a NAT box.
So, why doesn't netstat-nat work for me?

eklavya 04-29-2014 07:29 AM

Did you run?
Quote:

modprobe iptable
modprobe iptable_nat

czezz 04-29-2014 07:59 AM

I think I have written quite clearly that it is a NAT box (that means it already acts as a NAT box).
Quote:

All modules required for NAT are loaded. It is a NAT box.
Secondly, I think you are asking for the ip_tables and nf_nat_ipv4/iptable_nat modules instead of iptables and iptables_nat?

eklavya 04-29-2014 09:36 AM

Check status of your ufw
Quote:

service ufw status
It may be Inactive.
Enable it using
Quote:

service ufw enable
Now run the netstat-nat command again.
You will not get the error; instead it will give
Quote:

Proto NATed Address Destination Address State

czezz 04-29-2014 10:19 AM

Hi, thanks for reply.
It seems that the service is already running:
Code:

# service ufw status
ufw start/running


eklavya 04-30-2014 01:18 AM

Check the module in the directory
/lib/modules
Here you will find a directory of your kernel version, if you find more than one directory and you do not know where to go, run command
Quote:

uname -r
Output will be your directory name, now open it. Now go to kernel/net/ipv4/netfilter
if you are using ipv6, open kernel/net/ipv6/netfilter
Here you can see the list of modules. Find the netfilter module name.ko file and enable it for kernel.
Quote:

# modprobe modulename
Run the command.

czezz 04-30-2014 03:19 AM

I don't think there exists any module dedicated specifically to netstat-nat.
As I have already written, NAT itself works.

Nevertheless, this is the list of modules in my /lib/modules/3.8.0-33-generic/kernel/net/ipv4/netfilter
Code:

# ls -al
total 320
drwxr-xr-x 2 root root  4096 Nov 18 10:56 .
drwxr-xr-x 3 root root  4096 Nov 18 10:56 ..
-rw-r--r-- 1 root root  6568 Oct 24  2013 arptable_filter.ko
-rw-r--r-- 1 root root 34848 Oct 24  2013 arp_tables.ko
-rw-r--r-- 1 root root  5608 Oct 24  2013 arpt_mangle.ko
-rw-r--r-- 1 root root  7248 Oct 24  2013 iptable_filter.ko
-rw-r--r-- 1 root root  7144 Oct 24  2013 iptable_mangle.ko
-rw-r--r-- 1 root root  9816 Oct 24  2013 iptable_nat.ko
-rw-r--r-- 1 root root  6408 Oct 24  2013 iptable_raw.ko
-rw-r--r-- 1 root root  6632 Oct 24  2013 iptable_security.ko
-rw-r--r-- 1 root root 39648 Oct 24  2013 ip_tables.ko
-rw-r--r-- 1 root root  5000 Oct 24  2013 ipt_ah.ko
-rw-r--r-- 1 root root 18792 Oct 24  2013 ipt_CLUSTERIP.ko
-rw-r--r-- 1 root root  6696 Oct 24  2013 ipt_ECN.ko
-rw-r--r-- 1 root root  7608 Oct 24  2013 ipt_MASQUERADE.ko
-rw-r--r-- 1 root root  8520 Oct 24  2013 ipt_REJECT.ko
-rw-r--r-- 1 root root  6552 Oct 24  2013 ipt_rpfilter.ko
-rw-r--r-- 1 root root 14776 Oct 24  2013 ipt_ULOG.ko
-rw-r--r-- 1 root root 23200 Oct 24  2013 nf_conntrack_ipv4.ko
-rw-r--r-- 1 root root  6088 Oct 24  2013 nf_defrag_ipv4.ko
-rw-r--r-- 1 root root 15616 Oct 24  2013 nf_nat_h323.ko
-rw-r--r-- 1 root root 11136 Oct 24  2013 nf_nat_ipv4.ko
-rw-r--r-- 1 root root  7640 Oct 24  2013 nf_nat_pptp.ko
-rw-r--r-- 1 root root  6536 Oct 24  2013 nf_nat_proto_gre.ko
-rw-r--r-- 1 root root 19104 Oct 24  2013 nf_nat_snmp_basic.ko


eklavya 04-30-2014 04:29 AM

We do not need the module for netstat-nat
The error is
Quote:

Could not read info about connections from the kernel, make sure netfilter is enabled in kernel or by modules.
netfilter should be enabled in kernel or by modules
We need to enable the netfilter module in kernel to remove the error.
Enable the modules which are related to netfilter. We have to enable the module nf_nat or similar one.
Use modprobe. modprobe is a command (program) to add and remove modules from the Linux Kernel.

czezz 04-30-2014 06:44 AM

Hi, I am not sure if you have a good understanding of my problem.
My NAT works correctly. This means all netfilter modules are loaded.

What then makes you think that some modules are missing?

eklavya 04-30-2014 07:53 AM

1 Attachment(s)
Attachment 15367

ragarwal74 05-29-2014 07:37 PM

Still having trouble... any clues?

Code:

root@x301:/lib/modules/3.13.0-27-generic/kernel/net/ipv4/netfilter# ufw status
WARN: Duplicate profile 'Apache', using last found
WARN: Duplicate profile 'Apache Secure', using last found
WARN: Duplicate profile 'Apache Full', using last found
Status: inactive
root@x301:/lib/modules/3.13.0-27-generic/kernel/net/ipv4/netfilter# ufw enable
WARN: Duplicate profile 'Apache', using last found
WARN: Duplicate profile 'Apache Secure', using last found
WARN: Duplicate profile 'Apache Full', using last found
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
root@x301:/lib/modules/3.13.0-27-generic/kernel/net/ipv4/netfilter# ufw status
WARN: Duplicate profile 'Apache', using last found
WARN: Duplicate profile 'Apache Secure', using last found
WARN: Duplicate profile 'Apache Full', using last found
Status: active
root@x301:/lib/modules/3.13.0-27-generic/kernel/net/ipv4/netfilter# netstat-nat
Could not read info about connections from the kernel, make sure netfilter is enabled in kernel or by modules.
root@x301:/lib/modules/3.13.0-27-generic/kernel/net/ipv4/netfilter#



Many thanks.

eklavya 05-30-2014 04:41 AM

1 Attachment(s)
Run command
Quote:

modprobe nf_nat
Attachment 15633

ragarwal74 05-30-2014 04:21 PM

no joy !!!!
I really do appreciate you looking into this.

Code:

root@x301:~# netstat-nat
Could not read info about connections from the kernel, make sure netfilter is enabled in kernel or by modules.
root@x301:~# modprobe nf_nat
root@x301:~# netstat-nat
Could not read info about connections from the kernel, make sure netfilter is enabled in kernel or by modules.
root@x301:~# lsmod
root@x301:~# lsmod
Module                  Size  Used by
pci_stub              12622  1
vboxpci                23194  0
vboxnetadp            25670  0
vboxnetflt            27613  1
vboxdrv              339502  5 vboxnetadp,vboxnetflt,vboxpci
cuse                  13445  3
ipt_MASQUERADE        12880  1
xt_REDIRECT            12757  1
xt_nat                12681  5
xt_tcpudp              12884  6
iptable_nat            13011  1
nf_conntrack_ipv4      15012  1
nf_defrag_ipv4        12758  1 nf_conntrack_ipv4
nf_nat_ipv4            13263  1 iptable_nat
nf_nat                21798  5 ipt_MASQUERADE,nf_nat_ipv4,xt_nat,xt_REDIRECT,iptable_nat
nf_conntrack          96976  5 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,iptable_nat,nf_conntrack_ipv4
ip_tables              27239  1 iptable_nat
x_tables              34059  5 ip_tables,xt_tcpudp,ipt_MASQUERADE,xt_nat,xt_REDIRECT
bnep                  19624  2
rfcomm                69160  0
bluetooth            395423  10 bnep,rfcomm
snd_hda_codec_realtek    61438  1
snd_hda_intel          52355  3
snd_hda_codec        192906  2 snd_hda_codec_realtek,snd_hda_intel
snd_hwdep              13602  1 snd_hda_codec
snd_pcm              102099  2 snd_hda_codec,snd_hda_intel
snd_page_alloc        18710  2 snd_pcm,snd_hda_intel
snd_seq_midi          13324  0
snd_seq_midi_event    14899  1 snd_seq_midi
snd_rawmidi            30144  1 snd_seq_midi
snd_seq                61560  2 snd_seq_midi_event,snd_seq_midi
kvm_amd                59987  0
radeon              1514165  2
kvm                  451511  1 kvm_amd
snd_seq_device        14497  3 snd_seq,snd_rawmidi,snd_seq_midi
snd_timer              29482  2 snd_pcm,snd_seq
serio_raw              13462  0
snd                    69238  16 snd_hda_codec_realtek,snd_hwdep,snd_timer,snd_pcm,snd_seq,snd_rawmidi,snd_hda_codec,snd_hda_intel,snd_seq_device,snd_seq_midi
edac_core              62291  0
ttm                    85115  1 radeon
drm_kms_helper        52758  1 radeon
edac_mce_amd          22617  0
k10temp                13126  0
soundcore              12680  1 snd
drm                  302817  4 ttm,drm_kms_helper,radeon
sp5100_tco            13979  0
i2c_piix4              22155  0
parport_pc            32701  0
i2c_algo_bit          13413  1 radeon
ppdev                  17671  0
shpchp                37032  0
lp                    17759  0
parport                42348  3 lp,ppdev,parport_pc
mac_hid                13205  0
wmi                    19177  0
pata_acpi              13038  0
via_velocity          42511  0
ahci                  25819  7
crc_ccitt              12707  1 via_velocity
pata_atiixp            13271  0
atl1c                  46086  0
libahci                32168  1 ahci
floppy                69418  0
root@x301:~#


CyberMage 01-14-2015 11:39 AM

Did anyone come up with a solution here? I have the same scenario with a brand-new build of Ubuntu 14.04.

Code:

root@sprf1:/etc/init.d# lsmod | grep nat
xt_nat                12681  6
iptable_nat            13011  1
nf_nat_ipv4            13263  1 iptable_nat
ip_tables              27239  4 iptable_filter,iptable_mangle,iptable_nat,iptable_raw
x_tables              34059  15 xt_dscp,xt_mark,xt_length,xt_recent,ip_tables,xt_tcpudp,ipt_MASQUERADE,xt_conntrack,xt_mac,xt_nat,iptable_filter,ipt_REJECT,xt_REDIRECT,iptable_mangle,iptable_raw
nf_nat_ftp            12770  0
nf_nat                21841  6 nf_nat_ftp,ipt_MASQUERADE,nf_nat_ipv4,xt_nat,xt_REDIRECT,iptable_nat
nf_conntrack_ftp      18638  1 nf_nat_ftp
nf_conntrack          96976  8 nf_nat_ftp,ipt_MASQUERADE,nf_nat,nf_nat_ipv4,xt_conntrack,nf_conntrack_ftp,iptable_nat,nf_conntrack_ipv4
root@sprf1:/etc/init.d#

So you can see that nf_nat, iptables_nat are both loaded.

Code:

root@sprf1:/etc/init.d# netstat-nat
Could not read info about connections from the kernel, make sure netfilter is enabled in kernel or by modules.

Yet it doesn't work...

iptables -t nat -L produces expected output, and nat traffic is flowing. I've tried this with both a MASQ rule and a SNAT rule to no avail.

zhaiyan920 09-11-2015 01:34 AM

I ran into a similar problem on Ubuntu 14.04. After digging a bit, I figured it's because /proc/net/ip_conntrack is removed (or, say, deprecated).

simply execute:

strace -f netstat-nat

there are two entries like:
open("/proc/net/nf_conntrack", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/proc/net/ip_conntrack", O_RDONLY) = -1 ENOENT (No such file or directory)

then comes the failure messages:
write(1, "Could not read info about connec"..., 111Could not read info about connections from the kernel, make sure netfilter is enabled in kernel or by modules.
) = 111

So it is obvious that the netstat-nat in the apt repository is still using the old proc file, which causes the problem on my server.

Using conntrack instead solves the problem. Hope it helps people who still are confused.
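
The diagnosis in the last post, as an added example that is not part of the original thread: a shell sketch that checks for the two proc files netstat-nat tries to open and, independently of them, filters conntrack-style lines down to the NATed flows. The function names, the optional root-prefix argument and the SAMPLE lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. SAMPLE is constructed data in `conntrack -L` / nf_conntrack format.
SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51234 dport=80 src=198.51.100.7 dst=203.0.113.5 sport=80 dport=51234 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.11 dst=192.168.1.1 sport=40000 dport=53 src=192.168.1.1 dst=192.168.1.11 sport=53 dport=40000 mark=0 use=1
ipv4     2 tcp      6 100 SYN_RECV src=198.51.100.9 dst=203.0.113.5 sport=40111 dport=8080 src=192.168.1.20 dst=198.51.100.9 sport=80 dport=40111 mark=0 use=1'

# Print the first readable per-connection proc file under an optional root
# prefix (the prefix is a hypothetical hook so the check can be tested offline).
conntrack_source() {
    for f in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
        if [ -r "${1:-}$f" ]; then echo "${1:-}$f"; return 0; fi
    done
    echo none; return 1
}

# Read conntrack lines on stdin and print only TCP/UDP flows whose reply tuple
# is not the mirror image of the original tuple, i.e. flows rewritten by NAT.
nat_flows() {
    LC_ALL=C awk '{
        proto = ($1 == "tcp" || $1 == "udp") ? $1 : $3
        if (proto != "tcp" && proto != "udp") next
        n = 0; state = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(src|dst|sport|dport)=/) {
                split($i, kv, "="); n++
                if (n <= 4) o[kv[1]] = kv[2]; else r[kv[1]] = kv[2]
            } else if (state == "-" && $i ~ /^[A-Z_]+$/) state = $i
        }
        if (n != 8) next
        kind = ""
        if (r["dst"] != o["src"] || r["dport"] != o["sport"]) kind = "SNAT"
        if (r["src"] != o["dst"] || r["sport"] != o["dport"])
            kind = (kind == "" ? "DNAT" : kind "+DNAT")
        if (kind != "")
            printf "%s %s %s:%s->%s:%s %s:%s->%s:%s %s\n", kind, proto,
                o["src"], o["sport"], o["dst"], o["dport"],
                r["src"], r["sport"], r["dst"], r["dport"], state
    }'
}

# Demo on the constructed sample; on a live NAT box, as root:
#   conntrack -L 2>/dev/null | nat_flows
printf '%s\n' "$SAMPLE" | nat_flows
```

Each output line gives the NAT type, protocol, original tuple, reply tuple and state. The conntrack tool also has its own `--src-nat` and `--dst-nat` filters for `-L`.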

