RH 8.0 gateway and iptables

Hello all,

If a machine was configured to do packet filtering through iptables and
then the kernel was recompiled in such a way the iptables support might
have been broken would this affect simple ip masquerading?

First I would like to know wheter my attempt at ip maquerading itself as
described below is adequate.
I am faced with a RH 8.0 based install with a recompiled kernel (to
accomodate a PCI based ADSL card) and it is not clear what other system
tools and libraries were upgraded at this point.
This is to serve as a gateway (named Gateway :-)
Also this machine should not be rebooted.

-----------------------------
[root@Gateway root]# uname -r
2.4.21-pre5
[root@Gateway root]# iptables --version
iptables v1.2.7a
[root@Gateway root]# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/3.2/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--disable-checking --host=i386-redhat-linux --with-system-zlib
--enable-__cxa_atexit
Thread model: posix
gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)
[root@Gateway root]# ld -v
GNU ld version 2.13.90.0.2 20020802
[root@Gateway root]#
[root@Gateway root]# cat /proc/sys/net/ipv4/ip_forward
1
root@Gateway root]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:40:63:C0:B8:2A
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2935 errors:0 dropped:0 overruns:0 frame:0
TX packets:460 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:317105 (309.6 Kb) TX bytes:56110 (54.7 Kb)
Interrupt:11 Base address:0xe800
[root@Gateway root]#
[root@Gateway root]# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
Iface
212.104.130.141 0.0.0.0 255.255.255.255 UH 0 0 0
ppp0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0
eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 212.104.130.141 0.0.0.0 UG 0 0 0
ppp0
-----------------------------

Now there is a Debian install on a machine inside (Client) which
desperately wants to connect to the internet.
-----------------------------
[root@Client root]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:10:A4:FE:7D:1E
inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:463 errors:0 dropped:0 overruns:0 frame:0
TX packets:2950 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:58424 (57.0 KiB) TX bytes:316731 (309.3 KiB)
Interrupt:10 Base address:0x4800
[root@Client root]#
[root@Client root]#netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 40 0 0
eth0
0.0.0.0 192.168.0.1 0.0.0.0 UG 40 0 0
eth0
-----------------------------

Unfortunately but interestingly the only public IP it can ping
successfully is Gateway's ppp0 interface's static IP ...regardless of
the setting at /proc/sys/net/ipv4/ip_forward
But any other ping to the outside world just hangs there ...but again
interestingly on the Gateway tcpdump outputs resolves the IP to the
correct domain name information (in this eg. it is the ISP's nameserver)
-----------------------------
[root@Gateway root]# tcpdump
tcpdump: listening on eth0
20:45:46.081030 arp who-has Gateway tell Client
20:45:46.081143 arp reply Gateway is-at 0:40:63:c0:b8:2a
20:45:46.081256 Client > resolver1.th.eclipse.net.uk: icmp: echo request
(DF)
20:45:47.072986 Client > resolver1.th.eclipse.net.uk: icmp: echo request
(DF)
20:45:48.073005 Client > resolver1.th.eclipse.net.uk: icmp: echo request
(DF)
.....

-----------------------------


Have I performed enough tests?
I am new to network trouble shooting.

TIA,

Ramanan

Some additional info below....

Ramanan wrote:
> Hello all,
>
> If a machine was configured to do packet filtering through iptables and
> then the kernel was recompiled in such a way the iptables support might
> have been broken would this affect simple ip masquerading?
>
> First I would like to know wheter my attempt at ip maquerading itself as
> described below is adequate.
> I am faced with a RH 8.0 based install with a recompiled kernel (to
> accomodate a PCI based ADSL card) and it is not clear what other system
> tools and libraries were upgraded at this point.
> This is to serve as a gateway (named Gateway :-)
> Also this machine should not be rebooted.
>
> -----------------------------
> [root@Gateway root]# uname -r
> 2.4.21-pre5
> [root@Gateway root]# iptables --version
> iptables v1.2.7a
> [root@Gateway root]# gcc -v
> Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/3.2/specs
> Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
> --infodir=/usr/share/info --enable-shared --enable-threads=posix
> --disable-checking --host=i386-redhat-linux --with-system-zlib
> --enable-__cxa_atexit
> Thread model: posix
> gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)
> [root@Gateway root]# ld -v
> GNU ld version 2.13.90.0.2 20020802
> [root@Gateway root]#
> [root@Gateway root]# cat /proc/sys/net/ipv4/ip_forward
> 1
> root@Gateway root]# ifconfig eth0
> eth0 Link encap:Ethernet HWaddr 00:40:63:C0:B8:2A
> inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:2935 errors:0 dropped:0 overruns:0 frame:0
> TX packets:460 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:100
> RX bytes:317105 (309.6 Kb) TX bytes:56110 (54.7 Kb)
> Interrupt:11 Base address:0xe800
> [root@Gateway root]#
> [root@Gateway root]# netstat -nr
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt
> Iface
> 212.104.130.141 0.0.0.0 255.255.255.255 UH 0 0 0
> ppp0
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0
> eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 212.104.130.141 0.0.0.0 UG 0 0 0
> ppp0
> -----------------------------
>
> Now there is a Debian install on a machine inside (Client) which
> desperately wants to connect to the internet.
> -----------------------------
> [root@Client root]# ifconfig eth0
> eth0 Link encap:Ethernet HWaddr 00:10:A4:FE:7D:1E
> inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:463 errors:0 dropped:0 overruns:0 frame:0
> TX packets:2950 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:100
> RX bytes:58424 (57.0 KiB) TX bytes:316731 (309.3 KiB)
> Interrupt:10 Base address:0x4800
> [root@Client root]#
> [root@Client root]#netstat -nr
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt
> Iface
> 192.168.0.0 0.0.0.0 255.255.255.0 U 40 0 0
> eth0
> 0.0.0.0 192.168.0.1 0.0.0.0 UG 40 0 0
> eth0
> -----------------------------
>
> Unfortunately but interestingly the only public IP it can ping
> successfully is Gateway's ppp0 interface's static IP ...regardless of
> the setting at /proc/sys/net/ipv4/ip_forward
> But any other ping to the outside world just hangs there ...but again
> interestingly on the Gateway tcpdump outputs resolves the IP to the
> correct domain name information (in this eg. it is the ISP's nameserver)
> -----------------------------
> [root@Gateway root]# tcpdump
> tcpdump: listening on eth0
> 20:45:46.081030 arp who-has Gateway tell Client
> 20:45:46.081143 arp reply Gateway is-at 0:40:63:c0:b8:2a
> 20:45:46.081256 Client > resolver1.th.eclipse.net.uk: icmp: echo request
> (DF)
> 20:45:47.072986 Client > resolver1.th.eclipse.net.uk: icmp: echo request
> (DF)
> 20:45:48.073005 Client > resolver1.th.eclipse.net.uk: icmp: echo request
> (DF)
> ....
>
> -----------------------------
>
>
> Have I performed enough tests?
> I am new to network trouble shooting.

[root@Gateway root]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables v1.2.7a: can't initialize iptables table `nat': iptables who?
(do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[root@Gateway root]#
[root@Gateway root]#
[root@Gateway root]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables v1.2.7a: can't initialize iptables table `nat': iptables who?
(do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[root@Gateway root]#
[root@Gateway root]#
[root@Gateway root]# iptables --list
iptables v1.2.7a: can't initialize iptables table `filter': iptables
who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[root@Gateway root]#
[root@Gateway root]#
[root@Gateway root]# /etc/init.d/iptables stop
Flushing all chains:iptables v1.2.7a: can't initialize iptables table
`filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[FAILED]
Removing user defined chains:iptables v1.2.7a: can't initialize iptables
table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[FAILED]
Resetting built-in chains to the default ACCEPT policy: [ OK ]
-----------------------------
This [ OK ] does not change anything though w.r.t Client connecting to
the internet.

Rgds,

Ramanan

Continuing with where I left off :-) I found out that one needs to set a
security option re:ip forwarding on a system configuration file too.
On RH > 8.0

/etc/sysctl.conf
....
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
....

Still no success.
Then checking the kernel (2.4.21-pre5) config I noticed that
Under TCP/IP there is no support for 'IP : Advanced router'!
The correcpondig help feature at menuconfig mentions that /proc fs and
Sysctl support should be enabled.

Before I go ahead recompiling the kernel on a slow machine ....
is there any other suggestions?
Could I simply fix the error due to iptablesmore easily?

TIA,

Ramanan

Ramanan wrote:
> Some additional info below....
>
> Ramanan wrote:
>
>> Hello all,
>>
>> If a machine was configured to do packet filtering through iptables
>> and then the kernel was recompiled in such a way the iptables support
>> might have been broken would this affect simple ip masquerading?
>>
>> First I would like to know wheter my attempt at ip maquerading itself
>> as described below is adequate.
>> I am faced with a RH 8.0 based install with a recompiled kernel (to
>> accomodate a PCI based ADSL card) and it is not clear what other
>> system tools and libraries were upgraded at this point.
>> This is to serve as a gateway (named Gateway :-)
>> Also this machine should not be rebooted.
>>
>> -----------------------------
>> [root@Gateway root]# uname -r
>> 2.4.21-pre5
>> [root@Gateway root]# iptables --version
>> iptables v1.2.7a
>> [root@Gateway root]# gcc -v
>> Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/3.2/specs
>> Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
>> --infodir=/usr/share/info --enable-shared --enable-threads=posix
>> --disable-checking --host=i386-redhat-linux --with-system-zlib
>> --enable-__cxa_atexit
>> Thread model: posix
>> gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)
>> [root@Gateway root]# ld -v
>> GNU ld version 2.13.90.0.2 20020802
>> [root@Gateway root]#
>> [root@Gateway root]# cat /proc/sys/net/ipv4/ip_forward
>> 1
>> root@Gateway root]# ifconfig eth0
>> eth0 Link encap:Ethernet HWaddr 00:40:63:C0:B8:2A
>> inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:2935 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:460 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:100
>> RX bytes:317105 (309.6 Kb) TX bytes:56110 (54.7 Kb)
>> Interrupt:11 Base address:0xe800
>> [root@Gateway root]#
>> [root@Gateway root]# netstat -nr
>> Kernel IP routing table
>> Destination Gateway Genmask Flags MSS Window
>> irtt Iface
>> 212.104.130.141 0.0.0.0 255.255.255.255 UH 0 0
>> 0 ppp0
>> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0
>> 0 eth0
>> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0
>> 0 lo
>> 0.0.0.0 212.104.130.141 0.0.0.0 UG 0 0
>> 0 ppp0
>> -----------------------------
>>
>> Now there is a Debian install on a machine inside (Client) which
>> desperately wants to connect to the internet.
>> -----------------------------
>> [root@Client root]# ifconfig eth0
>> eth0 Link encap:Ethernet HWaddr 00:10:A4:FE:7D:1E
>> inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:463 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:2950 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:100
>> RX bytes:58424 (57.0 KiB) TX bytes:316731 (309.3 KiB)
>> Interrupt:10 Base address:0x4800
>> [root@Client root]#
>> [root@Client root]#netstat -nr
>> Kernel IP routing table
>> Destination Gateway Genmask Flags MSS Window
>> irtt Iface
>> 192.168.0.0 0.0.0.0 255.255.255.0 U 40 0
>> 0 eth0
>> 0.0.0.0 192.168.0.1 0.0.0.0 UG 40 0
>> 0 eth0
>> -----------------------------
>>
>> Unfortunately but interestingly the only public IP it can ping
>> successfully is Gateway's ppp0 interface's static IP ...regardless of
>> the setting at /proc/sys/net/ipv4/ip_forward
>> But any other ping to the outside world just hangs there ...but again
>> interestingly on the Gateway tcpdump outputs resolves the IP to the
>> correct domain name information (in this eg. it is the ISP's nameserver)
>> -----------------------------
>> [root@Gateway root]# tcpdump
>> tcpdump: listening on eth0
>> 20:45:46.081030 arp who-has Gateway tell Client
>> 20:45:46.081143 arp reply Gateway is-at 0:40:63:c0:b8:2a
>> 20:45:46.081256 Client > resolver1.th.eclipse.net.uk: icmp: echo
>> request (DF)
>> 20:45:47.072986 Client > resolver1.th.eclipse.net.uk: icmp: echo
>> request (DF)
>> 20:45:48.073005 Client > resolver1.th.eclipse.net.uk: icmp: echo
>> request (DF)
>> ....
>>
>> -----------------------------
>>
>>
>> Have I performed enough tests?
>> I am new to network trouble shooting.
>
>
> [root@Gateway root]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables v1.2.7a: can't initialize iptables table `nat': iptables who?
> (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
> [root@Gateway root]#
> [root@Gateway root]#
> [root@Gateway root]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables v1.2.7a: can't initialize iptables table `nat': iptables who?
> (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
> [root@Gateway root]#
> [root@Gateway root]#
> [root@Gateway root]# iptables --list
> iptables v1.2.7a: can't initialize iptables table `filter': iptables
> who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
> [root@Gateway root]#
> [root@Gateway root]#
> [root@Gateway root]# /etc/init.d/iptables stop
> Flushing all chains:iptables v1.2.7a: can't initialize iptables table
> `filter': iptables who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
> [FAILED]
> Removing user defined chains:iptables v1.2.7a: can't initialize iptables
> table `filter': iptables who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
> [FAILED]
> Resetting built-in chains to the default ACCEPT policy: [ OK ]
> -----------------------------
> This [ OK ] does not change anything though w.r.t Client connecting to
> the internet.
>
> Rgds,
>
> Ramanan
>

[followup-to set]
In article <3F5A09AC.9070503@uklinux.net>, Ramanan wrote:
> Before I go ahead recompiling the kernel on a slow machine ....

(Why not compile it on a faster machine, then copy it over?)

> is there any other suggestions?

Please don't top-post.

> Could I simply fix the error due to iptablesmore easily?

You definitely do have a broken kernel.

>>> If a machine was configured to do packet filtering through iptables
>>> and then the kernel was recompiled in such a way the iptables support
>>> might have been broken would this affect simple ip masquerading?

If you don't have the ip_tables and iptable_nat drivers, you cannot do
NAT of any kind. Further if you lack the ipt_MASQUERADE driver, you
cannot do masquerading. Each table and each special target within a
table (other than ACCEPT or DROP) requires a driver.

>>> I am faced with a RH 8.0 based install with a recompiled kernel (to
>>> accomodate a PCI based ADSL card)

Do you know for a fact that the only way to run this card was to build a
more recent kernel? Did you try "modprobe $DRIVER"? What was the driver
you built in? Was it only available in a patch, or an important bugfix
only in a pre-* kernel?

If you must build a kernel, begin with your distro's kernel config as a
template. The kernel's built-in defaults leave out a lot of stuff that
distro kernel builders put in. Copy their config file to .config in the
top level of the kernel source tree you're using. Read the help items,
and if you're unsure, do not change any settings.

A common mistake of inexperienced people is to advise those with even
less experience to compile a custom kernel. In many cases a simple
modprobe command would have solved the problem. Yes, there are reasons
why one might choose to customise a kernel, but if you start with bad
default values and you do not know what you're doing, you're certain to
make a big mess of things.

>>> and it is not clear what other
>>> system tools and libraries were upgraded at this point.

You don't know what you have upgraded?

>>> root@Gateway root]# ifconfig eth0
>>> eth0 Link encap:Ethernet HWaddr 00:40:63:C0:B8:2A
>>> inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0

I don't use PPPoE, but it's my understanding that the Ethernet interface
would not need an IP. Maybe you're using one NIC as both internal and
external interface? I don't know if that can be done. (Surely someone
else here knows.)

>>> Unfortunately but interestingly the only public IP it can ping
>>> successfully is Gateway's ppp0 interface's static IP ...regardless of

Unfortunate perhaps, but not surprising. Without NAT there's no way for
anything to come back to a private IP.

>>> Have I performed enough tests?

Too many. :) The problem is here:

>> [root@Gateway root]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

That should be the external interface, ppp0 ...

>> iptables v1.2.7a: can't initialize iptables table `nat': iptables who?
>> (do you need to insmod?)

.... but of course, lacking kernel support, even correct iptables rules
will fail.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply

Ramanan wrote:
> Continuing with where I left off :-) I found out that one needs to set a
> security option re:ip forwarding on a system configuration file too.
> On RH > 8.0
>
> /etc/sysctl.conf
> ...
> # Controls IP packet forwarding
> net.ipv4.ip_forward = 1
> ...
>
> Still no success.

Did you run "sysctl -p" after making the change?

> Then checking the kernel (2.4.21-pre5) config I noticed that
> Under TCP/IP there is no support for 'IP : Advanced router'!
> The correcpondig help feature at menuconfig mentions that /proc fs and
> Sysctl support should be enabled.

Are you trying to build a router or just be able to use iptables?

> Before I go ahead recompiling the kernel on a slow machine ....
> is there any other suggestions?
> Could I simply fix the error due to iptablesmore easily?

Redhat 8.0 should already have iptables support in the kernel. I
don't use redhat but you should check to see that ipchains isn't
running and disable ipchains if it is running.

hint:
# ntsysv

Then kill ipchains if it is running.

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.0 Kernel 2.4.22 i686 (GCC) 3.3
Uptime: 7 days, 17:19, 1 user, load average: 0.12, 0.14, 0.19

David wrote:
> Ramanan wrote:
>
>> Continuing with where I left off :-) I found out that one needs to set
>> a security option re:ip forwarding on a system configuration file too.
>> On RH > 8.0
>>
>> /etc/sysctl.conf
>> ...
>> # Controls IP packet forwarding
>> net.ipv4.ip_forward = 1
>> ...
>>
>> Still no success.
>
>
> Did you run "sysctl -p" after making the change?

No. Thanks for the info.

Now I have done it this is what is out put

[root@Gateway linux]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
error: 'kernel.sysrq' is an unknown key
kernel.core_uses_pid = 1

>
>> Then checking the kernel (2.4.21-pre5) config I noticed that
>> Under TCP/IP there is no support for 'IP : Advanced router'!
>> The correcpondig help feature at menuconfig mentions that /proc fs and
>> Sysctl support should be enabled.
>
>
> Are you trying to build a router or just be able to use iptables?

I just want to connect Client to the internet via Gateway.
So probably there is no need for router.
If iptables can facilitate it it si enough for now.

BTW: I have another public IP address to use if the needs be. I would
prefer to avoid using it though.
>
>> Before I go ahead recompiling the kernel on a slow machine ....
>> is there any other suggestions?
>> Could I simply fix the error due to iptablesmore easily?
>
>
> Redhat 8.0 should already have iptables support in the kernel. I don't
> use redhat but you should check to see that ipchains isn't running and
> disable ipchains if it is running.
>
> hint:
> # ntsysv

This indicates only iptables in the list of service/daemons(s).
It was configured to be started at boot time. I changed this now.

No ipchains.

Only other related scripts started at boot time ate 'network', SSH, and
the script for the PCI ADSL card.
>
> Then kill ipchains if it is running.
It is not there ot be killed.

FYI the situation with iptables is as such,

[root@Gateway linux]# /etc/init.d/iptables stop
Flushing all chains:iptables v1.2.7a: can't initialize iptables table
`filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[FAILED]
Removing user defined chains:iptables v1.2.7a: can't initialize iptables
table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[FAILED]
Resetting built-in chains to the default ACCEPT policy: [ OK ]
[root@Gateway linux]# /etc/init.d/iptables start
[root@Gateway linux]# iptables --list
iptables v1.2.7a: can't initialize iptables table `filter': iptables
who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[root@Gateway linux]#make menuconfig
.....
doh! This machine has not got CONFIG_IP_NF_IPTABLES support compiled!

I just recompiled the kernel assumig the opposite ... it takes ages :-(

Have I spotted it ?

As they (CONFIG_IP_NF_CONNTRACK too is missing) are modular options
could I save some time here or should I start all over again?

Thanks In Advance,

Ramanan

Ramanan wrote:
>
> Now I have done it this is what is out put
>
> [root@Gateway linux]# sysctl -p
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 1
> error: 'kernel.sysrq' is an unknown key
> kernel.core_uses_pid = 1

Edit /etc/sysctl.conf and comment out the line that contains
"kernel.sysrq=" it will have a 0 or 1 after the "=".
Then run "sysctl -p" again.

> I just want to connect Client to the internet via Gateway.
> So probably there is no need for router.
> If iptables can facilitate it it si enough for now.

Ok you probably don't need advanced routing then.

> This indicates only iptables in the list of service/daemons(s).
> It was configured to be started at boot time. I changed this now.

Ok did you setup a firewall during the install? RedHat has a
firewall tool but I don't remember the name of it.

You might run "setup" and see if it lists it.

> doh! This machine has not got CONFIG_IP_NF_IPTABLES support compiled!

That could be, maybe redhat forgot an option in the kernel config.

> Have I spotted it ?

Is there a newer kernel available from redhat? If the kernel
doesn't have "netfilter" (iptables) support then it needs it.

> As they (CONFIG_IP_NF_CONNTRACK too is missing) are modular options
> could I save some time here or should I start all over again?

Yes you will want CONNTRACK support and several of the other options.

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.0 Kernel 2.4.22 i686 (GCC) 3.3
Uptime: 7 days, 18:19, 1 user, load average: 0.23, 0.29, 0.26

/dev/rob0 wrote:
[...]

> Please don't top-post.
Apologies. You might catch me err more and please indicate.

>
>
>>Could I simply fix the error due to iptablesmore easily?
>
>
> You definitely do have a broken kernel.

Broken and tainted too.
I could not find a PCI ADSL card with free drivers...

>
>
>>>>If a machine was configured to do packet filtering through iptables
>>>>and then the kernel was recompiled in such a way the iptables support
>>>>might have been broken would this affect simple ip masquerading?
>
>
> If you don't have the ip_tables and iptable_nat drivers, you cannot do
> NAT of any kind. Further if you lack the ipt_MASQUERADE driver, you
> cannot do masquerading. Each table and each special target within a
> table (other than ACCEPT or DROP) requires a driver.
(Thanks)

>
>
>>>>I am faced with a RH 8.0 based install with a recompiled kernel (to
>>>>accomodate a PCI based ADSL card)
>
>
> Do you know for a fact that the only way to run this card was to build a
> more recent kernel? Did you try "modprobe $DRIVER"? What was the driver
> you built in? Was it only available in a patch, or an important bugfix
> only in a pre-* kernel?

....the driver comes with some object code (?) that has been compiled
against certain version of GCC. Possibly the binutils versions are also
an issue. I learn now that newer binutils can handle such software.
The kernel version was determined by PPPoATM support.

In the UK it is mainly PPPoATM. Sorry I should have mentioned this earlier.

[...]
>
>
>>>>and it is not clear what other
>>>>system tools and libraries were upgraded at this point.
>
>
> You don't know what you have upgraded?

That is the root of the problem. It was recompiled by someone else who
is not available.

>
>>>>root@Gateway root]# ifconfig eth0
>>>>eth0 Link encap:Ethernet HWaddr 00:40:63:C0:B8:2A
>>>> inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
>
>
> I don't use PPPoE, but it's my understanding that the Ethernet interface

It is PPPoA for me .

> would not need an IP. Maybe you're using one NIC as both internal and
> external interface? I don't know if that can be done. (Surely someone
> else here knows.)

Yes through aliases one can achieve this effect but there is no such
need for me. (I have PCI card with PPPoA capable modem embedded in it.
The ppp0 interface has a static IP assigned to it.)
>
>
>>>>Unfortunately but interestingly the only public IP it can ping
>>>>successfully is Gateway's ppp0 interface's static IP ...regardless of
>
[...]

>
>>>>Have I performed enough tests?
>
>
> Too many. :) The problem is here:
>
>
>>>[root@Gateway root]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
>
> That should be the external interface, ppp0 ...

thanks.


>
>>>iptables v1.2.7a: can't initialize iptables table `nat': iptables who?
>>>(do you need to insmod?)
>
>
> ... but of course, lacking kernel support, even correct iptables rules
> will fail.

[root@Gateway linux]# more .config
....
# IP: Netfilter Configuration
#
# CONFIG_IP_NF_CONNTRACK is not set
# CONFIG_IP_NF_QUEUE is not set
# CONFIG_IP_NF_IPTABLES is not set
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
# CONFIG_IPV6 is not set
# CONFIG_KHTTPD is not set
CONFIG_ATM=y
# CONFIG_ATM_CLIP is not set
# CONFIG_ATM_LANE is not set
# CONFIG_ATM_BR2684 is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
....

Do I need only two more drivers here (lines one and three) right?


Cheers,

Ramanan