# Problems with Iptables howto

## odioworks_com

I'm trying to get NAT working on my server... and well it's not.

I've followed this HOWTO to no avail:

https://forums.gentoo.org/viewtopic-t-159133-postdays-0-postorder-asc-highlight-iptables+howto-start-0.html

iptables is compiled into the kernel, but when I try to run the script included in the HOWTO:

```
 #!/bin/bash
IPTABLES='/sbin/iptables'

# Set interface values
EXTIF='ppp0'
INTIF1='eth1'
INTIF2='eth2'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

#echo -e "       - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

#echo -e "       - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
```

through the command /etc/init.d/iptables start

I get a series of errors, found here: http://www.odioworks.com/iptables.txt

Any ideas?
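The HOWTO script above never sets chain policies, so INPUT and FORWARD stay at their ACCEPT default and only the two trailing DROP rules keep unsolicited traffic out; anything those rules do not match is let through. The following is an added example, not the HOWTO's or the poster's script: the same single-LAN masquerading setup rewritten to fail closed, with an explicit rule for return traffic and a dry-run mode that prints the rules so they can be reviewed without root. The interface names and the iptables path are taken from the post and are assumptions for the host in question.

```shell
#!/bin/bash
# Added example (not the HOWTO's script or the poster's): single-LAN NAT with
# default-DROP policies, an explicit return-traffic rule and a dry-run mode.
# Interface names and the iptables path are assumptions taken from the thread.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF="${EXTIF:-ppp0}"      # Internet-facing interface
INTIF="${INTIF:-eth1}"      # LAN interface
DRY_RUN="${DRY_RUN:-1}"     # 1 = print rules only; run with DRY_RUN=0 (as root) to apply

# run: print the command in dry-run mode, otherwise execute it and stop on the
# first failure so a half-applied rule set is noticed immediately
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@" || { echo "failed: $*" >&2; exit 1; }
    fi
}

# firewall_rules: the complete rule set, in the order iptables evaluates it
firewall_rules() {
    # same kernel knob the HOWTO writes with echo, set through the sysctl tool
    run sysctl -w net.ipv4.ip_forward=1

    # clean slate in the filter and nat tables, then fail closed
    run "$IPTABLES" -F
    run "$IPTABLES" -X
    run "$IPTABLES" -t nat -F
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT ACCEPT

    # loopback, replies to connections this host opened, and nothing malformed
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state INVALID -j DROP

    # services exposed on every interface, as in the HOWTO; add -i "$INTIF"
    # to either rule to make it LAN-only
    run "$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT
    run "$IPTABLES" -A INPUT -p tcp --dport 80 -j ACCEPT

    # LAN -> Internet may open connections; Internet -> LAN only gets replies
    run "$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # rewrite LAN source addresses to whatever address ppp0 currently has
    run "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# rule_count: how many -A rules the script emits (a cheap sanity check after edits)
rule_count() {
    ( DRY_RUN=1; firewall_rules ) | grep -c -- ' -A '
}

firewall_rules
```

Run it as is to see the rule list; `DRY_RUN=0` as root applies it. Note that the DROP policies are set before the ESTABLISHED rule exists, so when applying over SSH a few packets of the session are dropped until the next line runs; loading the same rules with iptables-restore, which commits a whole table at once, avoids that gap.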

----------

## mens

remove the space in front of #!/bin/bash on line 1

----------

## peka

just guessing..

didn't try this howto yet...

but...

try:

```
echo $IPTABLES
```

to check if you have '/sbin/iptables' there

and see if you have '/sbin/iptables' at all

----------

## MrUlterior

Do as mens suggests (remove the space), if that's not it, post the results of:

```
whereis iptables
emerge -s iptables
```

To find the iptables bin & check that iptables is emerged.

If this is still not the problem, then perhaps your iptables is compiled as a kernel module and not loaded, in which case you might want to add something like:

```
# load every netfilter module the kernel ships: they live under
# /lib/modules/<version>/kernel/net/netfilter and .../net/ipv4/netfilter,
# and the module name is the .ko file name without its extension
for MODULE in $(find /lib/modules/$(uname -r)/kernel/net -path '*/netfilter/*' -name '*.ko' -type f -printf '%f\n' | egrep -o '^[^.]+'); do
   echo "Loading ${MODULE}"
   modprobe $MODULE
done

# (you'll need to check the above, only have access to an AIX box right now & there's no gnu egrep or find
# so I can't test the "-print %f" and 'egrep -o .... '
```

before your first use of the $IPTABLES var in your script. (note, if it works, it'll load all netfilter modules your kernel has built .. )

----------

## odioworks_com

Yah iptables is built into the kernel - not loaded.  I didn't realize this would be an issue.

I will try adding that script & get back to you.

FYI:

Once I removed the space I get this error:

http://odioworks.com/iptables.txt

And here is the output from whereis iptables:

http://odioworks.com/iptables2.txt

----------

## odioworks_com

would it be better for me to just recompile my kernel with this as modules & not built into it?

Also another tidbit of info that I forgot to include:

modprobe ip_tables returns error "FATAL: Module ip_tables not found"

----------

## MrUlterior

*odioworks_com wrote:*

> would it be better for me to just recompile my kernel with this as modules & not built into it?
> 
> Also another tidbit of info that I forgot to include:
> 
> modprobe ip_tables returns error "FATAL: Module ip_tables not found"

When you say built in; do you mean as a module or built into the kernel itself?

You can check with:

```
gzcat /proc/config.gz | egrep -i "(netfilter|ip_nf)"
```
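The module-loading loop from the earlier post and the config.gz check above are two halves of one question: which netfilter options are built in (`=y`), which are modules that need a modprobe before the first iptables call (`=m`), and which are absent and need a kernel rebuild. As an added example that is not from the thread, the script below parses the `CONFIG_...` lines the check prints and answers that per option. The option-to-module names are the 2.4/2.6-era ones this thread uses (`ip_conntrack`, `iptable_nat`) and are an assumption; newer kernels use `nf_conntrack` and `CONFIG_NF_NAT` instead. The sample config text is constructed.

```shell
#!/bin/bash
# Added example (not from the thread): classify the kernel's netfilter options
# as builtin / module / absent from the output of zcat /proc/config.gz.
# Option-to-module mapping is the 2.4/2.6-era one and is an assumption.

# netfilter_support OPTION CONFIG_TEXT: print builtin, module or absent
netfilter_support() {
    option=$1
    config=$2
    line=$(printf '%s\n' "$config" | grep "^${option}=" | head -n 1)
    case "$line" in
        "${option}=y") echo builtin ;;
        "${option}=m") echo module ;;
        *)             echo absent ;;
    esac
}

# modules_to_load CONFIG_TEXT: module names for every option built as =m,
# in dependency order (conntrack and ip_tables before the tables that use them)
modules_to_load() {
    config=$1
    for pair in CONFIG_IP_NF_CONNTRACK:ip_conntrack \
                CONFIG_IP_NF_IPTABLES:ip_tables \
                CONFIG_IP_NF_FILTER:iptable_filter \
                CONFIG_IP_NF_MATCH_STATE:ipt_state \
                CONFIG_IP_NF_NAT:iptable_nat \
                CONFIG_IP_NF_TARGET_MASQUERADE:ipt_MASQUERADE; do
        option=${pair%%:*}
        module=${pair#*:}
        if [ "$(netfilter_support "$option" "$config")" = module ]; then
            echo "$module"
        fi
    done
}

# missing_options CONFIG_TEXT: options the HOWTO script needs that are absent;
# no modprobe can fix these, the kernel has to be rebuilt with them
missing_options() {
    config=$1
    for option in CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_NAT \
                  CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_MASQUERADE; do
        if [ "$(netfilter_support "$option" "$config")" = absent ]; then
            echo "$option"
        fi
    done
}

# check_running_kernel: the live version; prints the modprobe commands needed
# rather than running them, so the output can be reviewed first
check_running_kernel() {
    if [ ! -r /proc/config.gz ]; then
        echo "no /proc/config.gz (needs CONFIG_IKCONFIG_PROC); read the kernel .config instead" >&2
        return 1
    fi
    config=$(zcat /proc/config.gz)
    for option in $(missing_options "$config"); do
        echo "missing from kernel: $option" >&2
    done
    for module in $(modules_to_load "$config"); do
        echo "modprobe $module"
    done
}

# Constructed sample of what the thread's gzcat | egrep command prints on a
# kernel with the iptables core built in but conntrack and NAT as modules.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_STATE=y
# CONFIG_IP_NF_MATCH_LIMIT is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m'

modules_to_load "$SAMPLE_CONFIG"   # prints ip_conntrack, iptable_nat, ipt_MASQUERADE
```

On the real host, `check_running_kernel` reads `/proc/config.gz`; an option reported as missing explains a "Module ip_tables not found" from modprobe just as well as a missing modules directory does, because there is nothing to load when the feature was never compiled.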

----------

## odioworks_com

as far as I know it's built in directly to the kernel.

Here's the output from the command

```
gzcat /proc/config.gz | egrep -i "(netfilter|ip_nf)"
```

http://www.odioworks.com/gzcat.txt

----------

## odioworks_com

hm..

I tried adding this code before $IPTABLES

```
# load every netfilter module the kernel ships (found under
# /lib/modules/<version>/kernel/net/netfilter and .../net/ipv4/netfilter)
for MODULE in $(find /lib/modules/$(uname -r)/kernel/net -path '*/netfilter/*' -name '*.ko' -type f -printf '%f\n' | egrep -o '^[^.]+'); do
   echo "Loading ${MODULE}"
   modprobe $MODULE
done
```

but I still get this error:

http://www.odioworks.com/iptables3.txt

----------

## MrUlterior

Did you remove the space before "#!/bin/bash" ?

----------

## odioworks_com

I did remove the space.

Here is my exact IP tables script.  Notice I commented out the code for the second internal interface (I only have one).

http://www.odioworks.com/iptables_code.txt

-s

----------

## odioworks_com

I noticed a line in the code refers to /proc/sys/net/ipv4/ip_forward - that file doesn't exist on my machine.  Would this be the problem?

-s

----------

## throck

*odioworks_com wrote:*

> I noticed a line in the code refers to /proc/sys/net/ipv4/ip_forward - that file doesn't exist on my machine.

Nope.  The ip_forward file is not a file on a real filesystem (as far as I understand it anyway).  It has to be created on each boot, which is why you have the line that says "echo 1 > /proc/sys/net/ipv4/ip_forward".  That essentially creates a text file containing the number "1" in it, which tells the kernel (or iptables) that forwarding should be enabled.

The problem seems to be that the "#!/bin/bash" line, which tells the shell which program to use to execute this script, is the line giving the error.  For some reason it can't find /bin/bash.  Could be a permissions issue, although it's doubtful since you are probably using the bash shell currently.  Unfortunately I can't help much more than that at this point.
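throck's point that the `#!/bin/bash` line itself is what fails can be checked mechanically. As an added example that is not from the thread, the function below inspects a script's first line for the faults that stop the kernel from executing it: the shebang not at byte 0 (the leading space mens pointed out), a carriage return from DOS line endings (the kernel then looks for `/bin/bash<CR>` and reports it missing even though `/bin/bash` exists), an empty or non-executable interpreter path, or no shebang at all. The files it tests are constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not from the thread): diagnose a script's interpreter line.
# The demo files are constructed; /bin/sh is used as the known-good interpreter.
CR=$(printf '\r')

# check_shebang FILE: print "ok" or the first fault found; return 1 on a fault
check_shebang() {
    file=$1
    first=$(head -n 1 "$file")
    case "$first" in
        '#!'*)  ;;                                  # shebang at byte 0, inspect it
        *'#!'*) echo shebang-not-first; return 1 ;; # e.g. a leading space, as in the thread
        *)      echo no-shebang; return 1 ;;
    esac
    # a CRLF file ends the line with \r, which becomes part of the interpreter
    # path, so the kernel looks for "/bin/bash<CR>" and reports it missing
    case "$first" in
        *"$CR"*) echo carriage-return; return 1 ;;
    esac
    # the first word after "#!" is the interpreter; the rest are its arguments
    set -- $(printf '%s' "$first" | cut -c 3-)
    interp=${1:-}
    if [ -z "$interp" ]; then
        echo empty-interpreter; return 1
    fi
    if [ ! -x "$interp" ]; then
        echo "missing-interpreter:$interp"; return 1
    fi
    echo ok
}

# demo: constructed files showing each fault next to a correct one
demo() {
    dir=$(mktemp -d)
    printf ' #!/bin/sh\necho hi\n'            > "$dir/leading-space"
    printf '#!/bin/sh\r\necho hi\r\n'         > "$dir/crlf"
    printf '#!/nonexistent/bash\necho hi\n'   > "$dir/bad-path"
    printf 'echo hi\n'                        > "$dir/none"
    printf '#!/bin/sh\necho hi\n'             > "$dir/good"
    for f in leading-space crlf bad-path none good; do
        printf '%-14s %s\n' "$f" "$(check_shebang "$dir/$f" || true)"
    done
    rm -rf "$dir"
}

demo
```

Running `check_shebang /etc/init.d/iptables` on the affected host reports which of these applies; `cat -A` on the same file is the manual equivalent, showing a CR as `^M` at the end of the first line.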

----------

## odioworks_com

hmmmmmmmm

this could very well be related to a previous problem I had... I am embarrassed to say

see:

https://forums.gentoo.org/viewtopic-t-320349-highlight-.html

I assumed the problem was fixed when I successfully re-emerged bash.

----------

## MrUlterior

*odioworks_com wrote:*

> hmmmmmmmm
> 
> this could very well be related to a previous problem I had... I am embarrassed to say
> 
> see:
> ...

Lol! most likely, cat /bin/bash & see if it's still your firewall script .... if it is, copy it somewhere, rm -f /bin/bash and re-emerge bash. Use the live cd if you need to.

----------

## odioworks_com

nah when I cat it - it's obviously /bin/bash.

I had re-emerged bash before starting this post - which I think fixed the problem.

So I'm still stuck here:

```
/etc/init.d/iptables
: No such file or directory
```

Maybe there's an easier way to set up iptables?  I heard about firehol but it seemed more complicated than a straight script when I tried to use it.  Speaking of which - could the fact that I previously merged firehol and then unmerged it be a problem?

-s

----------

