# iptables don't work well

## Ezechiel

I have installed and configured everything right and everything works properly, but after a restart of my computer I must type these two lines in my console to connect my second computer to the Internet:

```
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xx.xxx.xxx

echo 1 > /proc/sys/net/ipv4/ip_forward
```

But I don't want to type these two lines after every restart. How can I change this to an automatic configuration?

thx for help

----------

## de4d

write those lines to an ascii file, make it executable and link from /etc/rcX.d/SYnat to it (symbolic)

where X is your runlevel and Y is a 2 digit integer value

have phun

----------

## klieber

 *de4d wrote:*   

> write those lines to an ascii file, make it executable and link from /etc/rcX.d/SYnat to it (symbolic)
> 
> where X is your runlevel and Y is a 2 digit integer value

 

Uhhhh....this is Gentoo, right?   Gentoo doesn't use rcX.d runlevels.  You might want to read the Gentoo Linux Init System doc.

To answer the original question, there are a number of ways to do that.  The easiest might be to simply place those two lines in /etc/conf.d/local.start.  They will then be run each time the computer starts.

--kurt

----------

## Naan Yaar

BTW, the thread title is quite misleading.  I would suggest changing it to something that matches its primary focus.

----------

## de4d

 *klieber wrote:*   

> 
> 
> Uhhhh....

 

oops

Anyway, I considered my system as 'running (too) well' and had no need to read *all* the docs.

good job ;)

----------

## Ezechiel

thx for help. I tried it with /etc/conf.d/local.start but it doesn't run.

I wrote the two lines into local.start exactly as I posted them above, but on startup of the system an error message about the iptables command appears.

----------

## Naan Yaar

Try giving the full path to iptables in your local script.  Also, it would be helpful to post the actual error message.

 *Ezechiel wrote:*   

> ...I wrote the two lines in the same way I have posted above in the local.start but on the startup of the system come a Error Message about the iptables Command.

 

----------

## Ezechiel

I haven't written a script. I just added the commands to local.start.

----------

## Naan Yaar

By script, I mean your local.start init script.

 *Ezechiel wrote:*   

> I don't have written a Script. I just added the Commands in the local.start

 

----------

## klieber

What Naan Yaar is saying is that, instead of using this:

```
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xx.xxx.xxx
```

use this:

```
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xx.xxx.xxx
```


If that still doesn't work, please post the exact error message that you're receiving.

--kurt

----------

## Ezechiel

I tried it also with /sbin... but I get the same message:

```
iptables v1.2.7a: Unknown arg '--to-source'

Try 'iptables -h' or 'iptables --help' for more information.

/sbin/runscript.sh: xxx.xx.xxx.xxx: command not found
```

----------

## klieber

 *Ezechiel wrote:*   

> 
> 
> ```
> iptables v1.2.7a: Unknown arg '--to-source'
> 
> ...

 

Do you have NAT enabled in your kernel?  What is the output of:

```
cat /usr/src/linux/.config |grep NAT
```

--kurt

----------

## Naan Yaar

I think your iptables command line is split across two lines (going by the xxx.xx... in your "command not found" message). Edit your file using "nano -w" and make sure that you don't have a line break in the iptables command (and other) lines.

 *Ezechiel wrote:*   

> I tried it also with /sbin... but I get the same message:
> 
> ```
> iptables v1.2.7a: Unknown arg '--to-source'
> 
> ...

 

----------

## HogRider

Ezechiel,

Let's start at the beginning:

First, does this command function properly from the CLI? With an explicit path? (/sbin/iptables)

If so, are you certain you've duplicated it exactly in your /etc/conf.d/local.start? (The easiest way is [left mouse button] select & [center mouse button] paste.)

Next, check you are using the same executable (as root, "which iptables").

If all of these factors are true, post your local.start.

BTW, what are you trying to accomplish with iptables?  You mention SNAT without any other rules.  I generally call a dedicated script to institute a full lockdown, followed by selective reopening of ports & services, which gives you optimal protection.
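
As an added example (not code posted in this thread), here is a dedicated firewall script of the kind HogRider describes: flush everything, default to DROP, then reopen only what a NAT gateway needs, ending with the SNAT rule from the original question. It is meant to be called by full path from /etc/conf.d/local.start. The interface names (eth0 LAN, eth1 uplink), the LAN range 192.168.1.0/24 and the public address 203.0.113.10 are assumptions to edit; setting DRY_RUN=1 (or calling it with `preview`) prints the commands instead of running them, so the ruleset can be reviewed before it is installed.

```shell
#!/bin/sh
# Added example (not from the thread): static firewall + SNAT script,
# full lockdown first, then selective reopening. Call it from
# /etc/conf.d/local.start with its full path, e.g. /etc/firewall.sh apply
# Assumptions (edit to taste): eth0 faces the LAN, eth1 is the uplink,
# the LAN is 192.168.1.0/24 and PUBLIC_IP is the address to SNAT to.
# DRY_RUN=1 prints the commands instead of executing them.

IPTABLES=${IPTABLES:-/sbin/iptables}   # full path: PATH is minimal at boot
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}   # assumed placeholder (TEST-NET-3)

# Execute one command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Start from a known-good state: flush and delete every chain, then
# default to DROP for anything the rules below do not explicitly allow.
reset_rules() {
    for t in filter nat mangle; do
        run "$IPTABLES" -t "$t" -F
        run "$IPTABLES" -t "$t" -X
    done
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT ACCEPT
}

# Reopen only what the gateway role needs.
allow_traffic() {
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Admin SSH from the LAN side only; nothing listens towards the uplink.
    run "$IPTABLES" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # LAN -> Internet, and replies back; the uplink may not initiate.
    run "$IPTABLES" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The SNAT rule from the original question, restricted to LAN sources.
    # Keep it on ONE line: a wrapped line is exactly what broke local.start.
    run "$IPTABLES" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

# Second line from the original question; redirection can't go through run().
enable_forwarding() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

apply_firewall() {
    reset_rules
    allow_traffic
    enable_forwarding
}

# Print the full command sequence without touching the kernel (subshell
# so DRY_RUN does not leak into the caller's environment).
preview_firewall() {
    ( DRY_RUN=1; apply_firewall )
}

case "${1:-}" in
    apply)   apply_firewall ;;
    preview) preview_firewall ;;
esac
```

Run `sh firewall.sh preview` as an unprivileged user to read the exact rules before putting `/etc/firewall.sh apply` in local.start; because the script flushes first, re-running it is idempotent and always yields the same ruleset.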

----------

## Ezechiel

The problem was the line split   :Laughing: 

The IP address was on a different line. Now everything works fine.

thx for help @ll   :Very Happy: 

----------

## Eagle-Eye

Another solution is to add iptables to your default runlevel and enable ip-forwarding in /etc/conf.d/iptables. Then you can save all currently set netfilter-rules in a configuration file using iptables-save. These rules will then be loaded when the system boots.

```
rc-update add iptables default

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx

iptables-save > /var/lib/iptables/rules-save
```

----------

## klieber

 *Eagle-Eye wrote:*   

> Another solution is to add iptables to your default runlevel and enable ip-forwarding in /etc/conf.d/iptables. Then you can save all currently set netfilter-rules in a configuration file using iptables-save. These rules will then be loaded when the system boots.

 

This is a solution, but IMO, it's a bad one.  A firewall script should be fairly static, and always start from a known-good configuration.  When you do things the way that iptables-save does, you never really know what ruleset you're running unless you examine it each and every time you boot the computer.  

So, I certainly recommend against the "Gentoo Way" of using iptables-save to dynamically save the current ruleset on each reboot.  That's just my $.02.

--kurt

----------

## static

What do you mean? Doesn't

```
iptables-save > /var/lib/iptables/rules-save
```

save to rules-save a "fairly static known-good configuration"? How else do you keep your rulesets for a reboot? You surely don't put each rule into local.start...

----------

## klieber

 *static wrote:*   

> what do you mean? Doesn't 
> 
> ```
> iptables-save > /var/lib/iptables/rules-save
> ```
> ...

 

Running that command does, but the Gentoo way of controlling iptables also automatically overwrites that file each time you reboot the machine. Thus, if you (or someone else) have put in a special iptables rule for testing or whatever reason and forget about it, that rule will forever be implemented in your ruleset.

Another thing I don't like about iptables-save is the format in which it saves the ruleset -- not very easy to follow, though perhaps that's just because I'm used to a different format.

 *static wrote:*   

> How else do you keep your rulesets for a reboot? You surely don't put each rule into local.start...

 

Nope -- you place them all in a script and run that script at start. That's similar to what Gentoo does, with two key differences:

The script never gets modified unless you modify it.

You can write the script in whatever format/flow that makes the most sense to you.

--kurt
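
Added example for the concern raised above (not code from the thread): if you do keep the iptables-save approach, the way to notice a forgotten test rule is to compare the saved or live ruleset against a baseline you reviewed once and keep under version control. The check below normalizes iptables-save output (drops the `#` timestamp lines and the `[packets:bytes]` counters) and prints every rule that is present now but absent from the baseline. The two sample dumps are constructed for this example, in the real iptables-save format; the baseline path is whatever you choose.

```shell
#!/bin/sh
# Added example, not from the thread: detect rules that crept into a
# ruleset. The Gentoo iptables init script rewrites
# /var/lib/iptables/rules-save on every stop, so a rule added "just for
# testing" quietly becomes part of the boot ruleset. Compare against a
# reviewed baseline instead of trusting whatever was last saved.
# The sample dumps below are constructed; the format is iptables-save's.

# Strip what legitimately differs between two dumps of the same ruleset:
# '#' lines carry timestamps, and [packets:bytes] counters keep changing
# (on policy lines always, on rule lines when saved with -c).
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^:\([^ ]*\) \([^ ]*\) \[[0-9]*:[0-9]*\]$/:\1 \2/' \
        -e 's/^\[[0-9]*:[0-9]*\] //'
}

# check_drift BASELINE [CURRENT]
# Prints every normalized line of CURRENT (default: the live ruleset from
# iptables-save) that is missing from BASELINE.
# Returns 0 when nothing crept in, 1 when drift was found.
check_drift() {
    tmpb=$(mktemp) || return 2
    tmpc=$(mktemp) || return 2
    normalize_rules < "$1" > "$tmpb"
    if [ -n "${2:-}" ]; then
        normalize_rules < "$2" > "$tmpc"
    else
        iptables-save | normalize_rules > "$tmpc"   # live ruleset, needs root
    fi
    # First file fills the "seen" set; lines of the second not in it are drift.
    if awk 'FNR == 1 { file++ }
            file == 1 { seen[$0] = 1; next }
            !($0 in seen) { print; found = 1 }
            END { exit (found ? 1 : 0) }' "$tmpb" "$tmpc"; then
        status=0
    else
        status=1
    fi
    rm -f "$tmpb" "$tmpc"
    return $status
}

# Constructed sample: the reviewed baseline as iptables-save writes it
# (the SNAT rule from the thread plus a minimal filter table).
sample_baseline() {
cat <<'EOF'
# Generated by iptables-save v1.2.7a on Sat Mar  1 10:00:00 2003
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
# Completed on Sat Mar  1 10:00:00 2003
EOF
}

# Constructed sample: the same box weeks later, saved with counters (-c):
# new timestamps, non-zero counters, and one telnet rule somebody opened
# for a test and forgot about.
sample_current() {
cat <<'EOF'
# Generated by iptables-save v1.2.7a on Mon Apr 14 08:12:33 2003
*nat
:PREROUTING ACCEPT [1204:96410]
:POSTROUTING ACCEPT [55:4120]
:OUTPUT ACCEPT [55:4120]
[8831:611204] -A POSTROUTING -o eth1 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT DROP [310:18600]
:FORWARD DROP [2:96]
:OUTPUT ACCEPT [7123:902111]
[40:2400] -A INPUT -i lo -j ACCEPT
[9912:7001240] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[3:180] -A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
COMMIT
# Completed on Mon Apr 14 08:12:33 2003
EOF
}

case "${1:-}" in
    check) check_drift "$2" "${3:-}" ;;
esac
```

Create the baseline once, after reviewing the output by hand (`iptables-save > /etc/firewall/rules.baseline`), then run `sh rulecheck.sh check /etc/firewall/rules.baseline` from cron or before each shutdown; a non-zero exit with the offending rule printed is the signal that someone's test rule is about to be saved for good. The set comparison ignores rule order; if order matters to you, `diff` the two normalized files instead.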

----------

