# Iptables Packet Forwarding

## justincataldo

I'm trying to get iptables up and running so I can do masquerading and might even look into bandwidth limiting.

I've been following the Gentoo Iptables How To, and have enabled as modules in the kernel (2.6.23-r3).

```
aria ~ # grep -i netfilter /usr/src/linux/.config
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
# Core Netfilter Configuration
# CONFIG_NETFILTER_NETLINK is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
# IP: Netfilter Configuration
# IPv6: Netfilter Configuration (EXPERIMENTAL)
aria ~ # 
```

I make sure iptables is started:

```
aria ~ # /etc/init.d/iptables status
 * status:  started
aria ~ # 
```

Here's my script:

```
#!/bin/sh
IPTABLES=/sbin/iptables
EXTIF="eth0"
INTIF="eth1"

echo " IPTABLE program: $IPTABLES"
echo " External interface: $EXTIF"
echo " Internal interface: $INTIF"

echo -en " loading modules: "
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
echo -en "iptables "
/sbin/insmod ip_tables
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp
echo -en "iptable_nat, "
/sbin/insmod iptable_nat
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp
echo ". Done loading modules."

echo " enabling forwarding..."
echo "1" >/proc/sys/net/ipv4/ip_forward

echo " Clearing existing rules and setting default policy ..."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "  FWD: Allow all connections out and only existing and related ones in"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allowing users through the firewall.
# Allow all intranet users to get access to the outside - BE VERY CAREFUL uncommenting any of these lines.
#$IPTABLES -A FORWARD -d ! 16.5.0.0/24 -i $INTIF -o $EXTIF -j ACCEPT
#echo " Done."
#echo " Loading host access permissions..."
#echo " Done "

echo " Host: Gentoo-Server"
# Allow Gentoo-Server to access outside.
$IPTABLES -A FORWARD -d ! 16.5.0.0/24 -s 16.5.80.70/24 -i $INTIF -o $EXTIF -j ACCEPT
echo " Permission Granted."

#Turn on logging for all forwarded packets
#$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -d ! 16.5.0.0/24 -j MASQUERADE
echo "Done"
```

Both network interfaces are up and running:

```
aria ~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:E0:4C:E5:78:90  
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fee5:7890/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2018 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1035 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:266812 (260.5 Kb)  TX bytes:145899 (142.4 Kb)
          Interrupt:16 Base address:0x2000 

eth1      Link encap:Ethernet  HWaddr 00:E0:4C:FF:2E:BF  
          inet addr:16.5.80.70  Bcast:16.5.80.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:17 Base address:0x4000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:112 errors:0 dropped:0 overruns:0 frame:0
          TX packets:112 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:8544 (8.3 Kb)  TX bytes:8544 (8.3 Kb)
```

And here's an lsmod:

```
aria ~ # lsmod
Module                  Size  Used by
iptable_mangle          6272  0 
iptable_raw             5888  0 
ipt_REJECT              7168  0 
iptable_filter          6400  1 
ip_tables              14532  3 iptable_mangle,iptable_raw,iptable_filter
aria ~ # 
```

So that all looks good. But I get this response when I try to run the script:

```
aria ~ # .scripts/firewall 
 IPTABLE program: /sbin/iptables
 External interface: eth0
 Internal interface: eth1
 loading modules:  - Verifying that all kernel modules are ok
iptables insmod: can't read 'ip_tables': No such file or directory
ip_conntrack, insmod: can't read 'ip_conntrack': No such file or directory
ip_conntrack_ftp, insmod: can't read 'ip_conntrack_ftp': No such file or directory
iptable_nat, insmod: can't read 'iptable_nat': No such file or directory
ip_nat_ftp, insmod: can't read 'ip_nat_ftp': No such file or directory
. Done loading modules.
 enabling forwarding...
 Clearing existing rules and setting default policy ...
iptables v1.3.8: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
  FWD: Allow all connections out and only existing and related ones in
iptables: No chain/target/match by that name
 Host: Gentoo-Server
 Permission Granted.
 Enabling SNAT (MASQUERADE) functionality on eth0
iptables v1.3.8: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Done
aria ~ # 
```

What am I missing here? What's with all the errors when running the script?

----------

## manaka

Seems you haven't selected the features under "IP: Netfilter Configuration". You should have something like this:

```
#
# IP: Netfilter Configuration
#
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_STEALTH=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
# CONFIG_NF_NAT_SNMP_BASIC is not set
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_PPTP=m
# CONFIG_NF_NAT_H323 is not set
# CONFIG_NF_NAT_SIP is not set
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
```

As for the errors loading the kernel modules, seems you are using the old names. They changed some versions ago (don't remember exactly which one). For example, ip_nat_ftp has changed to nf_nat_ftp.
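The two problems in this thread (the nat table missing from the kernel, and the script using pre-rename `ip_*` module names with `insmod`) can both be caught before running a firewall script by checking the kernel `.config`. The following is an added example, not code from either poster or from the Gentoo how-to. It parses `.config` text, reports which options a MASQUERADE plus stateful-FORWARD setup needs that are unset, and lists the modules to `modprobe` for the options built as `=m`. The option-to-module table and the old-to-new name table are my assumptions for 2.6.2x-era kernels; the two sample configs are constructed to resemble the "before" and "after" of this thread.

```python
"""Check a kernel .config for the netfilter options a MASQUERADE plus
stateful FORWARD setup needs, and list the modules to modprobe.

Added example, not code from the thread. The option-to-module table and
the rename table are assumptions for 2.6.2x-era kernels (nf_* names)."""
import re

# Options the thread's script relies on (nat table, MASQUERADE target,
# "-m state" match) and the module each builds when set to =m.
# ASSUMPTION: module names as built by 2.6.2x kernels.
REQUIRED = {
    "CONFIG_NF_CONNTRACK": "nf_conntrack",
    "CONFIG_NF_CONNTRACK_IPV4": "nf_conntrack_ipv4",
    "CONFIG_IP_NF_IPTABLES": "ip_tables",
    "CONFIG_IP_NF_FILTER": "iptable_filter",
    "CONFIG_NF_NAT": "iptable_nat",
    "CONFIG_IP_NF_TARGET_MASQUERADE": "ipt_MASQUERADE",
    "CONFIG_NETFILTER_XT_MATCH_STATE": "xt_state",
}
# FTP helpers the script tries to load; optional for plain masquerading.
OPTIONAL = {
    "CONFIG_NF_CONNTRACK_FTP": "nf_conntrack_ftp",
    "CONFIG_NF_NAT_FTP": "nf_nat_ftp",
}
# Pre-rename module names (as used in the script) and their nf_* successors.
RENAMED = {
    "ip_conntrack": "nf_conntrack",
    "ip_conntrack_ftp": "nf_conntrack_ftp",
    "ip_nat_ftp": "nf_nat_ftp",
}

_SET = re.compile(r'^(CONFIG_\w+)=(.+)$')
_UNSET = re.compile(r'^# (CONFIG_\w+) is not set$')


def parse_config(text):
    """Parse .config text into {option: value}; unset options map to 'n'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def check_nat_support(text):
    """Return (missing, modules): required options that are absent or =n,
    and the modules that must be loaded because their option is =m."""
    opts = parse_config(text)
    missing = [o for o in REQUIRED if opts.get(o, "n") == "n"]
    wanted = {**REQUIRED, **OPTIONAL}
    modules = [mod for o, mod in wanted.items() if opts.get(o) == "m"]
    return missing, modules


def modernize(name):
    """Translate an old ip_* module name to its nf_* replacement."""
    return RENAMED.get(name, name)


def modprobe_lines(text):
    """modprobe commands for the =m options. Unlike the insmod calls in the
    thread's script, modprobe resolves the module path and its dependencies."""
    return ["modprobe " + mod for mod in check_nat_support(text)[1]]


# Constructed sample: the shape of the original poster's config, with
# nothing under "IP: Netfilter Configuration".
SAMPLE_BEFORE = """\
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
# CONFIG_NETFILTER_NETLINK is not set
"""

# Constructed sample: the same machine after enabling the options manaka lists.
SAMPLE_AFTER = """\
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_NF_NAT_FTP=m
"""

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        missing, modules = check_nat_support(cfg)
        print(f"[{label}] missing: {missing or 'none'}")
        print(f"[{label}] load: {modules or 'nothing (built-in or absent)'}")
    print("ip_nat_ftp ->", modernize("ip_nat_ftp"))
```

Run against a real `/usr/src/linux/.config` by passing its contents to `check_nat_support`; an empty `missing` list with the nat-related modules listed is the state in which `iptables -t nat` stops reporting "Table does not exist".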

----------

