# iptables problem

## MrSums

I am setting up a new server for my home. Everything works fine, except on boot I get an iptables error which suggests I use iptables-restore to correct the problem. However, this gives me the same error:

 *Quote:*   

> minitx ~ # iptables-restore < /var/lib/iptables/rules-save 
> 
> iptables-restore v1.4.0: iptables-restore: unable to initialize table 'nat'
> 
> Error occurred at line: 2
> ...

 

The contents of /var/lib/iptables/rules-save are:

 *Quote:*   

> # Generated by iptables-save v1.3.8 on Thu Nov  1 08:47:18 2007
> 
> *nat
> 
> :PREROUTING ACCEPT [29034:5302394]
> ...

 

What is wrong with line 2? Can anyone help?

Thanks

Robert

----------

## didymos

Are the required nat modules loaded?  Also, what happens when you add the masquerading rule yourself (flush the tables first, then re-add each rule)?

----------

## sf_alpha

Maybe you don't have the iptables NAT modules loaded, or they don't exist.

Please try iptables-restore --verbose < xxx

----------

## jcat

Do you have a script you ran to set the rules initially?

If you do, maybe you should run it again to add the rules, then do a:

```
/etc/init.d/iptables save

/etc/init.d/iptables start
```

..and if it starts ok, just check it with a

```
/etc/init.d/iptables restart
```

If that doesn't get you going then yes it could be a modules issue I guess, did you build the iptables code as modules?

Try

```
modprobe ip_tables iptable_filter
```

Cheers,

jcat

----------

## MrSums

As this is designed to be a server, I compiled all the iptables stuff into the kernel. Does it make a difference if they are compiled as modules?

Robert

----------

## noobstate

 *MrSums wrote:*   

> I am setting up a new server for my home. Everything works fine, except on boot I get an iptables error which suggests I use iptables-restore to correct the problem. However, this gives me the same error:
> 
> Robert

 

I would recommend against using iptables-save to store all your firewall rules; they routinely get wiped.

I would, however, recommend making a separate iptables script and then adding it to init on boot.

----------

## didymos

 *noobstate wrote:*   

> I would recommend against using iptables-save to store all your firewall rules; they routinely get wiped.

 

Why not?  Just store a file called iptsave or something in a location that doesn't get wiped. All the command does is dump stuff to stdout.  Redirect at whim.

 *Quote:*   

> I would, however, recommend making a separate iptables script and then adding it to init on boot.

 

Not necessary; add all the rules you want then just do "/etc/init.d/iptables save && /etc/init.d/iptables start".  Works fine. Even with a complicated ruleset, once you've set it up, saving and restoring gets you the same end result.  To make changes: dump to a file, edit, restore from file.

----------

## noobstate

 *didymos wrote:*   

>  *noobstate wrote:*   
> 
> i would recommend against using iptables-save to store all your firewall rules, they routinely get wiped
> 
>  
> ...

 

Hmm, I didn't know you could call a file/script with rules from the daemon. I tried the commands you wrote, but sooner or later somehow (bad boot updates) it would wipe all the rules. So since then I have only made a script, made it executable, set root permissions, stuck it in /etc/init.d/ and added it to init upon boot after eth0.

Never had a problem with it that way.

Using iptables to store and load the rules would always, sooner or later, make the rules disappear.

----------

## jcat

One bonus of using a script is that you can establish your rules even if the iptables daemon can't/isn't running for any reason.  Just run the script!   :Cool: 

Cheers,

jcat

----------

## jcat

 *MrSums wrote:*   

> As this is designed to be a server, I compiled all the iptables stuff into the kernel. Does it make a difference if they are compiled as modules?
> 
> Robert

 

There isn't much difference, and compiling into the kernel means you don't have to load the modules explicitly.

Cheers,

jcat

----------

## MrSums

 *jcat wrote:*   

> There isn't much difference, and compiling into the kernel means you don't have to load the modules explicitly.
> 
> Cheers,
> 
> jcat

 

So why can't I get it to work still? - can someone point me in the direction of the changes required since previous kernel? I have obviously missed something, although I thought I had ticked all the right boxes in the kernel compilation

Many thanks

Robert

----------

## Hu

 *jcat wrote:*   

> One bonus of using a script is that you can establish your rules even if the iptables daemon can't/isn't running for any reason.  Just run the script!  
> 
> Cheers,
> 
> jcat

 

There is no iptables daemon.  The script is just in init.d because that makes it easy for baselayout to interact with it cleanly.  Keeping your rules in a separate script makes the load non-atomic, which can make quite a mess if your allow rules fail to load and your deny rules load successfully.  If the rules are loaded by the initscript, then they all load or fail at once.

noobstate: what update erased your rules?  Where did you save them?  Did you configure the system to save state at shutdown?

MrSums: what is the output of uname -r ; zgrep -E '^[^#]' /proc/config.gz?

----------

## MrSums

 *Hu wrote:*   

> MrSums: what is the output of uname -r ; zgrep -E '^[^#]' /proc/config.gz?

 

Output is below - I think the only change is that I tried to compile this kernel with nf_nat as a module (but still doesn't work). Previously I had it compiled into the kernel

Thanks

Robert

 *Quote:*   

> 2.6.22.9
> 
> CONFIG_X86_32=y
> 
> CONFIG_GENERIC_TIME=y
> ...

 

----------

## jcat

 *Hu wrote:*   

>  *jcat wrote:*   One bonus of using a script is that you can establish your rules even if the iptables daemon can't/isn't running for any reason.  Just run the script!  
> 
> Cheers,
> 
> jcat 
> ...

 

You have completely missed the point of my post.

Yes, obviously you let the iptables "init script" (if you want to be pedantic) manage establishing your rules on boot and saving them on shutdown (or whatever), but when you initially set-up your rules (when you first configure iptables on that particular host) it's good practice to use a script.  This is a well established concept.

The iptables-save file format is not quite the same as the raw iptables commands you would pass at the CLI. It's good practice to have it in a form that can be parsed by a standard interpreter.

Cheers,

jcat

----------

## gsoe

Well, I don't see any CONFIG_NF_NAT in that kernel config...

----------

## Hu

 *jcat wrote:*   

> 
> 
> You have completely missed the point of my post.
> 
> Yes, obviously you let the iptables "init script" (if you want to be pedantic) manage establishing your rules on boot and saving them on shutdown (or whatever), but when you initially set-up your rules (when you first configure iptables on that particular host) it's good practice to use a script.  This is a well established concept.
> ...

 

No, I understood it perfectly.  I happen to disagree.

I prefer to be pedantic.  It ensures that my posts are clear to the widest possible audience.

Aside from the table specifications, the format of the iptables-save output is sufficiently similar that it is quite possible to write the rules by directly editing such a file and then feeding it back in to iptables-restore.  To get the table specification correct, it is sufficient to run iptables-save to get a template to modify.

----------

## didymos

 *gsoe wrote:*   

> Well, I don't see any CONFIG_NF_NAT in that kernel config...

 

In fact, I don't see much at all.  Most of the match targets aren't enabled, none of the NAT options are there, masquerading isn't enabled (consequence of no NAT, but you're specifically trying to do masquerading...), et cetera.  Personally, I prefer to build all (or actually most of; some features I know I'll never use) the iptables stuff as modules, and then just let them be loaded as needed.  It makes it easier to diagnose things (rule not working? lsmod; ah, missing module) and correct problems like yours.  If you forget to build a module, just enable it and run "make modules modules_install && modprobe <xxx>"; no need to rebuild the kernel image or reboot until you actually change something configured as a built-in.  If you don't want the feature anymore, disable it, delete the module, and maybe run rmmod.

In this case, you could just enable the missing stuff as modules w/o changing the rest of the iptables stuff if you'd rather not rebuild the kernel.  For me, I prefer to take an all-built-in or all-modules approach with the kernel, so I'd just convert all of iptables to modules and rebuild.

----------

## jcat

 *Hu wrote:*   

> 
> 
> No, I understood it perfectly.  I happen to disagree.
> 
> 

 

You disagree that it's best to play safe and have the script as well...     :Laughing: 

Cheers,

jcat

----------

## didymos

 *jcat wrote:*   

>  *Hu wrote:*   
> 
> No, I understood it perfectly.  I happen to disagree.
> 
>  
> ...

 

OK, everyone's wrong, except me.  Even if you agree with everything I say, you're still wrong. Sorry.   :Twisted Evil: 

----------

## jcat

 *didymos wrote:*   

>  *jcat wrote:*    *Hu wrote:*   
> 
> No, I understood it perfectly.  I happen to disagree.
> 
>  
> ...

 

 :Very Happy: 

Cheers,

jcat

----------

## MrSums

 *gsoe wrote:*   

> Well, I don't see any CONFIG_NF_NAT in that kernel config...

 

If the file that we are reviewing is the output from /proc/config.gz is this not the output from the working system? - my iptables are not working, so the detail would not be there, would it?

Could someone whose iptables are working please provide their output so I can see what is not working properly on mine? Or is there a list somewhere that I can follow? I have picked up as much as I can from the forums, but several days and multiple re-compiles later it still ain't working.

Thanks

Robert

----------

## didymos

 *MrSums wrote:*   

>  *gsoe wrote:*   Well, I don't see any CONFIG_NF_NAT in that kernel config... 
> 
> If the file that we are reviewing is the output from /proc/config.gz is this not the output from the working system? - my iptables are not working, so the detail would not be there, would it?
> 
> 

 

Yes, that's the point being made: you didn't enable NAT, but tried to use it in your rules.  Just run menuconfig, enable all the NAT stuff, rebuild.  As I said earlier, it's better to just enable pretty much everything netfilter related as modules.  Even if you add in the ebtables stuff, altogether the modules amount to a little over a MiB.  That way, you've got all those capabilities available without having all of it in memory all the time.
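The root cause diagnosed above is that the saved rules file declares a `*nat` table while the kernel was built without NAT support, which is what `iptables-restore` reports as "unable to initialize table 'nat'". The following is an added example (not code from the thread or from the iptables project): a POSIX shell pre-flight check that parses an iptables-save style file, lists the tables it declares, verifies every `*table` block is closed by `COMMIT`, and compares the declared tables with the ones the running kernel exposes in `/proc/net/ip_tables_names`. The sample rules file is constructed for the example and only loosely modelled on the poster's; nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for an iptables-save
# style rules file before feeding it to iptables-restore. It reports the
# tables the file declares (*nat, *filter, ...), verifies each has a COMMIT,
# and compares the declared tables with those the running kernel exposes in
# /proc/net/ip_tables_names. A table missing from the kernel is exactly the
# "unable to initialize table 'nat'" failure seen in the thread.

# Constructed sample modelled on the poster's rules-save file; the rules
# themselves are made up for the example.
SAMPLE_RULES='# Generated by iptables-save v1.3.8 on Thu Nov  1 08:47:18 2007
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
'
SAMPLE_FILE=$(mktemp)
printf '%s' "$SAMPLE_RULES" > "$SAMPLE_FILE"

# rules_tables FILE: print the table names the file declares, one per line.
rules_tables() {
    sed -n 's/^\*\([a-z]*\)[[:space:]]*$/\1/p' "$1"
}

# rules_commits_balanced FILE: succeed only if every "*table" block is closed
# by a COMMIT line (iptables-restore rejects a file where they do not match).
rules_commits_balanced() {
    tables=$(grep -c '^\*' "$1" || true)
    commits=$(grep -c '^COMMIT' "$1" || true)
    [ "$tables" -eq "$commits" ]
}

# rules_missing_tables FILE "t1 t2 ...": print the declared tables that are
# not in the space-separated list of available tables.
rules_missing_tables() {
    missing=""
    for t in $(rules_tables "$1"); do
        case " $2 " in
            *" $t "*) ;;
            *) missing="$missing $t" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# kernel_tables: tables the running kernel knows about; empty when netfilter
# is absent or this is not Linux.
kernel_tables() {
    if [ -r /proc/net/ip_tables_names ]; then
        tr '\n' ' ' < /proc/net/ip_tables_names
    fi
}

# Report on the sample file against this kernel (nothing is loaded).
if rules_commits_balanced "$SAMPLE_FILE"; then
    echo "sample file: every table block has a COMMIT"
fi
echo "tables declared: $(rules_tables "$SAMPLE_FILE" | tr '\n' ' ')"
absent=$(rules_missing_tables "$SAMPLE_FILE" "$(kernel_tables)")
if [ -n "$absent" ]; then
    echo "not available in this kernel (iptables-restore would fail): $absent"
else
    echo "all declared tables are available"
fi
```

Run it against a real file by pointing `rules_missing_tables` at `/var/lib/iptables/rules-save` instead of the sample; if it names `nat`, the fix is the kernel config (NAT support), not the rules file. Note that `/proc/net/ip_tables_names` only lists tables whose kernel modules are currently loaded, so on a modular kernel an empty report can mean "not loaded yet" rather than "not built".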

----------

## henri

Same Problem here!

...the point is that, for example, linux-2.6.23-gentoo-r9 only offers CONFIG_NATSEMI.

I also could not find any other NAT modules any more.

No FULL_NAT etc...

```
# grep _NAT ./.config
CONFIG_NATSEMI=m
```

Have the NAT modules been "outsourced" from the kernel?

Many thanks in advance,

    yours Henri

----------

## eulogious

No, it's not "outsourced", it doesn't exist.  How can you make something work if you didn't build it correctly and don't have all the parts?  Gentoo installs with nothing.  You have to install what you need.  That is the beauty of Gentoo.  You need to compile anything referring to netfilter into your kernel in order for iptables to function properly.  This is not done by default.  EVERYONE who installs Gentoo and wants to use iptables HAS to do this.  Use menuconfig to configure your kernel.  Refer to the Gentoo docs on how to compile your kernel if you are confused about it.  I use genkernel.  Makes life easy.  If you don't want to build it into your kernel, make it a module.  That's what the "M" stands for in menuconfig.  Good luck!

----------

## henri

This is simply wrong:  *eulogious wrote:*   

> No it's not "outsourced", it doesn't exist.

 

I also posted the answer in https://forums.gentoo.org/viewtopic-t-651716.html

If you forget to set CONFIG_NF_CONNTRACK_IPV4, the FULL_NAT options will not appear.

I forgot it  :Smile:  - Now everything is selectable like expected again.

Yours Henri

----------

## eulogious

 *Quote:*   

> CONFIG_NF_CONNTRACK_IPV4

Related to netfilter, hence the _NF_ part of that.  Like I said, enable EVERY thing related to netfilter.

 *Quote:*   

> You need to compile anything referring to netfilter into your kernel in order for iptables to function properly.

Glad you got it working!

----------

## didymos

Again: this is why you just enable basically all the netfilter stuff.  Then you don't have to go hunting for the right combination of options to get stuff to appear.  It's just all there, as modules, ready to be used if and when it's needed.  At worst, you waste a few hundred KiB of disk space on the unused modules.

----------

