# IPTABLES problem with gentoo-sources-2.4.20-r1

## friction

After upgrading my kernel, copying the .config file etc, recompiling and rebooting I found that masquerading wasn't working anymore.

More specifically, my entire iptables script works perfectly except this line:

```
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
```

which returns "iptables: invalid argument"

So I tried the "more liberal form"

```
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
```

Same thing, invalid argument.

I went through make menuconfig, but everything seems to be in order, so I booted off my old .19 gentoo kernel and there were no problems, the line works fine.

What am I missing?

----------

## Lnx_dork

Hi,

Try recompiling iptables. It should fix the problem

----------

## scout

It is the third time I see this problem with iptables in the forum ... seems quite common, and I had it myself

----------

## Rroet

problem will be solved by recompiling iptables

----------

## friction

*Rroet wrote:*

> problem will be solved by recompiling iptables

Thanks, worked like a charm  :Smile: 

----------

## noisefactor

I'm using 2.4.20-gentoo-r2 and recompiling iptables hasn't helped.

----------

## Decode

Hi, I'm using -r2 as well.

I've verified that I have everything needed for firewalling in my Kernel.

I'm just rebuilding iptables after reading these posts.

```
# emerge iptables
```

I'll let you know if I make any progress.

Decode

----------

## Decode


I hate to say it, but recompiling did fix the problem for me as well...

Make sure you don't:

```
# emerge -u iptables
```

DO:

```
# emerge iptables
```

Note: I have all the ip mojo installed in the kernel, not as loadable modules... here are the exact settings I used to create my firewall box:

```
- Configure the Kernel
-- Gentoo recommended

Code maturity level options --->
  [*] Prompt for development and/or incomplete code/drivers

File systems --->
  <*> Ext3 journalling file system support
  [*] Virtual memory file system support (former shm fs)
  [*] /proc file system support
  [*] /dev file system support (EXPERIMENTAL)
    [*] Automatically mount at boot
  [ ] /dev/pts file system for Unix98 PTYs
   (Uncheck this, it is NOT needed.)
  <*> Second extended fs support
   (Needed if you are using ext2, safe to keep, even if you aren't.)

-- Custom

General Setup
  PCMCIA/CardBus support
    < > PCMCIA/CardBus support

SCSI support
  < > SCSI support

/* For ppp and dsl */
Network Device Support
  <*> PPP (point-to-point protocol) support
    <*> PPP support for async serial ports
    <*> PPP support for async serial ports
    <*> PPP Deflate compression
    <*> PPP BSD-Compress compression
    <*> PPP over Ethernet

/* For iptables support */
Networking Options
  <*> Network Packet Filtering (replaces ipchains)
    [*] Network packet filtering debugging
  IP: Netfilter Configuration -->
    <*> Connection Tracking (required for masq/NAT)
      <*> FTP protocol support (NEW)
    <*> IP Tables support (required for filtering/masq/NAT)
      <*> limit match support
      <*> quota match support
      <*> IP address pool support
      <*> MAC address match support
      <*> Packet type match support
      <*> netfilter MARK match support
      <*> Multiple port match support
      <*> Multiple port with ranges match support
      <*> TOS match support
      <*> psd match support
      <*> condition match support
      <*> ECN match support
      <*> DSCP match support
      <*> AH/ESP match support
      <*> LENGTH match support
      <*> TTL match support
      <removed b/c compile error> realm match support
      <*> stealth match support
      <*> Helper match support
      <*> Connection state match support (NEW)
      <*> Connections/IP limit match support
      <*> Connection tracking match support
      <*> Packet Filtering (NEW)
        <*> REJECT target support (NEW)
      <*> Full NAT (NEW)
        <*> MASQUERADE target support (NEW)
        <*> REDIRECT target support (NEW)
      <*> Packet mangling (NEW)
        <*> TOS target support
        <*> ECN target support
        <*> DSCP target support
        <*> MARK target support
      <*> LOG target support (NEW)
      <*> TTL target support
      <*> TCPMSS target support
```

If you see that you are missing something from Kernel, here is the process I use to recompile... Note, I'm a Noob, so there might be a smarter way of doing this:

```
# cd /usr/src/linux-<autocomplete>
# cp .config config.back<yyyymmddhhmm>   (use 24 hour clock for hh)
# make mrproper
# cp config.back<yyyymmddhhmm> .config
# make menuconfig
# make dep && make clean bzImage modules modules_install
# mount /boot
# cp /usr/src/linux/arch/i386/boot/bzImage /boot[optional: /vmlinuz-ver#-test]
# vim /etc/grub/grub.conf   (to make sure that the image is named correctly)
# umount /boot
# reboot
```

Hope this helps!

Decode


----------

## noisefactor

*Decode wrote:*

> Make sure you don't:
>
> # emerge -u iptables

Okay - so what can I do now, since I already did that by mistake? I've tried emerge -C and then reemerging earlier versions of iptables, but I still get "invalid argument" now when before I didn't (I was trying to fix an annoying FTP problem that only seems to affect OSX apps on my internal network).

Thanks.

----------

## Decode

Hmm.

Have you verified that you have all the appropriate components built either into the Kernel or as modules? There is an extensive (possibly overly-so) list in my earlier post. It is possible that I left out features that you need to handle your OSX issuez.

Without being an expert, I'd recommend that you:

1) verify that you have all necessary Kernel components built

2) remove aggressive flags from /etc/make.conf's CFLAGS and CXXFLAGS

3) verify that you are using a new version of iptables ( >= 1.2.8 )

Again, I will only say that recompiling fixed the issue for me, but may not for you.  Perhaps we'll get more input.  Doing searches on Gentoo for the invalid argument bug reveals that many have had this problem.... Try doing a search on Google as well, perhaps there's more there..?

Good luck  :Smile: 
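As an added example (not code from the thread or from any of its posters), here is a small POSIX shell check for step 1 above: it reads a kernel .config and reports which of the 2.4 netfilter options behind the "Network Packet Filtering", "Connection Tracking", "IP Tables support", "Full NAT" and "MASQUERADE target" entries in Decode's list are neither built in (=y) nor modular (=m). The CONFIG_ symbol names are the 2.4 kernel's own; the sample .config it falls back on is constructed, and the function names are this example's.

```shell
#!/bin/sh
# Added example, not from the thread: check a 2.4 kernel .config for the
# netfilter options that the SNAT / MASQUERADE rule discussed above needs.
# Menuconfig entry (from Decode's list)     -> 2.4 CONFIG symbol
#   Network Packet Filtering                -> CONFIG_NETFILTER
#   Connection Tracking (required for NAT)  -> CONFIG_IP_NF_CONNTRACK
#   IP Tables support                       -> CONFIG_IP_NF_IPTABLES
#   Full NAT (this also provides -j SNAT)   -> CONFIG_IP_NF_NAT
#   MASQUERADE target support               -> CONFIG_IP_NF_TARGET_MASQUERADE
REQUIRED_NAT_OPTS="CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE"

# nat_config_check FILE: print each required symbol that is neither =y nor =m
# in FILE, one per line. Exit status 0 when nothing is missing, 1 otherwise.
nat_config_check() {
    config="$1"
    rc=0
    for opt in $REQUIRED_NAT_OPTS; do
        # A "# CONFIG_X is not set" line and a missing line both fail this grep.
        if ! grep -Eq "^${opt}=(y|m)$" "$config"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# write_sample_config FILE: constructed .config fragment (not a real kernel's)
# with filtering enabled but NAT left out, which is a state in which both the
# "-j SNAT" and "-j MASQUERADE" lines from the first post fail to load.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_NAT is not set
EOF
}

# Stand-alone use: pass a real .config path as $1, otherwise the sample is used.
if [ -n "$1" ]; then cfg="$1"; else cfg=$(mktemp); write_sample_config "$cfg"; fi
if nat_config_check "$cfg"; then
    echo "all NAT options present in $cfg"
else
    echo "options listed above are missing from $cfg; NAT rules will not load"
fi
[ -n "$1" ] || rm -f "$cfg"
```

Run it as `sh nat_check.sh /usr/src/linux/.config` against the tree the running kernel was built from; an empty report means the "invalid argument" is not a missing kernel option and the iptables userspace rebuild from this thread is the next thing to try.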

----------

