# Routing with Gentoo

## tassilo80

Hi.

Here I have my desktop which is connected via DSL to the internet. Connected to the desktop there's my laptop. Now I want to share the internet connection with the laptop.

Ok, I know that I need iptables and masquerading, so I activated the following in my kernel:

```
Network Packet filtering
Socket filtering
unix domain sockets
TCP/IP networking
-> IP: multicasting
-> IP: advanced router
IP: multicast routing
In "IP netfilter configuration" (all as modules)
Connection tracking
FTP protocol support
IRC protocol support
IP tables support
Packet Filtering
Full NAT
  MASQUERADE target support
ROUTE target support
ARP tables support
  ARP packet filtering
```

Then I found a short script in the net which should configure iptables exactly the way I want it. It is:

```
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
```

But when I want to execute the script I get the following error:

```
[root@mymachine root # bash masquerading
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o: unresolved symbol nf_unregister_hook
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o: unresolved symbol nf_unregister_sockopt
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o: unresolved symbol ip_ct_attach
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o: unresolved symbol nf_register_hook
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o: unresolved symbol nf_register_sockopt
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o: insmod /lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o failed
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_conntrack.o: insmod iptable_nat failed
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.20-gentoo-r6/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.8: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
```

What do I have to do? How do I get this working? Do I need any more modules, or which ones are useless for my plan?

Much thanks in advance.

Tassilo
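The script quoted above masquerades everything leaving ppp0 and enables forwarding with no FORWARD policy, so once ip_forward is on the box forwards anything it receives. The following is an added example, not from the post or from any Gentoo script: it builds a rule set that forwards only the LAN subnet out the uplink and lets only replies back in. The LAN interface eth1 and the subnet 192.168.1.0/24 are assumed; with RUN unset it only prints the commands, so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Share a ppp0 uplink with a LAN behind eth1 (interface and subnet are
# assumptions for this example). RUN=1 applies the rules; otherwise the
# commands are printed for review on a machine without iptables.
WAN=${WAN:-ppp0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}   # constructed sample subnet

run() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

nat_rules() {
    # Start from an empty FORWARD chain with a default-deny policy, so
    # enabling ip_forward does not turn the box into an open router.
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    # Forward only traffic that arrives on the LAN side from the LAN
    # subnet, and only the replies coming back from the uplink.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Masquerade only the LAN subnet, not everything that leaves ppp0.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
    # Turn on forwarding last, once the filter is in place.
    run sysctl -w net.ipv4.ip_forward=1
}

# Self-check helper: number of rules that let packets through.
count_accepts() {
    nat_rules | grep -c -- '-j ACCEPT'
}

nat_rules
```

Running it as shown prints the rules; `RUN=1 sh script.sh` as root applies them, and `iptables -L FORWARD -v` afterwards should show the DROP policy with the two ACCEPT rules.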

----------

## Genone

Try:

```
cd /usr/src/linux
make clean
make bzImage modules modules_install
```

----------

## tassilo80

When I made the kernel I did

```
cd /usr/src/linux
make menuconfig
make dep && make clean && make bzImage modules modules_install
```

and then I copied the bzImage to /boot/. So why should I recompile the kernel?

Greets,

Tassilo

----------

## Genone

I thought you had just added the NAT options to your config and run a

```
make modules modules_install
```

If you compiled that kernel and modules from scratch there is no need to recompile them of course.

I'm just wondering as normally these unresolved symbol errors are detected at the make modules_install stage.

----------

## tassilo80

Oh, there's an iptables init script in /etc/init.d/. In /etc/conf.d/iptables I enabled ENABLE_FORWARDING_IPv4="yes". And I added /etc/init.d/iptables to runlevel default, but I get the same error messages when executing my script from above.

----------

## ph_flippy

I had the same problem and followed the advice in one of the threads in this forum (can't find which one, now  :Sad:  ).

The one thing I did was removing the modules from

```
/lib/modules/KERNEL
```

(where KERNEL is the kernel you used. Mine is 2.4.20-gentoo-r6) (or rather moved it, in case something would break).

This didn't help me.

Disabling "Loadable module support" > "Set version information on all module symbols" in the kernel, and then compiling the kernel helped to get rid of the unresolved symbols messages.

HTH!

----------

## MOS-FET

I can really suggest you try firehol (emerge firehol). It's basically a script that creates the firewall rules for you. In firehol.conf you can config _really_ easily what you want (e.g. forwarding, drop all incoming packets, only allow outgoing ftp or whatever) and then do "firehol start" and it starts iptables with your configuration. Then do "firehol save" so it would save your config. Then do rc-update add iptables default so your firewall will start at boot with the rules you've config'd with firehol. It's really easy and it worked very well for me!

----------

## tassilo80

Ok,

I'll take "Loadable module support" > "Set version information on all module symbols" out of the kernel and I'll test firehol. When it fails, I'll be back...  :Wink: 

Thanks,

Tassilo

----------

## tassilo80

Hi.

Now I tried it with firehol, but it doesn't work. I made a firehol.conf with

```
firehol helpme > /etc/firehol/firehol.conf
```

Then I edited the firehol.conf to what I need. 

The output of "firehol start" is:

```
mymachine root # firehol start
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall:iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 50 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_interface1_ICMP_s1 -p icmp -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 2.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 50 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_interface1_ICMP_s1 -p icmp -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name

***
and so on...
***

--------------------------------------------------------------------------------
ERROR   : # 61.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-unknown:
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 62.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=PASS-unknown:
OUTPUT  :
iptables: No chain/target/match by that name
 FAILED
FireHOL: Restoring old firewall: OK
```

What should I do?

----------

## ixion

I honestly would start all over with the kernel and the original options. I would not get rid of Loadable Module Support...

Go to /usr/src/linux... run this:

```
make mrproper && make menuconfig
make dep && make clean bzImage modules modules_install &&
mount /dev/hda1 /boot &&
mv /boot/bzImage /boot/bzImage-old
cp /usr/src/linux/arch/i386/boot/bzImage /boot/bzImage
lilo
reboot
```

The 'make mrproper' normally cleans up the symbols problem for me.. if it doesn't, re-emerge a kernel and start over with a fresh config. It's a lot of work, but it will solve your problem..  :Wink: 

----------

## tassilo80

Ok, I'll do as you say. If it works I'll tell you and otherwise I'll be back, too.

Thanks,

Tassilo

----------

## atticus

*tassilo80 wrote:*

> ```
>  # Load the NAT module (this pulls in all the others).
> ...
> ```

If you used this exact rule, I don't think it will work because the rule is for ppp0. ppp0 is for a dialup interface. I think what you want is eth0, since you're running DSL. (Someone correct me if I'm wrong.) So, change the ppp0 in your rule to eth0, to specify your Ethernet interface (your NIC).

----------

## vidigiani

DSL uses ppp0 just like dialup. When setting up firewall rules you want to use the ppp0 interface, not the ethX interface.

----------

## atticus

*vidigiani wrote:*

> DSL uses ppp0 just like dialup. When setting up firewall rules you want to use the ppp0 interface, not the ethX interface.

This doesn't make sense   :Question: 

----------

## deuce

*ixion wrote:*

> I honestly would start all over with the kernel and the original options. I would not get rid of Loadable Module Support...
>
> goto /usr/src/linux... run this:
>
> ```
> ...
> ```

You should copy /usr/src/linux/.config to another location before running make mrproper, otherwise .config is deleted. After make mrproper finishes, copy .config back and run make oldconfig.

```
cd /usr/src/linux/
cp .config ~/config
make mrproper
cp ~/config .config
make oldconfig
```

----------

## ixion

Good point.. I automatically assumed everyone configures their kernel like me: with each new compile I save it out as a config file in /usr/src/linux.. THIS file does not get overwritten during make mrproper... I think it's a good practice to save all your configs out anyway.. helps tremendously with kernel troubleshooting... :Wink: 

btw, how's it coming, tassilo80? any luck?

----------

## vidigiani

*atticus wrote:*

> *vidigiani wrote:* DSL uses ppp0 just like dialup. When setting up firewall rules you want to use the ppp0 interface, not the ethX interface.
>
> This doesn't make sense

You don't have a direct connection to your DSL ISP like you do with Cable. You typically have to go over PPPoE, which is the PPP protocol over Ethernet. Such is one of the annoyances of DSL service  :Sad: 

----------

