
IP-Masquerade on Redhat 7.1


Tommy

Jul 31, 2001, 2:54:58 PM7/31/01
Hi there,

After a lot of struggle I managed to get IP-Masquerade on my Linux box
(Redhat 7.1 with kernel 2.4.2-2 and iptables 1.2.1a-1) to work. But I
ended up with a very strange configuration file (i.e. the rc.firewall
file).
So, my question is: what should a correct firewall configuration file
look like on a Redhat 7.1 system?

Here is how I ended up with my config file:
1. From the document 'Linux IP Masquerade HOWTO v2.00.21' it was
recommended to use:
--- SCRIPT START ---
#!/bin/sh
/sbin/depmod -a
/sbin/insmod ip_tables
/sbin/insmod ipt_REJECT
/sbin/insmod ip_conntrack
/sbin/insmod iptable_nat
/sbin/insmod ip_nat_ftp
/sbin/insmod ip_conntrack_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
/usr/local/sbin/iptables -A FORWARD -j DROP
/usr/local/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
--- SCRIPT END ---

But after I had executed the script I got dozens of 'unresolved
symbol' messages and it was impossible for my clients to access the
net via my MASQ-server. Also, when I executed 'iptables -L' from the
command line I got the following error messages:
--- ERROR START ---
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o:
init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters,
including invalid IO or IRQ parameters
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod
ip_tables failed
iptables v1.2.1a: can't initialize iptables table `filter': iptables
who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
--- ERROR END ---

2. On a newsgroup I saw a posted message that proposed the following
configuration instead:
--- SCRIPT START ---
#!/bin/sh
/sbin/rmmod ipchains
modprobe iptable_nat
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
--- SCRIPT END ---

That one did not work either. But when I executed them together (see
script below) then suddenly everything works fine. This seems very
strange since the scripts do not work alone, but they do when the
'iptable_nat' module and its dependents are loaded twice and when the
'iptables' rules are inserted twice. What is the reason for this?
--- SCRIPT START ---
#!/bin/sh
/sbin/depmod -a
/sbin/insmod ip_tables
/sbin/insmod ipt_REJECT
/sbin/insmod ip_conntrack
/sbin/insmod iptable_nat
/sbin/insmod ip_nat_ftp
/sbin/insmod ip_conntrack_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
/usr/local/sbin/iptables -A FORWARD -j DROP
/usr/local/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/rmmod ipchains
modprobe iptable_nat
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
--- SCRIPT END ---

By the way, are there any good articles or other resources available
for how to configure stronger IP Firewall (IPTABLES) rulesets e.g.
deny all incoming traffic except for TCP on port 22, but at the same
time allowing all outgoing traffic on all ports?

Regards,
Tommy
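The ruleset asked for at the end of the post (deny all inbound except TCP/22, allow all outbound, masquerade the LAN), written as a single rc.firewall-style script. This is an added example, not the script from the HOWTO, the newsgroup or the original poster. The interface names (ppp0 outside, eth0 inside) and the LAN range 192.168.1.0/24 are assumptions for the example. It also applies the one fix the thread converges on: the 2.4 ipchains compatibility module and ip_tables register the same netfilter hooks, so ip_tables cannot initialise ("Device or resource busy") until ipchains has been unloaded, which is why the combined script only started working after its `rmmod ipchains` line.

```sh
#!/bin/sh
# Stateful iptables firewall plus masquerade for a 2.4 kernel with iptables 1.2.x.
# Policy: drop everything arriving on the external interface except new TCP/22
# and replies to traffic we started; allow all outbound; masquerade the LAN.
# EXT_IF, INT_IF and INT_NET are assumed values, not taken from the original post.

EXT_IF=${EXT_IF:-ppp0}              # dial-up side (assumption)
INT_IF=${INT_IF:-eth0}              # LAN side (assumption)
INT_NET=${INT_NET:-192.168.1.0/24}  # LAN network (assumption)
IPT=${IPT:-/sbin/iptables}          # set IPT="echo iptables" for a dry run

# ipchains and ip_tables cannot be loaded at the same time: unload ipchains
# first, otherwise ip_tables fails with "Device or resource busy".
load_modules() {
    /sbin/rmmod ipchains 2>/dev/null || true
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp      # track FTP data connections
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_nat_ftp            # rewrite FTP PORT/PASV for masqueraded clients
    /sbin/modprobe ipt_state
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_MASQUERADE
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # reverse-path filter: drop packets whose source is not routable via the
    # interface they arrived on (cheap anti-spoofing)
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
}

apply_rules() {
    # start from a clean slate in both tables
    $IPT -F
    $IPT -X
    $IPT -t nat -F

    # default deny for inbound and forwarded traffic, allow outbound
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # loopback is always allowed
    $IPT -A INPUT -i lo -j ACCEPT
    # packets from outside must never claim an internal source address
    $IPT -A INPUT -i "$EXT_IF" -s "$INT_NET" -j DROP
    # replies to connections this host opened itself
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the only new inbound service: SSH
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # trust the LAN side for administering the box itself
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # log (rate limited) what the INPUT policy is about to drop
    $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "fw-input-drop: "

    # the LAN may open anything outbound; only replies are forwarded back in
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # masquerade only LAN traffic leaving through the external interface
    $IPT -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE
}

# Number of -A rules the script would insert (dry-run check, touches nothing).
rule_count() {
    ( IPT="echo iptables"; apply_rules ) | grep -c -- ' -A '
}

case "${1:-}" in
    apply)  load_modules; enable_forwarding; apply_rules ;;
    dryrun) ( IPT="echo iptables"; apply_rules ) ;;
    *)      : ;;   # no argument: define the functions only
esac
```

Run it as `sh rc.firewall dryrun` to print the exact iptables commands before committing to them, then `sh rc.firewall apply` as root. The FORWARD chain is what replaces the HOWTO's lone `-A FORWARD -j DROP`: that rule by itself blocks the clients, and adding the MASQUERADE rule in the nat table does not help, because masquerading only rewrites packets that the filter table has already agreed to forward.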

Teddy

Aug 1, 2001, 10:13:13 AM8/1/01

Tommy,

You should recompile your kernel.
If I were you, I'd download the latest 2.45 kernel from ftp.kernel.org

and make a new kernel (make menuconfig and use the "?" when inside
menuconfig).
Also be sure to include "Y" all the modules that say "required for
IP Masquerading..." and the like. And definitely include "Y" all the stuff you
need, for network cards/USB/sound/whatever you use... otherwise you'll have
to make the modules manually later on and load them up as you're doing now.


/sbin/depmod -a rebuilds the /etc/modules.conf (symbolic references)


"Tommy" <da...@telia.com> wrote in message
news:8ad22b78.01073...@posting.google.com...

Bill K.

Jan 20, 2002, 4:07:37 PM1/20/02
I hope you got an answer by now but in case you didn't, here's one.

If you uninstall ipchains and associated rpms, iptables will work, but it
won't as long as ipchains is installed. I don't know why you get those
unresolved symbols errors, but they do go away after ipchains is gone.

In article <8ad22b78.01073...@posting.google.com>, "Tommy"
