>
> > The module(s?) you want are ip_tables and iptable_filter.  They are
> > both located in /lib/modules/2.4.5/kernel/net/ipv4/netfilter.  Make
> > sure they are loaded.
>
> Okay, here's my rc.iptables file.  I noticed that I'm not loading the
> iptable_filter, but I also get the message that the nat table isn't found.  Same
> thing?  BTW, I took this script out of last month's LJ.
>

I modified my original script below:

> #!/bin/sh
> PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
> export PATH
> IPT=/usr/sbin/iptables
>
> echo 0 > /proc/sys/net/ipv4/ip_forward

> insmod ip_tables

> insmod ip_nat_ftp
> insmod ip_conntrack_ftp
>
> for i in filter nat mangle
> do
> $IPT -t $i -F
> $IPT -t $i -X
> done
>
> $IPT -t filter -N tcprules
> $IPT -t filter -A tcprules -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> $IPT -t filter -A tcprules -i ! ppp+ -m state --state NEW -j ACCEPT
> $IPT -t filter -A tcprules -i ppp+ -m state --state NEW,INVALID -j DROP
> $IPT -t nat -A POSTROUTING -o ppp+ -s 10.0.0.0/24 -d 0/0 -j MASQUERADE
> $IPT -t filter -A INPUT -j tcprules
> $IPT -t filter -A FORWARD -j tcprules
> $IPT -t filter -P INPUT DROP
> $IPT -t filter -P FORWARD DROP
> echo 1 > /proc/sys/net/ipv4/ip_forward
>

To the new script:
#!/bin/sh
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
export PATH
IPT=/usr/sbin/iptables

echo 0 > /proc/sys/net/ipv4/ip_forward

insmod ip_tables
# insmod ip_nat_ftp
# insmod ip_nat
# insmod ip_conntrack_ftp
insmod iptable_filter
# insmod iptable_nat
# insmod iptable_mangle

# for i in filter nat mangle
for i in filter
do
$IPT -t $i -F
$IPT -t $i -X
done

$IPT -t filter -N tcprules
$IPT -t filter -A tcprules -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A tcprules -i ! ppp+ -m state --state NEW -j ACCEPT
$IPT -t filter -A tcprules -i ppp+ -m state --state NEW,INVALID -j DROP
# $IPT -t nat -A POSTROUTING -o ppp+ -s 10.0.0.0/24 -d 0/0 -j MASQUERADE
$IPT -t filter -A INPUT -j tcprules
$IPT -t filter -A FORWARD -j tcprules
$IPT -t filter -P INPUT DROP
$IPT -t filter -P FORWARD DROP
echo 1 > /proc/sys/net/ipv4/ip_forward

What I get now on loading of the modules is:

Using /lib/modules/2.4.5/kernel/net/ipv4/netfilter/ip_tables.o.gz
Using /lib/modules/2.4.5/kernel/net/ipv4/netfilter/iptable_filter.o.gz
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

If I'm doing NAT, don't I need the nat module loaded?  As well as the table?  If I
uncomment the nat lines, I get the errors:

no module by the name iptable_nat
can't initialize iptables table 'nat' table does not exist

Sheesh, while iptables may be more customizable than ipchains, this is getting a bit
confusing.  In a way, I'm tempted to go back to the 2.2.x kernel so I can take
advantage of ipchains being that it's a lot easier than iptables...
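Added example, not part of the thread: a POSIX sh checker that takes one iptables rule from the script above, lists the 2.4-series netfilter modules it depends on, and reports which of them a script's insmod lines have not loaded. The mapping it uses (ip_tables, iptable_<table>, ip_conntrack plus ipt_state for "-m state", ipt_MASQUERADE for "-j MASQUERADE") follows 2.4 netfilter module naming and is an assumption about the poster's kernel build; the "loaded" list is a constructed stand-in for the first column of /proc/modules, so nothing here touches a live kernel.

```shell
# Print the 2.4-series netfilter modules one iptables rule (passed as
# arguments) needs before it can succeed.  Assumed naming: ip_tables (core),
# iptable_<table>, ipt_state plus ip_conntrack for -m state, ipt_<TARGET>.
needed_modules() {
    table=filter
    mods=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -t) table="$2"; shift ;;
            -m) mods="$mods ipt_$2"
                if [ "$2" = state ]; then mods="$mods ip_conntrack"; fi
                shift ;;
            -j) case "$2" in
                    ACCEPT|DROP|RETURN|QUEUE) ;;                # built-in targets
                    MASQUERADE|SNAT|DNAT|REDIRECT|LOG|REJECT) mods="$mods ipt_$2" ;;
                    *) ;;                                       # user chain, e.g. tcprules
                esac
                shift ;;
        esac
        shift
    done
    echo "ip_tables iptable_$table$mods"
}
# Compare the needed list against a space-separated list of loaded module
# names (first column of /proc/modules; passed in so this runs anywhere).
missing_modules() {
    loaded="$1"; shift
    missing=""
    for m in $(needed_modules "$@"); do
        case " $loaded " in
            *" $m "*) ;;
            *) missing="$missing $m" ;;
        esac
    done
    echo "${missing# }"
}
# Walk two rules from the script above against the modules its insmod lines
# actually load (constructed list, not read from a running kernel).
demo() {
    loaded="ip_tables iptable_filter"
    for rule in \
        "-t filter -A tcprules -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-t nat -A POSTROUTING -o ppp+ -s 10.0.0.0/24 -d 0/0 -j MASQUERADE"
    do
        printf 'rule: %s\n  missing: %s\n' "$rule" "$(missing_modules "$loaded" $rule)"
    done
}
demo
```

A rule whose "missing" line is non-empty is one that will fail with "No chain/target/match by that name" (missing match or target module) or "table does not exist" (missing iptable_<table>) until those modules are loaded.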