IPtables FORWARD syntax question/error

IPtables FORWARD syntax question/error

[Eric Ellis]

I've just started messing with iptables so I can start walling off 
certain parts of my network from the rest of it.  Right now, I have a 
test bed set up with a slackware 10 install, packet forwarding on, and 
masquerading working, so I'm moving data fine, since the box that I use 
for daily work is behind this beta box.

I have installed Squid on the box so I can log all web requests done by 
my users on the back side of the firewall.  This too works, as I can 
tail -f the log and watch myself browse.

The problem is coming from the following item that I want to implement:
I have a webcache/external proxy on the network that I want to route all 
web traffic from Squid to.  I assumed the following to work:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 
xx.xx.xx.xx:8080

the thing is that it gives me the error "invalid argument".  Here's what 
else I've tried, with errors:

root@firewall:/etc# iptables -t nat -A POSTROUTING -p tcp --dport 80 -j 
DNAT --to-destination xx.xx.xx.xx:8080
iptables: Invalid argument 

root@firewall:/etc# iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT 
--to-destination xx.xx.xx.xx:8080
iptables: Invalid argument 

root@firewall:/etc# iptables -A OUTPUT -p tcp --dport 80 -j DNAT 
--to-destination xx.xx.xx.xx:8080
iptables: Invalid argument 

root@firewall:/etc# iptables -A OUTPUT -p tcp --dport 80 -j DNAT 
--to-destination xx.xx.xx.xx
iptables: Invalid argument 


All the above assumes that I should be treating Squid as a source on the 
box, which is why I'm using the OUTPUT chain.  If I'm wrong here, let me 
know.

The troubling thing that I'm having here is that I don't know what about 
the rule that I'm requesting to set up is borked, and I can't really 
find any material on it in the past few days that I've been looking.  It 
*appears* to be a valid rule, according to what I've read at 
http://iptables-tutorial.frozentux.net/ and other various 
documentation/HOW-TOs/newb help references.  I think I'm missing 
something *really* obvious, but I don't have the depth to find it.


/me sighs.  Thanks for your help in advance.

Re: IPtables FORWARD syntax question/error

[Antony Stone]

On Friday 09 July 2004 5:12 pm, Eric Ellis wrote:

> I have a webcache/external proxy on the network that I want to route all
> web traffic from Squid to.  I assumed the following to work:
>
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination
> xx.xx.xx.xx:8080
>
> the thing is that it gives me the error "invalid argument".  Here's what
> else I've tried, with errors:
>
> root@firewall:/etc# iptables -t nat -A POSTROUTING -p tcp --dport 80 -j
> DNAT --to-destination xx.xx.xx.xx:8080
> iptables: Invalid argument

DNAT is not valid in the POSTROUTING chain, only PREROUTING and OUTPUT.

> root@firewall:/etc# iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT
> --to-destination xx.xx.xx.xx:8080
> iptables: Invalid argument

That looks like a valid rule to me (but see below).

> root@firewall:/etc# iptables -A OUTPUT -p tcp --dport 80 -j DNAT
> --to-destination xx.xx.xx.xx:8080
> iptables: Invalid argument

DNAT is not valid in the (default) filter table, only in the nat table.

> root@firewall:/etc# iptables -A OUTPUT -p tcp --dport 80 -j DNAT
> --to-destination xx.xx.xx.xx
> iptables: Invalid argument

DNAT is not valid in the (default) filter table, only in the nat table.

> The troubling thing that I'm having here is that I don't know what about
> the rule that I'm requesting to set up is borked, and I can't really
> find any material on it in the past few days that I've been looking.  It
> *appears* to be a valid rule, according to what I've read at
> http://iptables-tutorial.frozentux.net/ and other various
> documentation/HOW-TOs/newb help references.  I think I'm missing
> something *really* obvious, but I don't have the depth to find it.

I think your netfilter rule is fine, but I suspect you don't have OUTPUT DNAT 
enabled in the kernel - i's a separate option from the normal NAT stuff, 
which you have to select if you need it.

Regards,

Antony.

-- 
I own three Windows books, published by O'Reilly.   They are "Windows 
Annoyances", "Office 97 Annoyances" and "Windows 98 Annoyances".   That 
pretty much sums it up for me.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: IPtables FORWARD syntax question/error

[Alistair Tonner]

On July 10, 2004 04:40 am, Antony Stone wrote:
> On Friday 09 July 2004 5:12 pm, Eric Ellis wrote:
> > I have a webcache/external proxy on the network that I want to route all
> > web traffic from Squid to.  I assumed the following to work:
> >
> > iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination
> > xx.xx.xx.xx:8080
> >
> > the thing is that it gives me the error "invalid argument".  Here's what
> > else I've tried, with errors:
> >
> > root@firewall:/etc# iptables -t nat -A POSTROUTING -p tcp --dport 80 -j
> > DNAT --to-destination xx.xx.xx.xx:8080
> > iptables: Invalid argument
>
> DNAT is not valid in the POSTROUTING chain, only PREROUTING and OUTPUT.
>
> > root@firewall:/etc# iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT
> > --to-destination xx.xx.xx.xx:8080
> > iptables: Invalid argument
>
> That looks like a valid rule to me (but see below).

	Umm ... could we have TWO copies of iptables involved here?? or a 
	recompiled kernel without a recompile of iptables userspace code????

	
	Alistair Tonner.

	
> Regards,
>
> Antony.