"iptables: Invalid argument" with kernel 2.4.20

"iptables: Invalid argument" with kernel 2.4.20

[cees-bart]

hi all,

by reading the iptables tutorial (version 1.1.11) i've constructed
a configuration that forwards a port on MYMACHINE to OTHERMACHINE:

# Generated by iptables-save v1.2.6a on Tue Nov 12 17:41:18 2002
*nat
:PREROUTING ACCEPT [221:38784]
:POSTROUTING ACCEPT [78:7025]
:OUTPUT ACCEPT [72:6769]

-A PREROUTING -d MYMACHINE -p udp -m udp --dport 27960 -j DNAT \ 
                           --to-destination OTHERMACHINE:30000 

-A POSTROUTING -d OTHERMACHINE -p udp -m udp --dport 30000 -j SNAT \ 
                           --to-source MYMACHINE 

-A OUTPUT -d MYMACHINE -p udp -m udp --dport 27960 -j DNAT \
                           --to-destination OTHERMACHINE:30000 

COMMIT
# Completed on Tue Nov 12 17:41:18 2002

this setup works fine on kernel 2.4.19 with iptables 1.2.6a.

BUT, the last rule (OUTPUT) fails with message "iptables: Invalid 
argument" when running under 2.4.20.

i tried iptables 1.2.7a as well, but the result is the same.

am i doing something wrong?

thnx,
cees-bart.

RE: "iptables: Invalid argument" with kernel 2.4.20

[Rob Sterenborg]

> by reading the iptables tutorial (version 1.1.11) i've constructed
> a configuration that forwards a port on MYMACHINE to OTHERMACHINE:

I see we are now at 1.1.15 :o)

> # Generated by iptables-save v1.2.6a on Tue Nov 12 17:41:18 2002
> *nat
> :PREROUTING ACCEPT [221:38784]
> :POSTROUTING ACCEPT [78:7025]
> :OUTPUT ACCEPT [72:6769]
>
> -A PREROUTING -d MYMACHINE -p udp -m udp --dport 27960 -j DNAT \
>                            --to-destination OTHERMACHINE:30000
>
> -A POSTROUTING -d OTHERMACHINE -p udp -m udp --dport 30000
> -j SNAT \
>                            --to-source MYMACHINE
>
> -A OUTPUT -d MYMACHINE -p udp -m udp --dport 27960 -j DNAT \
>                            --to-destination OTHERMACHINE:30000
>

If you are matching "-p udp --dport 27960", then why do you use "-m
udp" ?
It seems to me that if "-p udp --dport 27960" matches, it is already
more restrictive than "-m udp".
Could someone tell me when I would want to use "-m udp" ? I searched a
bit and found a lot of scripts using it but didn't find anything that
explains it.

The following works for me (I don't need an OUTPUT rule in the nat
table) :
iptables -A FORWARD -d <pc2-ip> -p udp --dport 30000 -j ACCEPT
ipatbles -t nat -A PREROUTING -d <inet-ip> -p udp --dport 27960 -j
DNAT --to-destination <pc2-ip>:30000


Rob

Re: "iptables: Invalid argument" with kernel 2.4.20

[Joel Newkirk]

On Monday 16 December 2002 11:25 am, cees-bart wrote:
> hi all,

> -A OUTPUT -d MYMACHINE -p udp -m udp --dport 27960 -j DNAT \
>                            --to-destination OTHERMACHINE:30000

> this setup works fine on kernel 2.4.19 with iptables 1.2.6a.
>
> BUT, the last rule (OUTPUT) fails with message "iptables: Invalid
> argument" when running under 2.4.20.
>
> i tried iptables 1.2.7a as well, but the result is the same.
>
> am i doing something wrong?

Have you tried manually creating the rule, or are you restoring from a 
save made with the earlier version?  Since you list it in a save format, 
(dated November 12) and said it won't load, this strikes me as likely.  
I don't know, but it's possible this won't work.  Just try a:

/sbin/iptables -t nat -A OUTPUT -d MYMACHING -p udp --dport 27960 \
	-j DNAT --to OTHERMACHINE:30000

and see if it accepts it.  If so, then there must have been some change 
in the save file structure or handling (possibly fixing a flaw) that 
prevents newer netfilter form restoring from the older save.

If you require the ability to use the same save under both versions, it's 
possible that saving from the new will be restorable in the old, even if 
the reverse turns out to be broken.

j

Re: "iptables: Invalid argument" with kernel 2.4.20

[Anders Fugmann]

Rob Sterenborg wrote:
> Could someone tell me when I would want to use "-m udp" ? I searched a
> bit and found a lot of scripts using it but didn't find anything that
> explains it.
The '-m' flag means match extentions. '--protocol udp' implicit loads 
the match extentions for the udp protocol, and thus:
'iptables -p udp', is the same as iptables -p udp -m udp'. See 'match 
extentions' in the iptables manpage for more information.

Regards
Anders Fugmann
--
Author of FIAIF
FIAIF is an intelligent firewall
http://fiaif.fugmann.dhs.org

Re: "iptables: Invalid argument" with kernel 2.4.20

[cees-bart]

On Mon, 16 Dec 2002, Joel Newkirk wrote:

> On Monday 16 December 2002 11:25 am, cees-bart wrote:
> > hi all,
> 
> > -A OUTPUT -d MYMACHINE -p udp -m udp --dport 27960 -j DNAT \
> >                            --to-destination OTHERMACHINE:30000
> 
> > this setup works fine on kernel 2.4.19 with iptables 1.2.6a.
> >
> > BUT, the last rule (OUTPUT) fails with message "iptables: Invalid
> > argument" when running under 2.4.20.
> 
> Have you tried manually creating the rule, or are you restoring from a 
> save made with the earlier version?  

i tried both, and i found my mistake:

i forgot to enable CONFIG_IP_NF_NAT_LOCAL in the kernel.
sorry for the trouble.

bye,
cees-bart