* Help with invalid argument
From: Dennis Cardinale @ 2002-07-06  2:03 UTC
To: netfilter

I have Mandrake Linux 8.2 (kernel 2.4.18) installed in a box I use as a
router for my DSL connection. I use a firewall script that I have been
running since 2.4.3 using netfilter. Lately, I have had a need to run
Netmeeting from behind my router, so I pom'd the h323 conntrack and rebuilt
my kernel. Here are the steps I used:

    cd /usr/src
    cp -R linux-2.4.18-6mdk linux-2.4.18-6h323  #copy old src installation
    ln -s linux-2.4.18-6h323 linux              #link to new source tree
    cd linux
    vi Makefile                      #and change EXTRAVERSION = -6h323
    make mrproper                    #clean (also erases .config)
    cp arch/i386/defconfig .config   #restore Mandrake default configuration
    make oldconfig
    make dep
    cd /root/pom/netfilter/userspace #POM userspace
    make patch-o-matic
      apply:
        arptables
        config-cleanup
        conntrack+nat-helper-unregister
        ip_conntrack_protocol_unregister
        macro-trailing-semicolon-fix
        nat-export_symbols
        netfilter-arp
        REJECT-don't fragment
        pptp_conntrack_nat           #just in case
        h323_conntrack_nat           #this patch done last
    cd /usr/src/linux
    make oldconfig                   #answer <m>odule for pptp & h323
    make dep
    make clean
    make bzImage && make modules && make modules_install
    make install   #Mandrake automated script for setting up /boot & lilo
    lilo
    cd /root/pom/netfilter/userspace
    make install all                 #install netfilter stuff

and reboot!

The new kernel boots fine. Unfortunately, the following happens:

    [root@...]# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10.0/24 -j SNAT --to-source $INET_IP
    iptables: Invalid Argument

The same happens if I change SNAT to MASQUERADE (w/o --to-source).

If I do:

    [root@...]# iptables -t nat -I POSTROUTING 1 -o eth0 -s 192.168.10.0/24 -j SNAT --to-source $INET_IP
    iptables: Target Problem

I've spent hours on Google & found similar problems with different targets,
but not exactly this one.

The rest of the firewall script runs fine. This is the only problem I have.

The following modules are loaded, by the way:

    ip_nat_h323
    ip_conntrack_h323
    ip_nat_ftp
    ip_conntrack_ftp
    ipt_LOG
    ipt_MASQUERADE
    iptable_nat
    ip_conntrack
    iptable_filter
    iptable_mangle
    ip_tables

Please keep in mind that the SNAT target worked just fine (for a very long
time) until I pom'd the kernel. Now I can't nat at all, even if I unload the
h323 stuff. All I can do to make things work is to reboot into the old
kernel.

I would like to get the h323 to work. All help would be appreciated.

Thank you,
Dennis Cardinale

* RE: Help with invalid argument
From: Dennis Cardinale @ 2002-07-06 16:31 UTC
To: Netfilter Mailing List

OK...solved my own problem.

    userspace/make install all

does not copy the new iptables binaries to the /sbin directory.

Is there a script to do this? Can I do it manually? Is there a way to do it
so that the binaries used are compatible with the chosen kernel at boot
time?

Thanks.

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Dennis Cardinale
Sent: Friday, July 05, 2002 10:03 PM
To: netfilter@lists.samba.org
Subject: Help with invalid argument

I have Mandrake Linux 8.2 (kernel 2.4.18) installed in a box I use as a
router for my DSL connection. I use a firewall script that I have been
running since 2.4.3 using netfilter. Lately, I have had a need to run
Netmeeting from behind my router, so I pom'd the h323 conntrack and rebuilt
my kernel. Here are the steps I used:

    cd /usr/src
    cp -R linux-2.4.18-6mdk linux-2.4.18-6h323  #copy old src installation
    ln -s linux-2.4.18-6h323 linux              #link to new source tree
    cd linux
    vi Makefile                      #and change EXTRAVERSION = -6h323
    make mrproper                    #clean (also erases .config)
    cp arch/i386/defconfig .config   #restore Mandrake default configuration
    make oldconfig
    make dep
    cd /root/pom/netfilter/userspace #POM userspace
    make patch-o-matic
      apply:
        arptables
        config-cleanup
        conntrack+nat-helper-unregister
        ip_conntrack_protocol_unregister
        macro-trailing-semicolon-fix
        nat-export_symbols
        netfilter-arp
        REJECT-don't fragment
        pptp_conntrack_nat           #just in case
        h323_conntrack_nat           #this patch done last
    cd /usr/src/linux
    make oldconfig                   #answer <m>odule for pptp & h323
    make dep
    make clean
    make bzImage && make modules && make modules_install
    make install   #Mandrake automated script for setting up /boot & lilo
    lilo
    cd /root/pom/netfilter/userspace
    make install all                 #install netfilter stuff

and reboot!

The new kernel boots fine. Unfortunately, the following happens:

    [root@...]# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10.0/24 -j SNAT --to-source $INET_IP
    iptables: Invalid Argument

The same happens if I change SNAT to MASQUERADE (w/o --to-source).

If I do:

    [root@...]# iptables -t nat -I POSTROUTING 1 -o eth0 -s 192.168.10.0/24 -j SNAT --to-source $INET_IP
    iptables: Target Problem

I've spent hours on Google & found similar problems with different targets,
but not exactly this one.

The rest of the firewall script runs fine. This is the only problem I have.

The following modules are loaded, by the way:

    ip_nat_h323
    ip_conntrack_h323
    ip_nat_ftp
    ip_conntrack_ftp
    ipt_LOG
    ipt_MASQUERADE
    iptable_nat
    ip_conntrack
    iptable_filter
    iptable_mangle
    ip_tables

Please keep in mind that the SNAT target worked just fine (for a very long
time) until I pom'd the kernel. Now I can't nat at all, even if I unload the
h323 stuff. All I can do to make things work is to reboot into the old
kernel.

I would like to get the h323 to work. All help would be appreciated.

Thank you,
Dennis Cardinale

* Re: Help with invalid argument
From: Jack Bowling @ 2002-07-06 16:38 UTC
To: netfilter

** Reply to message from Dennis Cardinale <dennis@core-enterprises.com> on
Sat, 06 Jul 2002 12:31:21 -0400

> OK...solved my own problem.
>
> userspace/make install all
>
> does not copy the new iptables binaries to the /sbin directory.
>
> Is there a script to do this? Can I do it manually? Is there a way to do it
> so that the binaries used are compatible with the chosen kernel at boot
> time?

Just edit this section of the Makefile in your iptables source top directory
to the following:

    #PREFIX:=/usr/local
    LIBDIR:=/lib
    BINDIR:=/sbin
    MANDIR:=/usr/share/man
    INCDIR:=/usr/include

before you do the make and make install.

jb

* RE: Help with invalid argument
From: Dennis Cardinale @ 2002-07-06 16:44 UTC
To: Netfilter Mailing List

what happens if I boot the old kernel?

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Jack Bowling
Sent: Saturday, July 06, 2002 12:38 PM
To: netfilter@lists.samba.org
Subject: Re: Help with invalid argument

** Reply to message from Dennis Cardinale <dennis@core-enterprises.com> on
Sat, 06 Jul 2002 12:31:21 -0400

> OK...solved my own problem.
>
> userspace/make install all
>
> does not copy the new iptables binaries to the /sbin directory.
>
> Is there a script to do this? Can I do it manually? Is there a way to do it
> so that the binaries used are compatible with the chosen kernel at boot
> time?

Just edit this section of the Makefile in your iptables source top directory
to the following:

    #PREFIX:=/usr/local
    LIBDIR:=/lib
    BINDIR:=/sbin
    MANDIR:=/usr/share/man
    INCDIR:=/usr/include

before you do the make and make install.

jb

* Re: Help with invalid argument
From: Jack Bowling @ 2002-07-06 18:31 UTC
To: netfilter

** Reply to message from Dennis Cardinale <dennis@core-enterprises.com> on
Sat, 06 Jul 2002 12:44:56 -0400

> what happens if I boot the old kernel?
>
> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org]On Behalf Of Jack Bowling
> Sent: Saturday, July 06, 2002 12:38 PM
> To: netfilter@lists.samba.org
> Subject: Re: Help with invalid argument
>
>
> ** Reply to message from Dennis Cardinale <dennis@core-enterprises.com> on
> Sat, 06 Jul 2002 12:31:21 -0400
>
> > OK...solved my own problem.
> >
> > userspace/make install all
> >
> > does not copy the new iptables binaries to the /sbin directory.
> >
> > Is there a script to do this? Can I do it manually? Is there a way to do it
> > so that the binaries used are compatible with the chosen kernel at boot
> > time?
>
> Just edit this section of the Makefile in your iptables source top directory
> to the following:
>
> #PREFIX:=/usr/local
> LIBDIR:=/lib
> BINDIR:=/sbin
> MANDIR:=/usr/share/man
> INCDIR:=/usr/include
>
> before you do the make and make install.

The above Makefile only controls where the userspace part of iptables goes
during the make install. The netfilter kernel modules are added to the
kernel source when you do the "make most-of-pom", etc. Then you have to
compile your kernel source again. If you have already compiled the kernel
source using the same iptables code then you just have to run the make
install again (with the edited prefixes) to put the userspace stuff in the
right place. It may be an idea to go into the /usr/local directory and clean
out all the stuff that was placed in there by the previous make install just
to avoid possible clashes.

jb

* RE: Help with invalid argument
From: Dennis Cardinale @ 2002-07-06 19:20 UTC
To: Netfilter Mailing List

Thanks for the help, Jack. Everything is working fine now.

In regard to the last message, I'll rephrase the question:

If the netfilter userspace tools that now occupy /sbin are compiled from
current netfilter CVS source tree, will they still execute properly when
called from within the framework of the prior kernel (before pomming it)?

You do not need to answer the question. As soon as I have time, I'll reboot
the old kernel and try it myself.

I've been running Linux for about a year now, and, actually I am pretty
proud of the small amount of knowledge I have gained over that time.
Occasionally, though, I get frustrated trying to piece together all of the
scattered information trying to get something (i.e. H323) to work.

BTW, I've noticed that I can initiate netmeeting calls from behind my
router, but others cannot call me (they wind up calling 192.168.x.x, which
obviously does not exist on the internet). I assume this is because of the
limitations of ip_conntrack_h323 (that I think I read about). This will not
normally be a problem for me, as most of the calling (by my wife, to
Ecuador) can be initiated elsewhere. The only inconvenience would be if I
wanted to netmeeting with my business partner, who is also behind a linux
router/firewall. I assume that this is what OpenH323Gatekeeper is for. Does
anyone know if a gatekeeper can be run simultaneously with
ip_conntrack_h323 so that both situations work?

Thanks again.

Dennis

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Jack Bowling
Sent: Saturday, July 06, 2002 2:32 PM
To: netfilter@lists.samba.org
Subject: Re: Help with invalid argument

** Reply to message from Dennis Cardinale <dennis@core-enterprises.com> on
Sat, 06 Jul 2002 12:44:56 -0400

> what happens if I boot the old kernel?
>
> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org]On Behalf Of Jack Bowling
> Sent: Saturday, July 06, 2002 12:38 PM
> To: netfilter@lists.samba.org
> Subject: Re: Help with invalid argument
>
>
> ** Reply to message from Dennis Cardinale <dennis@core-enterprises.com> on
> Sat, 06 Jul 2002 12:31:21 -0400
>
> > OK...solved my own problem.
> >
> > userspace/make install all
> >
> > does not copy the new iptables binaries to the /sbin directory.
> >
> > Is there a script to do this? Can I do it manually? Is there a way to do it
> > so that the binaries used are compatible with the chosen kernel at boot
> > time?
>
> Just edit this section of the Makefile in your iptables source top directory
> to the following:
>
> #PREFIX:=/usr/local
> LIBDIR:=/lib
> BINDIR:=/sbin
> MANDIR:=/usr/share/man
> INCDIR:=/usr/include
>
> before you do the make and make install.

The above Makefile only controls where the userspace part of iptables goes
during the make install. The netfilter kernel modules are added to the
kernel source when you do the "make most-of-pom", etc. Then you have to
compile your kernel source again. If you have already compiled the kernel
source using the same iptables code then you just have to run the make
install again (with the edited prefixes) to put the userspace stuff in the
right place. It may be an idea to go into the /usr/local directory and clean
out all the stuff that was placed in there by the previous make install just
to avoid possible clashes.

jb

* Re: Help with invalid argument
From: Jack Bowling @ 2002-07-06 19:57 UTC
To: netfilter

** Reply to message from Dennis Cardinale <dennis@core-enterprises.com> on
Sat, 06 Jul 2002 15:20:24 -0400

> Thanks for the help, Jack. Everything is working fine now.
>
> In regard to the last message, I'll rephrase the question:
>
> If the netfilter userspace tools that now occupy /sbin are compiled from
> current netfilter CVS source tree, will they still execute properly when
> called from within the framework of the prior kernel (before pomming it)?
>
> You do not need to answer the question. As soon as I have time, I'll reboot
> the old kernel and try it myself.

<snip>

I'll answer anyway: some of the modules may work but if any of them have
been recoded in any way, then you run the risk of the modules not working,
or even worse, not working such that it may leave you vulnerable somehow if
it really breaks. It is always wise to recompile the kernel with the same
version of netfilter code as your userspace iptables modules.

jb

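The condition this thread ran into (a freshly built iptables installed under /usr/local while the shell still runs the older copy in /sbin) can be checked by walking the search path and comparing what each copy reports. This is an added example, not part of the original messages; the fake_iptables stub, the directory tree and the version strings are constructed for the demonstration.

```shell
#!/bin/sh
# Find every iptables binary on a PATH-style list and flag copies whose
# reported version differs from the one the shell would actually run.

# Print "path<TAB>version" for each executable iptables, in lookup order.
iptables_copies() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        IFS=$old_ifs
        [ -n "$dir" ] || continue          # skip empty PATH entries
        bin=$dir/iptables
        if [ -f "$bin" ] && [ -x "$bin" ]; then
            ver=$("$bin" --version 2>/dev/null | head -n 1)
            printf '%s\t%s\n' "$bin" "${ver:-unknown}"
        fi
    done
    IFS=$old_ifs
}

# Return 0 and name each mismatched copy when versions differ; 1 otherwise.
iptables_clash() {
    iptables_copies "$1" | awk -F '\t' '
        NR == 1   { active = $1; ver = $2; next }
        $2 != ver { printf "%s (%s) is shadowed by %s (%s)\n", $1, $2, active, ver
                    bad = 1 }
        END       { exit (bad ? 0 : 1) }'
}

# Constructed stand-in for an installed binary: prints a fixed version string.
fake_iptables() {   # usage: fake_iptables DIR VERSION
    mkdir -p "$1"
    printf '#!/bin/sh\necho "iptables v%s"\n' "$2" > "$1/iptables"
    chmod +x "$1/iptables"
}

# Demo on a constructed tree mirroring the thread: the old copy in sbin is
# found first, the freshly built one sits in usr/local/sbin.
demo() {
    root=$(mktemp -d)
    fake_iptables "$root/sbin" "0.0.1-old"             # constructed versions
    fake_iptables "$root/usr/local/sbin" "0.0.2-new"
    rc=0
    iptables_clash "$root/sbin:$root/usr/local/sbin" || rc=$?
    rm -rf "$root"
    return $rc
}
demo
```

On a real router, call iptables_clash with the actual search path, for example "/sbin:/usr/sbin:/usr/local/sbin"; a reported mismatch means the userspace tool being run was not built from the same netfilter code as the one just installed.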