an annoying question

an annoying question

[Richard Bown]

Hi All
Just subscribed to this list, I'm sure this question has been asked many
times by now , but can someone tell me the major differences between
iptables for a 2.4.x kernel and a 2.6.x kernel.
Or point me in the direction of reading material I can understand.

I suspect from the results I've seen running 2.6.2 with iptables-1.2.9
that the handling of DNAT & SNAT is very different.

TIA
Richard
-- 
Richard Bown <richard.bown@blueyonder.co.uk>

Re: an annoying question

[Cedric Blancher]

Le mer 11/02/2004 à 22:53, Richard Bown a écrit :
> I suspect from the results I've seen running 2.6.2 with iptables-1.2.9
> that the handling of DNAT & SNAT is very different.

Afaik, from a user point of vue, there's no difference between 2.4 and
2.6. I'm using a 2.6.1 kernel on which all the scripts I've written for
2.4 kernels are working just the way they did before, for filtering,
mangling and nating...

What kind of results makes you believe there are major differences on
NAT handling ?

One big difference is bridge interfaces handling, as physical interfaces
cannot get matched using -i/-o switches anymore (br0 is seen through
them) so you have to use physdev match.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread! 

Re: an annoying question

[Richard Bown]

On Wed, 2004-02-11 at 22:14, Cedric Blancher wrote:
> Le mer 11/02/2004 à 22:53, Richard Bown a écrit :
> > I suspect from the results I've seen running 2.6.2 with iptables-1.2.9
> > that the handling of DNAT & SNAT is very different.
> 
> Afaik, from a user point of vue, there's no difference between 2.4 and
> 2.6. I'm using a 2.6.1 kernel on which all the scripts I've written for
> 2.4 kernels are working just the way they did before, for filtering,
> mangling and nating...
> 
> What kind of results makes you believe there are major differences on
> NAT handling ?
> 
Hi Cedric
I'm using MDK 9.2 and iptables-1.2.9-4mdk plus shorewall 1.4.8-3mdk with
kernel 2.4.22-26mddk


when trying to run with kernel -2.6.2 shorewall stopped after an iptable
invalid argument o n a rule starting DNAT.
That rule was hashed out and all rules loaded , until the masq section
which again halted shorewall.
I tried an iptables -F to flush out all rules and allow networking but
no avail.
I really would like to knoqw whats happening so I understand what to do.

Richard 
> One big difference is bridge interfaces handling, as physical interfaces
> cannot get matched using -i/-o switches anymore (br0 is seen through
> them) so you have to use physdev match.
-- 
Richard Bown <richard.bown@blueyonder.co.uk>

RE: an annoying question

[Carl Farrington]

If you've got patched netfilter code (possibly pptp_nat helpers with it being shorewall) it might be that you need to recompile the iptables userspace tools. I had to do this as I was getting : Invalid Argument.

> -----Original Message-----
> From: Richard Bown [mailto:richard.bown@blueyonder.co.uk]
> Sent: 12 February 2004 00:11
> To: Cedric Blancher
> Cc: netfilter@lists.netfilter.org
> Subject: Re: an annoying question
> 
> On Wed, 2004-02-11 at 22:14, Cedric Blancher wrote:
> > Le mer 11/02/2004 à 22:53, Richard Bown a écrit :
> > > I suspect from the results I've seen running 2.6.2 with iptables-1.2.9
> > > that the handling of DNAT & SNAT is very different.
> >
> > Afaik, from a user point of vue, there's no difference between 2.4 and
> > 2.6. I'm using a 2.6.1 kernel on which all the scripts I've written for
> > 2.4 kernels are working just the way they did before, for filtering,
> > mangling and nating...
> >
> > What kind of results makes you believe there are major differences on
> > NAT handling ?
> >
> Hi Cedric
> I'm using MDK 9.2 and iptables-1.2.9-4mdk plus shorewall 1.4.8-3mdk with
> kernel 2.4.22-26mddk
> 
> 
> when trying to run with kernel -2.6.2 shorewall stopped after an iptable
> invalid argument o n a rule starting DNAT.
> That rule was hashed out and all rules loaded , until the masq section
> which again halted shorewall.
> I tried an iptables -F to flush out all rules and allow networking but
> no avail.
> I really would like to knoqw whats happening so I understand what to do.
> 
> Richard
> > One big difference is bridge interfaces handling, as physical interfaces
> > cannot get matched using -i/-o switches anymore (br0 is seen through
> > them) so you have to use physdev match.
> --
> Richard Bown <richard.bown@blueyonder.co.uk>
> 

Re: an annoying question

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 1787 bytes --]

On Thu, 2004-02-12 at 02:10, Richard Bown wrote:
> On Wed, 2004-02-11 at 22:14, Cedric Blancher wrote:
> > Le mer 11/02/2004 à 22:53, Richard Bown a écrit :
> > > I suspect from the results I've seen running 2.6.2 with iptables-1.2.9
> > > that the handling of DNAT & SNAT is very different.
> > 
> > Afaik, from a user point of vue, there's no difference between 2.4 and
> > 2.6. I'm using a 2.6.1 kernel on which all the scripts I've written for
> > 2.4 kernels are working just the way they did before, for filtering,
> > mangling and nating...
> > 
> > What kind of results makes you believe there are major differences on
> > NAT handling ?
> > 
> Hi Cedric
> I'm using MDK 9.2 and iptables-1.2.9-4mdk plus shorewall 1.4.8-3mdk with
> kernel 2.4.22-26mddk
> 
> 
> when trying to run with kernel -2.6.2 shorewall stopped after an iptable
> invalid argument o n a rule starting DNAT.
> That rule was hashed out and all rules loaded , until the masq section
> which again halted shorewall.
Sounds like your kernel config doesn't have MASQ and/or NAT support. You
need to recompile the kernel with those options included.

> I tried an iptables -F to flush out all rules and allow networking but
> no avail.
> I really would like to knoqw whats happening so I understand what to do.
> 
> Richard 
> > One big difference is bridge interfaces handling, as physical interfaces
> > cannot get matched using -i/-o switches anymore (br0 is seen through
> > them) so you have to use physdev match.
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]