* Fw: Upgrading kernel 2.4.26 cuts out DNAT --to rules.....!!??
@ 2005-02-02 16:02 Emilio Lombardo
2005-02-02 16:20 ` Jason Opperisano
0 siblings, 1 reply; 4+ messages in thread
From: Emilio Lombardo @ 2005-02-02 16:02 UTC (permalink / raw)
To: RODRlGO, netfilter
----- Original Message -----
From: Emilio Lombardo
To: netfilter@lists.netfilter.org ; rodrigo.garcia@gmail.com
Sent: Wednesday, February 02, 2005 1:47 PM
Subject: Upgrading kernel 2.4.26 cuts out DNAT --to rules.....!!??
Hi to all the list!
This is my first post and I'm quite a newbie at netfilter/iptables... I'm working as a net administrator from Brazil, so I apologize now for any English errors I may make... ;-)
I have a Debian Linux distribution, the kernel 2.6.4, and we had the task of making various simultaneous VPN GRE connections,
because before we had a problem and couldn't make more than one PPTP connection at a time
passing through the firewall (iptables version 1.2.7).
So what we did was upgrading to iptables 1.2.11 on kernel 2.4.26 and recompiling it within patch-o-matic, and it worked out!
Now we have various simultaneous VPNs on the GRE protocol working perfectly through the firewall without any problem (and of course it really was the firewall, because we tested the VPNs bypassing it and they all worked together...).
Well... now, when everything looked to be working, while debugging the internal rules we saw that any attempt to add a "DNAT --to" always got an answer of
Invalid Argument... the same rules that were working before! And here came the problem...
How is it possible for us to make both (the VPNs and the DNAT --to rules) work together? Is there any Linux guru :-) who can lend a hand and help us find a way out of this maze?
Thanks a lot for any help!
Regards,
Emilio
* Re: Fw: Upgrading kernel 2.4.26 cuts out DNAT --to rules.....!!??
2005-02-02 16:02 Fw: Upgrading kernel 2.4.26 cuts out DNAT --to rules.....!!?? Emilio Lombardo
@ 2005-02-02 16:20 ` Jason Opperisano
2005-02-02 18:51 ` Emilio Lombardo
0 siblings, 1 reply; 4+ messages in thread
From: Jason Opperisano @ 2005-02-02 16:20 UTC (permalink / raw)
To: netfilter
On Wed, Feb 02, 2005 at 02:02:51PM -0200, Emilio Lombardo wrote:
> So what we did was upgrading to iptables 1.2.11 on kernel 2.4.26 and recompiling it within patch-o-matic, and it worked out!
> Now we have various simultaneous VPNs on the GRE protocol working perfectly through the firewall without any problem (and of course it really was the firewall, because we tested the VPNs bypassing it and they all worked together...).
> Well... now, when everything looked to be working, while debugging the internal rules we saw that any attempt to add a "DNAT --to" always got an answer of
> Invalid Argument... the same rules that were working before! And here came the problem...
> How is it possible for us to make both (the VPNs and the DNAT --to rules) work together? Is there any Linux guru :-) who can lend a hand and help us find a way out of this maze?

it sounds like you didn't compile iptables *after* applying POM and
recompiling your kernel. steps are:

  apply patches from POM
  recompile kernel
  recompile iptables

-j
--
"Simpson, Homer Simpson, he's the greatest guy in his-tor-y. From
the town of Springfield, he's about to hit a chestnut tree....D'oh!"
--The Simpsons
* Re: Fw: Upgrading kernel 2.4.26 cuts out DNAT --to rules.....!!??
2005-02-02 16:20 ` Jason Opperisano
@ 2005-02-02 18:51 ` Emilio Lombardo
0 siblings, 0 replies; 4+ messages in thread
From: Emilio Lombardo @ 2005-02-02 18:51 UTC (permalink / raw)
To: RODRlGO, netfilter, Jason Opperisano
Thanks Jason :-)
This procedure you gave is exactly what the people did...
I'm beginning to think that the bug could originate from the fact that
we installed the new iptables on top of the other one, and probably this merging
didn't fit well, or some /bin directory of the old one is still there.
The idea was to remove all the iptables content and reinstall the new
one with apt-get after having deleted everything manually.
Do you think it may work out?
I hope so... :-)
Any suggestion is welcome!
Thanks again!!
* RE: Fw: Upgrading kernel 2.4.26 cuts out DNAT --to rules.....!!??
@ 2005-02-02 18:54 Gary W. Smith
0 siblings, 0 replies; 4+ messages in thread
From: Gary W. Smith @ 2005-02-02 18:54 UTC (permalink / raw)
To: Emilio Lombardo, RODRlGO, netfilter, Jason Opperisano
But did they recompile iptables against the correct kernel headers? The
default compile of iptables will use the old headers that will contain
the old structure that is causing the problems in the first place.
Compile them against the ones that you modified with patch-o-matic.
This got me the first time as well some months ago.
Gary Smith
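
Added example, not part of the original thread: a pre-build check for the two causes suggested in the messages above (iptables built against a header tree other than the patched kernel's, and a leftover older iptables binary). It assumes a 2.4-style tree whose include/linux/version.h defines UTS_RELEASE; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the demo tree are constructed.
# Assumes a 2.4-style tree: include/linux/version.h defines UTS_RELEASE.

# Print the kernel release a header tree was configured for.
headers_release() {
    sed -n 's/^#define[[:space:]]*UTS_RELEASE[[:space:]]*"\(.*\)".*/\1/p' \
        "$1/include/linux/version.h" 2>/dev/null
}

# Succeed only if the tree's release equals the given kernel release.
tree_matches_kernel() {
    tree_rel=$(headers_release "$1") || return 1
    [ -n "$tree_rel" ] && [ "$tree_rel" = "$2" ]
}

# Count executable iptables binaries in the listed directories; more than
# one means an older copy may still be the one that gets run.
count_iptables_copies() {
    n=0
    for d in "$@"; do
        if [ -x "$d/iptables" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed demo: fake header tree for 2.4.26 and two fake install dirs.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/linux/include/linux" "$tmp/sbin" "$tmp/usr/local/sbin"
    printf '#define UTS_RELEASE "2.4.26"\n' \
        > "$tmp/linux/include/linux/version.h"
    for d in "$tmp/sbin" "$tmp/usr/local/sbin"; do
        : > "$d/iptables" && chmod +x "$d/iptables"
    done
    for rel in 2.4.26 2.4.18; do
        if tree_matches_kernel "$tmp/linux" "$rel"; then
            echo "$rel: headers match, build with make KERNEL_DIR=<tree>"
        else
            echo "$rel: header tree is for $(headers_release "$tmp/linux")"
        fi
    done
    echo "iptables copies: $(count_iptables_copies "$tmp/sbin" "$tmp/usr/local/sbin")"
    rm -rf "$tmp"
}

demo
```

On a real system, pass the patched source tree and `$(uname -r)` to `tree_matches_kernel`, then give that same tree to the iptables build through its `KERNEL_DIR` make variable.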