[ubuntu] Ubuntu problem with iptables won't add changes



xtrmsound
September 8th, 2010, 09:05 PM
Hi

I am trying to add squid to my server that runs Ubuntu 8.04 server edition and set it as transparent.

I tried some guides. This one (http://www.ubuntugeek.com/how-to-setup-transparent-squid-proxy-server-in-ubuntu.html/comment-page-2#comment-36893), for example.

*Network settings were set as in the guides.

Everything seems great. But when I type the iptables command it's like nothing is added to /etc/iptables.up.rules; only Webmin adds lines.
I really want to see how adding these commands shows up in Webmin's Linux Firewall menu.


iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

After typing these commands nothing is shown in the file mentioned above, Webmin is still without any change, and of course it doesn't work.

Even the simple NAT didn't work; only when I set it via Webmin did it work and add the line for NAT. The commands need to add port redirection but none are shown.

Maybe webmin is causing it?

Thanks

arrrghhh
September 8th, 2010, 09:15 PM
Are you issuing the commands with "sudo" in front? It's required to pass commands as root.

xtrmsound
September 8th, 2010, 09:20 PM
Before writing these commands I am in su mode:

sudo su

I write the password and then I can do whatever I want without sudo on everything.

Right?

File before writing the command:


# Generated by iptables-save v1.3.8 on Wed Sep 8 15:46:50 2010
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Sep 8 15:46:50 2010
# Generated by iptables-save v1.3.8 on Wed Sep 8 15:46:50 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Sep 8 15:46:50 2010
# Generated by iptables-save v1.3.8 on Wed Sep 8 15:46:50 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Sep 8 15:46:50 2010


After writing the commands above:


# Generated by iptables-save v1.3.8 on Wed Sep 8 15:46:50 2010
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Sep 8 15:46:50 2010
# Generated by iptables-save v1.3.8 on Wed Sep 8 15:46:50 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Sep 8 15:46:50 2010
# Generated by iptables-save v1.3.8 on Wed Sep 8 15:46:50 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Sep 8 15:46:50 2010

arrrghhh
September 8th, 2010, 09:43 PM
I'd just use UFW. Or actually put sudo in front of the commands... it's never a good idea to sudo su. I didn't even think that worked in Ubuntu.

xtrmsound
September 8th, 2010, 09:51 PM
Tried with and without sudo, same issue.

I am not looking for an alternative because iptables is a huge deal in Linux. And I want to learn it. I just want to know why it didn't add these lines.
Even in Ubuntu server 10.4 it doesn't add it.

Maybe it's because of this guide (http://www.howtoforge.com/virtual-hosting-with-proftpd-and-mysql-ubuntu-8.04); it changed something crucial? Maybe Webmin?

Look at these lines that I ran:



/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
Thanks

arrrghhh
September 9th, 2010, 01:20 AM
Here's (https://help.ubuntu.com/community/IptablesHowTo) the documentation for iptables as it applies to Ubuntu...

If you're learning Linux for a job, you probably should learn something other than Ubuntu... Most companies don't run it, they use SLES or RHEL.

CharlesA
September 9th, 2010, 02:13 AM
For the rules to appear in the "Linux Firewall" area of Webmin, they need to be in /etc/iptables.up.rules

If you add rules manually with iptables, then they won't show up.

Running this:


sudo iptables -L

Will list all rules in effect.

arrrghhh
September 9th, 2010, 04:18 AM
For the rules to appear in the "Linux Firewall" area of Webmin, they need to be in /etc/iptables.up.rules

If you add rules manually with iptables, then they won't show up.

Running this:


sudo iptables -L

Will list all rules in effect.

Ha, thanks again Charles. This shows my ignorance of how iptables works... I've definitely seen that command before. I'm not sure why it slipped me! :redface:

xtrmsound
September 9th, 2010, 11:44 AM
Thanks

But still no go.



root@ubuntu:/home/almog# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@ubuntu:/home/almog# iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
root@ubuntu:/home/almog# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



As you can see everything is the same. I can't see any new rule or anything changed.

Why? How can I fix it?

I will take the command and learn it to use it in a CLI mode. But still it would be great if someone can upload the command above in Webmin's interface.

And "arrrghhh", as you can see I am still learning it; I am sure in the future I will try these distros. But thanks.

CharlesA
September 9th, 2010, 12:28 PM
As far as I know, the iptables -L command lists only the filter chain by default. You need to run the command like so:


sudo iptables -L -t nat

Which returns:


Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

That iptables rule for NAT doesn't look right. I'll play around with setting it up via that guide and see what it looks like in webmin.
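
The point in the post above, that `iptables -L` with no `-t` shows only the filter table while the transparent-proxy rules live in the nat table, is easy to verify against an `iptables-save` dump such as /etc/iptables.up.rules. The script below is an added example and not part of this thread or of Webmin; it splits a dump into tables and counts the `-A` rules in each. The dump embedded in it is constructed for the example (it is the thread's two PREROUTING rules as iptables-save would print them), and `live_count` is a hypothetical helper that needs root and a working `iptables-save`.

```shell
#!/bin/sh
# Added example: inspect an iptables-save dump one table at a time, so
# rules added with "iptables -t nat ..." are not mistaken for missing
# just because "iptables -L" (filter table only) does not list them.

# Constructed sample dump (not taken from the poster's machine): the two
# PREROUTING rules from the thread, in iptables-save format.
SAMPLE_DUMP='# Generated by iptables-save v1.3.8
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
'

# table_rules TABLE
# Reads an iptables-save dump on stdin and prints only the "-A" rule
# lines that sit between "*TABLE" and the next "COMMIT".
table_rules() {
    awk -v want="*$1" '
        $0 == want                 { in_table = 1; next }
        in_table && $0 == "COMMIT" { in_table = 0 }
        in_table && /^-A /         { print }
    '
}

# count_rules TABLE
# Number of rules in TABLE of the dump on stdin (0 when the table is empty
# or absent), printed without the leading spaces some wc versions emit.
count_rules() {
    table_rules "$1" | wc -l | tr -d ' '
}

# has_rule TABLE PATTERN
# Succeeds when TABLE of the dump on stdin contains a rule matching PATTERN.
has_rule() {
    table_rules "$1" | grep -q -- "$2"
}

# live_count TABLE  (hypothetical helper; needs root and netfilter)
# Same check against the running kernel instead of a saved file.
live_count() {
    iptables-save | count_rules "$1"
}

# Demonstration on the constructed dump: filter is empty, nat holds both rules.
printf '%s' "$SAMPLE_DUMP" | table_rules nat
```

Running `iptables` only changes the kernel's ruleset; nothing writes /etc/iptables.up.rules for you. To make the file (and Webmin's Linux Firewall view of it) match the running rules, dump them with `iptables-save > /etc/iptables.up.rules` as root, then check the nat section with `table_rules nat < /etc/iptables.up.rules`.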

CharlesA
September 9th, 2010, 04:15 PM
I followed the guide and got it to work fine using 192.168.1.30/24 for eth0 and 192.168.2.1 for eth1.

I've attached iptables.up.rules and squid.conf that work for me inside conf.zip.

You need to set the ip address of any client to 192.168.2.xx/24 with a gateway of the squid server.

xtrmsound
September 9th, 2010, 09:54 PM
As far as I know, the iptables -L command lists only the filter chain by default. You need to run the command like so:


sudo iptables -L -t nat

Which returns:




root@ubuntu:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:192.168.0.1:3128
DNAT tcp -- anywhere anywhere tcp dpt:www to:192.168.0.1:3128

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


This is what I am getting. So it does work.