Iptables does not load the nat table [SOLVED]

1. Iptables does not load the nat table [SOLVED]

francisco de santana marinho
marinho.fs

(uses Ubuntu)

Posted on 28/12/2011 - 16:24

I am trying to rebuild a Squid server here at the company where I work, but every time I run the firewall rules from an existing script, which is in fact running on the old server, my iptables gives the following message:

"

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@ INICIANDO DO FIREWALL @@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


LIMPANDO AS REGRAS DO IPTABLES ------------------------ OK
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
LIBERANDO ACESSO INTERNO AO SERVIDOR------------------- OK
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ATVIANDO FIREWALL MASCARADO --------------------------- OK
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
ATIVANDO CONECTIVIDADE SOCIAL ------------------------- OK
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
ATIVANDO SQUID ---------------------------------------- OK
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
CARREGANDO PORTAS INTERNAS ---------------------------- OK
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
CARREGANDO PORTAS EXTERNA ----------------------------- OK
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
REDIRECT WTS ------------------------------------------ OK
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.8: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.
iptables: No chain/target/match by that name.

##################################
# FIREWALL CARREGADO COM SUCESSO #
##################################


"

From what I have been researching, this has to do with iptables not being able to load the 'nat' table. How can I solve this problem???


  


2. Re: Iptables does not load the nat table [SOLVED]

Phillip Vieira
phrich

(uses Slackware)

Posted on 28/12/2011 - 16:40

modprobe nf_nat

modprobe iptable_nat

Try that




3. Re: Iptables does not load the nat table [SOLVED]

francisco de santana marinho
marinho.fs

(uses Ubuntu)

Posted on 28/12/2011 - 16:42

Command output:

/sbin/modprobe: line 1: 3: command not found



4. Re: Iptables does not load the nat table [SOLVED]

Phillip Vieira
phrich

(uses Slackware)

Posted on 28/12/2011 - 16:45

Maybe your iptables is not "enabled" in the kernel. Which distro do you use?


5. Re: Iptables does not load the nat table [SOLVED]

francisco de santana marinho
marinho.fs

(uses Ubuntu)

Posted on 28/12/2011 - 16:47

Ubuntu server 11.04

uname -ar: Linux proxy 2.6.38-8-generic-pae #42-Ubuntu SMP Mon Apr 11 05:17:09 UTC 2011 i686 i686 i386 GNU/Linux


6. Re: Iptables does not load the nat table [SOLVED]

Phillip Vieira
phrich

(uses Slackware)

Posted on 28/12/2011 - 16:52

Have you already tried the command "apt-get install iptables"?


7. Re: Iptables does not load the nat table [SOLVED]

Reginaldo de Matias
saitam

(uses Slackware)

Posted on 28/12/2011 - 17:26

marinho.fs wrote:

Ubuntu server 11.04

uname -ar: Linux proxy 2.6.38-8-generic-pae #42-Ubuntu SMP Mon Apr 11 05:17:09 UTC 2011 i686 i686 i386 GNU/Linux


Install iptables
#apt-get install iptables

After it is installed, run whereis iptables to find out where it was installed and where the iptables binary is.

Test it in the terminal by typing:
iptables and /sbin/iptables followed by a rule from your script as a test, then adapt it in your script.

If it still does not work, post your firewall script here so we can analyze it.


8. Re: Iptables does not load the nat table [SOLVED]

francisco de santana marinho
marinho.fs

(uses Ubuntu)

Posted on 28/12/2011 - 18:16

iptables was already installed with apt-get install

and the same thing keeps happening

iptables v1.4.10: can't initialize iptables table `nat': Exec format error
Perhaps iptables or your kernel needs to be upgraded.


#!/bin/sh
clear
echo
echo
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo "@@@ INICIANDO DO FIREWALL @@@@@@@@@@"
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo
echo
sleep 1
#==============================================================
echo " LIMPANDO AS REGRAS DO IPTABLES ------------------------ OK"

ipt="/sbin/iptables"
int_lan="eth2"
int_ext="eth1"

echo 0 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /sbin/modprobe ip_conntrack_sip
echo 3 > /sbin/modprobe ip_nat_sip

$ipt -F
$ipt -X
$ipt -F -t nat
#===============================================================
echo " LIBERANDO ACESSO INTERNO AO SERVIDOR------------------- OK"

$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -s 0/0 -p udp -m multiport --sport 53 -j ACCEPT
$ipt -A INPUT -s 0/0 -p tcp -m multiport --sport 20,21,22,25,80,110,443,8444 -j ACCEPT
$ipt -A INPUT -s 0/0 -p tcp -m multiport --dport 20,21,22,25,80,110,443,8444 -j ACCEPT

#===============================================================

echo " ATVIANDO FIREWALL MASCARADO --------------------------- OK"
$ipt -t nat -A POSTROUTING -s 192.168.255.0/21 -o $int_ext -j MASQUERADE
$ipt -t nat -A POSTROUTING -s 192.168.254.0/21 -o $int_ext -j MASQUERADE

#===============================================================

echo " ATIVANDO CONECTIVIDADE SOCIAL ------------------------- OK"



$ipt -t nat -I PREROUTING -d 200.223.17.180/255.255.0.0 -j ACCEPT
$ipt -t nat -I PREROUTING -d 200.201.173.168/255.255.0.0 -j ACCEPT
$ipt -t nat -I PREROUTING -d 200.212.51.71/255.255.0.0 -j ACCEPT
#===============================================================

echo " ATIVANDO SQUID ---------------------------------------- OK"
$ipt -t nat -A PREROUTING -i eth2 -s 192.168.255.8 -p tcp --dport 80 -j ACCEPT
$ipt -t nat -A PREROUTING -i eth2 -s 192.168.255.6 -p tcp --dport 80 -j ACCEPT
$ipt -t nat -A PREROUTING -i eth2 -s 192.168.255.249 -p tcp --dport 8085 -j ACCEPT ####
$ipt -t nat -A PREROUTING -i eth2 -s 192.168.255.253 -p tcp --dport 80 -j ACCEPT
$ipt -t nat -A PREROUTING -i eth2 -s 192.168.255.58 -p tcp --dport 80 -j ACCEPT
$ipt -t nat -A PREROUTING -i eth2 -s 192.168.255.53 -p tcp --dport 80 -j ACCEPT
$ipt -t nat -A PREROUTING -i eth2 -s 192.168.255.26 -p tcp --dport 80 -j ACCEPT
$ipt -t nat -A PREROUTING -i eth2 -s 192.168.255.20 -p tcp --dport 80 -j ACCEPT
$ipt -t nat -A PREROUTING -i eth2 -s 192.168.255.27 -p tcp --dport 80 -j ACCEPT
$ipt -t nat -A PREROUTING -i eth2 -s 192.168.254.50 -p tcp --dport 80 -j ACCEPT
$ipt -t nat -A PREROUTING -s 192.168.255.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
$ipt -t nat -A PREROUTING -s 192.168.254.0/21 -p tcp --dport 80 -j REDIRECT --to-port 3128
#===============================================================

echo " CARREGANDO PORTAS INTERNAS ---------------------------- OK"
$ipt -A INPUT -s 127.0.0.1 -j ACCEPT
$ipt -A INPUT -s 192.168.255.0/21 -j ACCEPT
$ipt -A INPUT -s 192.168.254.0/21 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 1521 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 1522 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 3128 -j ACCEPT

#===============================================================

echo " CARREGANDO PORTAS EXTERNA ----------------------------- OK"

$ipt -A INPUT -p tcp -i $int_lan --dport 5060 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 5061 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 5060 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 5061 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 5001 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 5001 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 1521 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 1521 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 1522 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 1522 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 3389 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 20 -j ACCEPT
$ipt -A INPUT -p tCP -i $int_lan --dport 21 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 8444 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 5003 -j ACCEPT
$ipt -A INPUT -p udp -i $int_ext --dport 5003 -j ACCEPT
$ipt -A INPUT -p udp -i $int_ext --dport 5004 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 5004 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 5005 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 5005 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 5006 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 5006 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 21 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 222 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 443 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 5275 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 8085 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 8085 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 5190 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 5190 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 5191 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 5191 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 5060 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 5060 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 9080 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_lan --dport 9080 -j ACCEPT
$ipt -A FORWARD -p udp -m udp --dport 10000:20000 -j ACCEPT
$ipt -A FORWARD -p udp -m udp --dport 5060 -j ACCEPT
$ipt -A FORWARD -p tcp -m tcp --dport 5060 -j ACCEPT
$ipt -A INPUT -p tcp -i $int_ext --dport 3128 -j ACCEPT
echo " REDIRECT WTS ------------------------------------------ OK"
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 1521 -j DNAT --to-destination 192.168.254.4:1521
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 1522 -j DNAT --to-destination 192.168.255.20:1521
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 8014 -j DNAT --to-destination 192.168.255.14:80
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 5190 -j DNAT --to-destination 192.168.254.20:80
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 9080 -j DNAT --to-destination 192.168.255.249:80
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 5191 -j DNAT --to-destination 192.168.255.15:80
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 8085 -j DNAT --to-destination 192.168.255.249:8085
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 3389 -j DNAT --to-destination 192.168.255.5:3389
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 77 -j DNAT --to-destination 192.168.255.5:3389
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 5060 -j DNAT --to-destination 192.168.255.6:80
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 9091 -j DNAT --to-destination 192.168.255.6:9091
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 9090 -j DNAT --to-destination 192.168.255.6:9090
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to-destination 192.168.255.15:5222
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 5275 -j DNAT --to-destination 192.168.255.15:5275
$ipt -t nat -A PREROUTING -i eth1 -p tcp --dport 5190 -j DNAT --to-destination 192.168.254.20:80
$ipt -A OUTPUT -p tcp --syn -j ACCEPT
echo
echo "##################################"
echo "# FIREWALL CARREGADO COM SUCESSO #"
echo "##################################"
echo
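
Added example, not part of any post in this thread: the script above contains `echo 2 > /sbin/modprobe ip_conntrack_sip` and `echo 3 > /sbin/modprobe ip_nat_sip`, which the shell parses as redirections that overwrite `/sbin/modprobe` with text, matching the `/sbin/modprobe: line 1: 3: command not found` output reported in the thread. The sketch below flags such redirections in a firewall script and checks whether a file still has an ELF header; the function names `find_clobbering_redirects` and `is_elf` and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed, not from the thread.

# Print "LINE:text" for each line where an output redirection (> or >>),
# appearing before any '#', targets a file in /bin, /sbin, /usr/bin or /usr/sbin.
find_clobbering_redirects() {
    grep -nE '^[^#]*>>?[[:space:]]*/(usr/)?s?bin/' "$1"
}

# Succeed only if the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Constructed sample: the four lines before "$ipt -F" in the posted script.
sample=$(mktemp)
cat > "$sample" <<'EOF'
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /sbin/modprobe ip_conntrack_sip
echo 3 > /sbin/modprobe ip_nat_sip
EOF

echo "Redirections that overwrite a system binary:"
find_clobbering_redirects "$sample"

# Replay the last flagged line against a scratch file, never the real binary.
fake=$(mktemp)
echo 3 > "$fake" ip_nat_sip
echo "Scratch file now contains: $(cat "$fake")"
is_elf "$fake" || echo "Scratch file is plain text, not an ELF executable."

# Read-only check of the real modprobe, if one is on PATH.
mp=$(command -v modprobe 2>/dev/null) &&
    { is_elf "$mp" && echo "$mp: ELF header present" || echo "$mp: not ELF"; }
rm -f "$sample" "$fake"
```

On Debian-based systems, `dpkg -S /sbin/modprobe` shows which package owns the file so that it can be reinstalled.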


9. Re: Iptables does not load the nat table [SOLVED]

Phillip Vieira
phrich

(uses Slackware)

Posted on 28/12/2011 - 20:01

Take a look at how to compile the kernel; then you can "tweak" the iptables options, maybe that will solve it for you...


10. Re: Iptables does not load the nat table [SOLVED]

Reginaldo de Matias
saitam

(uses Slackware)

Posted on 28/12/2011 - 20:38

Try loading the iptables modules;
put this at the beginning of the firewall script:

# load modules
/sbin/modprobe ip_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_queue
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_state
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_string




11. Re: Iptables does not load the nat table [SOLVED]

francisco de santana marinho
marinho.fs

(uses Ubuntu)

Posted on 29/12/2011 - 07:47

Output of /sbin/modprobe

/sbin/modprobe: line 1: 3: command not found

I think the problem is in modprobe, because even when I run the bare command it gives this error, and from what I have been reading it is what loads the iptables modules


12. Re: Iptables does not load the nat table [SOLVED]

Phillip Vieira
phrich

(uses Slackware)

Posted on 29/12/2011 - 08:55

Man, if this is a fresh installation, install it again from scratch, because you may have made some mistake during the installation.





