Missing iptables_nat
#1
I tried to configure my tinkerboard as a wireless router with TinkerOs 1.4.
The installation of hostapd and dnsmasq worked well: I am able
to connect to my new local WLAN properly.

But I am not able to activate NAT for forwarding the
WLAN-requests to the ethernet. The command 
'sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'
ends with an error message: 
'can't initialize iptables table `nat': Table does not exist (do you need to insmod?)'

Reinstalling iptables did not help.
In some forums (discussing this error) it is advised to rebuild the kernel,
as iptables_nat should be part of it, but without source code this
is not really an option...

Has anyone ideas how to solve this problem?
Or do I have to wait for TinkerOs 1.x and hope NAT will be included?
Reply
#2
Are you sure that the iptables service is up and running?

# sudo systemctl status iptables.service
● iptables.service - Packet Filtering Framework
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Fri 2017-03-24 23:53:55 UTC; 1 day 23h ago
  Process: 412 ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules (code=exited, status=0/SUCCESS)
 Main PID: 412 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/iptables.service


  Else (start service and enable on boot):
# sudo systemctl start iptables.service
# sudo systemctl enable iptables.service



EDIT:
Stupid suggestion, it should work anyway.
Are you sure that the kernel module is loaded?

Verify with:
# lsmod | grep iptable
iptable_mangle         16384  0
iptable_nat            16384  1
nf_nat_ipv4            16384  1 iptable_nat
iptable_filter         16384  1
ip_tables              24576  3 iptable_mangle,iptable_filter,iptable_nat
x_tables               28672  7 ipt_REJECT,iptable_mangle,ip_tables,iptable_filter,xt_tcpudp,ipt_MASQUERADE,xt_conntrack


Or it may be due to a stale kernel, for example if you have just updated the kernel package but not yet rebooted the system.
Reply
#3
No, the kernel module is not loaded :-(
'sudo systemctl status iptables.service' results in the message
'iptables.service
  Loaded: not-found (Reason: No such file or directory)
  Active: inactive (dead)'

I can enter ' sudo iptables -A FORWARD -o eth0 -i wlan0 -m conntrack --ctstate NEW -j ACCEPT'
and the rule will be listed (sudo iptables --list).

Starting the service with 'sudo systemctl start iptables.service' does not work
(Unit iptables.service not found).

I have done 'apt-get update' and 'apt-get upgrade' and rebooted. Perhaps the upgrade
was the problem?
I will try it again with an image from stock (V1.4) and post the results.

Are the services running in your environment???
Reply
#4
Now I tried it with a new image from scratch (20170223-tinker-board-linaro-jessie-alip-v14.img)
but got the same results: no support for NAT and no kernel modules for iptables :-(
Reply
#5
I'm sorry, you're right.
 Just tested on my tinker and it simply can't work... There are no kernel modules on filesystem.


 After googling a little, it may be due to a design choice; they seem to be excluded from the kernel. There are similar bugs about linaro filed and fixed some years ago, so it couldn't be incidental.
 So I think there are no "quick & dirty" solutions...
Reply
#6
(03-27-2017, 06:07 PM)frakka Wrote: I'm sorry, you're right.
 Just tested on my tinker and it simply can't work... There are no kernel modules on filesystem.


 After googling a little, it may be due to a design choice; they seem to be excluded from the kernel. There are similar bugs about linaro filed and fixed some years ago, so it couldn't be incidental.
 So I think there are no "quick & dirty" solutions...


As far as I know, there is no way to have kernel module support with the rockchip/linaro development image.
This is the default netfilter kernel config section for the development image, so there is no need to load any module as they are included in your kernel:

Code:
#
# IP: Netfilter Configuration
#
CONFIG_NF_DEFRAG_IPV4=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_NF_DUP_IPV4 is not set
# CONFIG_NF_LOG_ARP is not set
# CONFIG_NF_LOG_IPV4 is not set
CONFIG_NF_REJECT_IPV4=y
CONFIG_NF_NAT_IPV4=y
CONFIG_NF_NAT_MASQUERADE_IPV4=y
# CONFIG_NF_NAT_PPTP is not set
# CONFIG_NF_NAT_H323 is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_AH is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_RPFILTER is not set
# CONFIG_IP_NF_MATCH_TTL is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_SYNPROXY is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_MANGLE=y
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_TTL is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_SECURITY is not set
# CONFIG_IP_NF_ARPTABLES is not set


I suppose it lacks some systemd service file for iptables! It might work with this one:
https://github.com/Sirtea/iptables-init-debian
It appears to work on mine ???
Code:
root@linaro-alip:/home/linaro# service iptables status
● iptables.service - LSB: Iptables
  Loaded: loaded (/etc/init.d/iptables; generated; vendor preset: enabled)
  Active: active (exited) since Mon 2017-03-27 19:22:06 UTC; 6min ago
    Docs: man:systemd-sysv-generator(8)
 Process: 14556 ExecStart=/etc/init.d/iptables start (code=exited, status=0/SUC
Reply
#7
Could you please check if you are able to execute the following command without errors?
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Thanks!
Reply
#8
You can install the missing systemd services by installing the "iptables-persistent" package:

sudo apt-get install iptables-persistent

root@asus:~# systemctl status netfilter-persistent.service
● netfilter-persistent.service - netfilter persistent configuration
Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; vendor preset: enabled)
Active: active (exited) since Sun 2016-05-22 00:31:31 CEST; 10 months 5 days ago
Main PID: 1035 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/netfilter-persistent.service

May 22 00:31:31 asus netfilter-persistent[1035]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
May 22 00:31:31 asus netfilter-persistent[1035]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
May 22 00:31:31 asus netfilter-persistent[1035]: Warning: skipping IPv6 (no rules to load)

Where "/usr/share/netfilter-persistent/plugins.d/15-ip4tables" simply runs iptables-save/restore.

But the nat table is still missing on my TinkerOS (1.4 with updates but not dist-upgraded).

I thought that the missing module is something equivalent to what is named "nf_nat_ipv4" on my Arch linux desktop/server. I expected to find the available modules in something like "/lib/modules/`uname -r`" but it only contains a broken ln and a few modules.
Reply
#9
(03-27-2017, 09:50 PM)Morkin Wrote: Could you please check if you are able to execute the following command without errors?
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Thanks!

No error with your command with rockchip development image. However, I don't have wifi module working so you would need to build the wifi module for such kernel.
Reply
#10
With the new TinkerOs V1.6, iptables_nat should be integrated in the kernel.
But it seems that there are other kernel modules missing that I need for NAT.

The command 'sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'
now results in the error message 'iptables: No chain/target/match by that name.'

So even with V1.6 it is not possible for me to configure a wireless router.
Reply
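
The thread shows two different failures of the same MASQUERADE command and, in post #6, a kernel config where the netfilter pieces are built in (=y) rather than shipped as modules. As an added example (not code from any poster or from TinkerOS), this script reports the state of those options in a kernel config file and maps each of the two quoted error messages to the option most likely absent; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel config for the options
# behind: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Symbol names copied from the netfilter listing in post #6; other kernel
# versions may name them differently.
NAT_SYMBOLS="CONFIG_NF_CONNTRACK_IPV4 CONFIG_NF_NAT_IPV4 CONFIG_NF_NAT_MASQUERADE_IPV4
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE"

# kconfig_state SYMBOL FILE: print y (built in), m (module) or missing.
kconfig_state() {
    val=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2" | head -n 1)
    echo "${val:-missing}"
}

# nat_kconfig_report FILE: one "SYMBOL state" line each; status 1 if any is missing.
nat_kconfig_report() {
    rc=0
    for sym in $NAT_SYMBOLS; do
        state=$(kconfig_state "$sym" "$1")
        echo "$sym $state"
        if [ "$state" = missing ]; then rc=1; fi
    done
    return "$rc"
}

# explain_iptables_error MESSAGE: map the two errors quoted in the thread to
# the option most likely absent for this particular command.
explain_iptables_error() {
    case "$1" in
        *"Table does not exist"*) echo CONFIG_IP_NF_NAT ;;
        *"No chain/target/match by that name"*) echo CONFIG_IP_NF_TARGET_MASQUERADE ;;
        *) echo unknown ;;
    esac
}

# Constructed sample: a config with the nat table but no MASQUERADE target.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_NAT_IPV4=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_NAT=m
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
EOF
nat_kconfig_report "$sample" || echo "NAT masquerading not fully supported by this config"
```

On a live board, pass it /boot/config-$(uname -r) or a decompressed copy of /proc/config.gz, if the kernel exposes either. An option reported as m still needs its module file present under /lib/modules, which is what post #8 found lacking.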

