LeHardi n00b
Joined: 02 Oct 2005 Posts: 37
Posted: Tue Oct 18, 2005 9:31 pm Post subject: iptables: No chain/target/match by that name
Hi!
I got this error (iptables: No chain/target/match by that name) trying to apply guarddog changes. I've read some docs and:
1) compiled all iptables options into the kernel
Code: |
#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_UNIX=y
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
CONFIG_IP_ROUTE_MULTIPATH_RR=m
CONFIG_IP_ROUTE_MULTIPATH_RANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_DRR=m
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_ARPD=y
CONFIG_SYN_COOKIES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=y
CONFIG_IP_TCPDIAG=y
CONFIG_IP_TCPDIAG_IPV6=y
CONFIG_TCP_CONG_ADVANCED=y
#
# TCP congestion control
#
CONFIG_TCP_CONG_BIC=y
CONFIG_TCP_CONG_WESTWOOD=m
CONFIG_TCP_CONG_HTCP=m
CONFIG_TCP_CONG_HSTCP=m
CONFIG_TCP_CONG_HYBLA=m
CONFIG_TCP_CONG_VEGAS=m
CONFIG_TCP_CONG_SCALABLE=m
#
# IP: Virtual Server Configuration
#
# CONFIG_IP_VS is not set
CONFIG_IPV6=y
# CONFIG_IPV6_PRIVACY is not set
# CONFIG_INET6_AH is not set
# CONFIG_INET6_ESP is not set
# CONFIG_INET6_IPCOMP is not set
# CONFIG_INET6_TUNNEL is not set
# CONFIG_IPV6_TUNNEL is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_SCTP=m
CONFIG_IP_NF_MATCH_COMMENT=m
CONFIG_IP_NF_MATCH_CONNMARK=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_CONNMARK=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
#
# IPv6: Netfilter Configuration (EXPERIMENTAL)
#
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
CONFIG_IP6_NF_RAW=m
#
# SCTP Configuration (EXPERIMENTAL)
#
# CONFIG_IP_SCTP is not set
# CONFIG_ATM is not set
# CONFIG_BRIDGE is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_DECNET is not set
CONFIG_LLC=m
# CONFIG_LLC2 is not set
CONFIG_IPX=m
CONFIG_IPX_INTERN=y
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_NET_DIVERT is not set
# CONFIG_ECONET is not set
CONFIG_WAN_ROUTER=m
# CONFIG_NET_SCHED is not set
# CONFIG_NET_SCH_CLK_JIFFIES is not set
# CONFIG_NET_SCH_CLK_GETTIMEOFDAY is not set
# CONFIG_NET_SCH_CLK_CPU is not set
CONFIG_NET_CLS_ROUTE=y
|
2) re-emerged iptables. And no results. Errors in the iptables script? Something else... I don't know what I can do anymore. Are there any other options that must be checked in the kernel config?
--
LeHardi
Last edited by LeHardi on Wed Oct 19, 2005 12:06 am; edited 1 time in total
geeojr n00b
Joined: 11 Feb 2003 Posts: 15 Location: Missouri, USA
Posted: Tue Oct 18, 2005 9:40 pm Post subject: Re: iptables: No chain/target/match by that name
LeHardi wrote: | I got this error (iptables: No chain/target/match by that name) trying to apply guarddog changes. |
You compiled netfilter as modules. Have you checked that the appropriate modules are loaded? What is the output of
LeHardi n00b
Joined: 02 Oct 2005 Posts: 37
Posted: Tue Oct 18, 2005 9:59 pm Post subject: Re: iptables: No chain/target/match by that name
geeojr wrote: | LeHardi wrote: | I got this error (iptables: No chain/target/match by that name) trying to apply guarddog changes. |
You compiled netfilter as modules. Have you checked that the appropriate modules are loaded? What is the output of |
It is:
Code: |
Rincewind bin # lsmod
Module Size Used by
ip_nat_irc 3008 0
ip_nat_ftp 4032 0
iptable_mangle 3200 1
ipt_LOG 7424 0
ipt_MASQUERADE 4160 1
iptable_nat 23996 4 ip_nat_irc,ip_nat_ftp,ipt_MASQUERADE
ipt_TOS 2880 0
ipt_REJECT 5248 0
ip_conntrack_irc 72112 1 ip_nat_irc
ip_conntrack_ftp 72816 1 ip_nat_ftp
ipt_state 2368 0
ip_conntrack 45276 7 ip_nat_irc,ip_nat_ftp,ipt_MASQUERADE,iptable_nat,ip_conntrack_irc,ip_conntrack_ftp,ipt_state
iptable_filter 3328 0
ip_tables 21696 8 iptable_mangle,ipt_LOG,ipt_MASQUERADE,iptable_nat,ipt_TOS,ipt_REJECT,ipt_state,iptable_filter
nvidia 4052860 0
eagle_usb 125312 0
|
--
LeHardi
LeHardi n00b
Joined: 02 Oct 2005 Posts: 37
Posted: Tue Oct 18, 2005 10:41 pm
And here is the set of my iptables rules. The script was generated from http://easyfwgen.morizot.net/gen/
Maybe it can help...
Code: |
#!/bin/sh
SYSCTL="/sbin/sysctl -w"
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"
INET_IFACE="ppp0"
LOCAL_IFACE="eth0"
LOCAL_IP="192.168.0.1"
LOCAL_NET="192.168.0.0/24"
LOCAL_BCAST="192.168.0.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"
if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTS > /etc/sysconfig/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTR < /etc/sysconfig/iptables
echo "done"
exit 0
fi
echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_forward
else
$SYSCTL net.ipv4.ip_forward="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
$SYSCTL net.ipv4.tcp_syncookies="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
$SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
$SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
$SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
$SYSCTL net.ipv4.conf.all.log_martians="1"
fi
echo "Flushing Tables ..."
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
echo "Firewall completely flushed! Now running with no firewall."
exit 0
fi
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
echo "Create and populate custom rule chains ..."
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
--log-prefix "Illegal source: "
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
--log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
--log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -p ICMP -j RETURN
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
-j ACCEPT
$IPT -A udp_inbound -p UDP -j RETURN
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
$IPT -A tcp_inbound -p TCP -j RETURN
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
# INPUT Chain
echo "Process INPUT chain ..."
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 \
-j ACCEPT
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "INPUT packet died: "
echo "Process FORWARD chain ..."
$IPT -A FORWARD -p ALL -j bad_packets
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "FORWARD packet died: "
echo "Process OUTPUT chain ..."
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "OUTPUT packet died: "
echo "Load rules for nat table ..."
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
echo "Load rules for mangle table ... "
|
--
LeHardi
Last edited by LeHardi on Wed Oct 19, 2005 12:07 am; edited 1 time in total
geeojr n00b
Joined: 11 Feb 2003 Posts: 15 Location: Missouri, USA
Posted: Tue Oct 18, 2005 11:09 pm
Post the full output from running this script. That will help us narrow down the offending line(s).
LeHardi n00b
Joined: 02 Oct 2005 Posts: 37
Posted: Tue Oct 18, 2005 11:36 pm
geeojr wrote: | Post the full output from running this script. That will help us narrow down the offending line(s). |
So here it is:
Code: |
Rincewind init.d # ./iptables start
Loading kernel modules ...
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
Create and populate custom rule chains ...
Process INPUT chain ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
Process FORWARD chain ...
iptables: No chain/target/match by that name
Process OUTPUT chain ...
iptables: No chain/target/match by that name
Load rules for nat table ...
Load rules for mangle table ...
|
--
LeHardi
geeojr n00b
Joined: 11 Feb 2003 Posts: 15 Location: Missouri, USA
Posted: Wed Oct 19, 2005 12:29 am
The trick at this point is to figure out which $IPT line is the problem. I don't see any obvious patterns. Here are my ideas; the last one is the best, so try it first.
1. Try uncommenting all of the "# /sbin/modprobe <modules>" lines at the top of the script. Maybe one isn't being autoloaded.
2. I ran this script on a machine where I have iptables compiled into the kernel and it ran without problems. If you have the option to re-compile with iptables compiled into the kernel, that might help too. BTW, which kernel are you running?
3. Edit your script; let's make it so that we can see which line causes the error. Find the line which reads
Code: | IPT="/sbin/iptables" |
change it to read
Code: | IPT="iptables"
function iptables() {
echo "${@}"
/sbin/iptables "${@}"
} |
This will output each command as it is run. The lines which are causing the errors will display before each error. Then we can fix that problem.
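The tracing idea in step 3 above, written out as an added example (this is not geeojr's code, nor part of the easyfwgen or guarddog scripts): the wrapper still echoes every command before running it, but it also records the exit status of each call, keeps the text of the last failing command and can report a summary at the end, so the offending rule is named explicitly rather than having to be read off from the line printed just before the error. The names IPT_BIN, trace_run, ipt and trace_summary are assumptions made here.

```shell
#!/bin/sh
# Added example: a tracing wrapper for a firewall script. Replace
#   IPT="/sbin/iptables"
# with
#   IPT=ipt
# and every "$IPT ..." line in the script is echoed, run, and checked.
# IPT_BIN is an assumed variable: the real binary, or a stand-in for testing.
IPT_BIN="${IPT_BIN:-/sbin/iptables}"

TRACE_COUNT=0      # commands run so far
TRACE_FAILED=0     # commands that returned a non-zero status
TRACE_LAST_FAIL="" # text of the most recent failing command

# trace_run CMD [ARGS...]: echo the command, run it, remember the result,
# and return the command's own exit status so the caller can still react.
trace_run() {
    TRACE_COUNT=$((TRACE_COUNT + 1))
    echo "[$TRACE_COUNT] $*"
    "$@"
    _status=$?
    if [ "$_status" -ne 0 ]; then
        TRACE_FAILED=$((TRACE_FAILED + 1))
        TRACE_LAST_FAIL="$*"
        # The failing rule is named right next to the error it produced.
        echo "[$TRACE_COUNT] FAILED (exit $_status): $*" >&2
    fi
    return "$_status"
}

# ipt: drop-in replacement for "$IPT" inside the firewall script.
ipt() {
    trace_run "$IPT_BIN" "$@"
}

# trace_summary: print the totals; exit status 0 only if nothing failed,
# which makes it usable as the last line of the script.
trace_summary() {
    echo "$TRACE_COUNT commands run, $TRACE_FAILED failed"
    if [ "$TRACE_FAILED" -ne 0 ]; then
        echo "last failure: $TRACE_LAST_FAIL" >&2
    fi
    [ "$TRACE_FAILED" -eq 0 ]
}
```

Because trace_run passes the exit status through, a script that already uses `set -e` stops at the first bad rule with its text printed, and one that does not can call trace_summary at the end to see how many rules were rejected and which one was last.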
LeHardi n00b
Joined: 02 Oct 2005 Posts: 37
Posted: Wed Oct 19, 2005 11:50 am
geeojr wrote: |
3. Edit your script; let's make it so that we can see which line causes the error. Find the line which reads
Code: | IPT="/sbin/iptables" |
change it to read
Code: | IPT="iptables"
function iptables() {
echo "${@}"
/sbin/iptables "${@}"
} |
This will output each command as it is run. The lines which are causing the errors will display before each error. Then we can fix that problem. |
Step 3. It shows that 2 modules aren't loaded: multiport and ipt_unclean.
Code: |
Loading kernel modules ...
FATAL: Module multiport not found.
FATAL: Module ipt_unclean not found.
|
Uncommenting lines from iptables doesn't show anything. My kernel is 2.6.13-r3. So have I missed some options in the kernel config? I checked all iptables and routing options, I think. So what's missing?
--
LeHardi
geeojr n00b
Joined: 11 Feb 2003 Posts: 15 Location: Missouri, USA
Posted: Wed Oct 19, 2005 12:04 pm
LeHardi wrote: | Code: |
Loading kernel modules ...
FATAL: Module multiport not found.
FATAL: Module ipt_unclean not found.
|
|
Could you post the full output of the script to give a better perspective?
LeHardi n00b
Joined: 02 Oct 2005 Posts: 37
Posted: Wed Oct 19, 2005 8:37 pm
geeojr wrote: | LeHardi wrote: | Code: |
Loading kernel modules ...
FATAL: Module multiport not found.
FATAL: Module ipt_unclean not found.
|
|
Could you post the full output of the script to give a better perspective? |
OK, here is the full output:
Code: |
Rincewind init.d # ./iptables
Loading kernel modules ...
FATAL: Module multiport not found.
FATAL: Module ipt_unclean not found.
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
Create and populate custom rule chains ...
Process INPUT chain ...
iptables: No chain/target/match by that name
Process FORWARD chain ...
Process OUTPUT chain ...
Load rules for nat table ...
Load rules for mangle table ...
|
--
LeHardi
geeojr n00b
Joined: 11 Feb 2003 Posts: 15 Location: Missouri, USA
Posted: Wed Oct 19, 2005 8:55 pm
Code: | IPT="iptables"
function iptables() {
echo "${@}"
/sbin/iptables "${@}"
} |
Is this still in your script? You should have very verbose output with this change. This is what I'd like to see the output of.
LeHardi n00b
Joined: 02 Oct 2005 Posts: 37
Posted: Wed Oct 19, 2005 9:08 pm
geeojr wrote: | Code: | IPT="iptables"
function iptables() {
echo "${@}"
/sbin/iptables "${@}"
} |
Is this still in your script?? you should have very verbose output with this change. This is what I'd like to see the output of. |
Yes, it is. I copied and pasted it to avoid making any mistakes (especially of a syntax nature). But, in this case, it didn't produce very verbose output, only 2 additional error messages about loading modules. Maybe it's weird, but it is.
EDITED: unfortunately the modules don't cause this situation: I commented out ipt_unclean - this option was probably removed from the latest 2.6.x series (as I read in the docs). Next I changed multiport to ipt_multiport - these two changes made the errors about loading modules disappear. But it's a dead end and changes nothing about my problem.
--
LeHardi
LeHardi n00b
Joined: 02 Oct 2005 Posts: 37
Posted: Thu Oct 20, 2005 1:31 pm
I've found the rule that causes this error. It's
Code: |
# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
|
What is this rule for? Does it play an important role in iptables? What's wrong with it and how can it be corrected?
--
LeHardi
LeHardi n00b
Joined: 02 Oct 2005 Posts: 37
Posted: Thu Oct 20, 2005 7:55 pm
LeHardi wrote: | Code: | $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP |
What is this rule for? Does it play an important role in iptables? What's wrong with it and how can it be corrected? |
I added a line in the iptables script to load the ipt_pkttype module and the error disappeared. Unfortunately iptables still doesn't work; when it is turned on it breaks all Internet connections. Is there any very simple set of filtering rules to check if iptables works OK? Any suggestions?
Applying rules with guarddog doesn't change this situation; iptables stops all Internet traffic too.
--
LeHardi
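The cause the thread converges on, a match or target (here pkttype, earlier limit) built as a module that is not loaded when the script runs, can be checked before the script is run rather than one "No chain/target/match by that name" at a time. The following is an added example, not code from the thread, from guarddog or from easyfwgen: it scans a firewall script for the -m, -j and -t options, derives the module names used by the 2.6.13-era kernel in this thread (ipt_<match>, ipt_<TARGET>, iptable_<table>; ACCEPT, DROP, RETURN, QUEUE and chains created with -N are built in) and lists the ones absent from lsmod output. The function names and the sample script and lsmod text are constructed here; later kernels name most of these modules xt_<name>, which the check accepts as an alias, and it does not model dependencies such as ip_conntrack for the state match.

```shell
#!/bin/sh
# Added example: which netfilter modules does a firewall script need that
# lsmod does not show? Usage: missing_netfilter_modules RULES_FILE LSMOD_FILE
# Prints one missing module name per line, sorted; prints nothing if all are loaded.
missing_netfilter_modules() {
    rules="$1"
    lsmod_out="$2"
    awk '
        # First file: lsmod output; the first column is the module name.
        FILENAME == ARGV[1] { loaded[$1] = 1; next }
        # Second file: the rules script. Collect chains and needed names.
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-N") chain[$(i+1)] = 1
                else if ($i == "-m") need["ipt_" $(i+1)] = 1
                else if ($i == "-t") need["iptable_" $(i+1)] = 1
                else if ($i == "-j") target[$(i+1)] = 1
            }
            # A rule or policy line without -t operates on the filter table.
            if ($0 ~ /(^|[ \t])-(A|I|P|N)[ \t]/ && $0 !~ /(^|[ \t])-t[ \t]/)
                need["iptable_filter"] = 1
        }
        END {
            for (t in target) {
                if (t == "ACCEPT" || t == "DROP" || t == "RETURN" || t == "QUEUE") continue
                if (t in chain) continue      # user chain, not a module
                need["ipt_" t] = 1
            }
            for (m in need) {
                alt = m; sub(/^ipt_/, "xt_", alt)   # newer naming, accepted as alias
                if (!(m in loaded) && !(alt in loaded)) print m
            }
        }
    ' "$lsmod_out" "$rules" | sort
}

# demo_missing_modules: run the check on constructed input modelled on this
# thread (state, LOG, REJECT and MASQUERADE loaded; limit and pkttype not).
demo_missing_modules() {
    tmp=$(mktemp -d) || return 1
    # Constructed lsmod output (not a capture from a real machine).
    cat > "$tmp/lsmod.txt" <<'EOF'
Module                  Size  Used by
ipt_MASQUERADE          4160  1
iptable_nat            23996  1 ipt_MASQUERADE
ipt_REJECT              5248  0
ipt_LOG                 7424  0
ipt_state               2368  0
ip_conntrack           45276  3 ipt_MASQUERADE,iptable_nat,ipt_state
iptable_mangle          3200  0
iptable_filter          3328  0
ip_tables              21696  6 ipt_MASQUERADE,iptable_nat,ipt_REJECT,ipt_LOG,ipt_state,iptable_mangle,iptable_filter
EOF
    # Constructed excerpt in the style of the posted firewall script.
    cat > "$tmp/rules.sh" <<'EOF'
IPT="/sbin/iptables"
$IPT -N bad_packets
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "INPUT packet died: "
$IPT -A INPUT -p tcp --dport 113 -j REJECT
$IPT -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
EOF
    result=$(missing_netfilter_modules "$tmp/rules.sh" "$tmp/lsmod.txt")
    rm -rf "$tmp"
    printf '%s\n' "$result"
}
```

On a live box the two arguments would be the firewall script and a file written with `lsmod > /tmp/lsmod.txt`; each name the function prints is a candidate for a `modprobe` line at the top of the script, or for a missing `CONFIG_IP_NF_MATCH_*` / `CONFIG_IP_NF_TARGET_*` option if modprobe cannot find it either. For the constructed input above the output is `ipt_limit` and `ipt_pkttype`, the two modules behind the errors in this thread.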