Dirk.R.Gently Guru
Joined: 29 Jan 2007 Posts: 546 Location: Titan
|
Posted: Mon Jun 25, 2007 8:13 pm Post subject: [ SOLVED ] iptables: No chain/target/match by that name |
|
|
Hello all.
I am frettingly having a couple difficulties with iptables, and am hoping those who have had more experience with these types of issues might be able to help. I've been wanting to set up additional internet security for a while now so I've been following the wiki guide. The problem started when I started trying to set a few of the rules; it would return:
iptables: No chain/target/match by that name
Here's the steps I did to arrive here:
I found this configuration guide for the 2.6.16+ kernels:
http://www.shorewall.net/kernel.htm
So my kernel is setup like this:
Code: | Networking --->
Networking options --->
[*] Network packet filtering framework (Netfilter) --->
Core Netfilter Configuration --->
<M> Netfilter netlink interface
<M> Netfilter NFQUEUE over NFNETLINK interface
<M> Netfilter LOG over NFNETLINK interface
< > Netfilter connection tracking support
--- Netfilter Xtables support (required for ip_tables)
<M> "CLASSIFY" target support
<M> "DSCP" target support
<M> "MARK" target support
<M> "NFQUEUE" target Support
<M> "NFLOG" target support
<M> "TCPMSS" target support
<M> "comment" match support
<M> "DCCP" protocol match support
<M> "DSCP" match support
<M> "ESP" match support
<M> "length" match support
<M> "limit" match support
<M> "mac" address match support
<M> "mark" match support
<M> IPsec "policy" match support
<M> Multiple port match support
<M> "pkttype" packet type match support
<M> "quota" match support
<M> "realm" match support
<M> "sctp" protocol match support (EXPERIMENTAL)
<M> "statistic" match support
<M> "string" match support
<M> "tcpmss" match support
<M> "hashlimit" match support
[*] Network packet filtering framework (Netfilter) --->
IP: Netfilter Configuration --->
< > IP Userspace queueing via NETLINK (OBSOLETE)
<M> IP tables support (required for filtering/masq/NAT)
<M> IP range match support
<M> TOS match support
<M> recent match support
<M> ECN match support
<M> AH match support
<M> TTL match support
<M> Owner match support
<M> address type match support
<M> Packet filtering
<M> REJECT target support
<M> LOG target support
<M> ULOG target support
<M> Packet mangling
<M> TOS target support
<M> ECN target support
<M> TTL target support
<M> raw table support (required for NOTRACK/TRACE)
<M> ARP tables support
<M> ARP packet filtering
<M> ARP payload mangling |
Then I modprobed and put into /etc/modules.autoload.d/kernel-2.6 ip_tables and iptable_filter. Then I inserted the starting ruleset into /etc/iptables.bak which is this:
Code: | # Generated by iptables-save v1.2.11 on Tue May 10 08:06:58 2005
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# ftp / webserver related
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Windows / Samba
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
# up to 5 Bit-torrent connections
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6886 -j ACCEPT
# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue May 10 08:06:58 2005 |
Then when I tried iptables-restore to set the new ruleset it returned:
iptables-restore: line 34 failed
That's the COMMIT line, so that makes me believe that this is missing a rule? If I tried to insert these rules via the command line this is what I see:
Code: | iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name
iptables -A open -p tcp --dport 22 -j ACCEPT
iptables: No chain/target/match by that name |
The only thing I can think of is that I need to load another module, this is all the modules of netfilter:
Code: | /lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ipt_addrtype.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ipt_ah.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ipt_ecn.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/arp_tables.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ip_tables.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ipt_recent.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ipt_ULOG.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/arpt_mangle.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ipt_tos.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ipt_ttl.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ipt_REJECT.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/iptable_filter.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ipt_ECN.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ipt_LOG.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/arptable_filter.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ipt_iprange.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/iptable_mangle.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ipt_owner.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ipt_TOS.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/ipt_TTL.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/ipv4/netfilter/iptable_raw.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/nfnetlink_queue.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_esp.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_hashlimit.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_pkttype.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_mac.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_dccp.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_quota.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_realm.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_DSCP.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_CLASSIFY.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_limit.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_MARK.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_sctp.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_dscp.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_string.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_mark.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_tcpmss.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/nfnetlink.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_comment.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/nfnetlink_log.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_NFLOG.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_length.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_multiport.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_TCPMSS.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_policy.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_statistic.ko
/lib/modules/2.6.22-rc5-macbook-coreduo/kernel/net/netfilter/xt_NFQUEUE.ko |
Do I need more than the ip_tables iptable_filter as modules? I've done a few kernel rebuilds lately. The only thing I haven't tried is building these modules into the kernel. What do you think possibly is wrong?
Last edited by Dirk.R.Gently on Mon Jul 02, 2007 9:53 pm; edited 1 time in total |
|
SnakeByte Apprentice
Joined: 04 Oct 2002 Posts: 177 Location: Europe - Germany
|
Posted: Mon Jun 25, 2007 8:44 pm Post subject: Re: iptables: No chain/target/match by that name |
|
|
Dirk.R.Gently wrote: | Hello all...
Code: | iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name
iptables -A open -p tcp --dport 22 -j ACCEPT
iptables: No chain/target/match by that name |
|
The symbol NETFILTER_XT_MATCH_STATE is missing and also your post did not list the "state" match option.
Check again if it is missing in the menuconfig, or the .config file.
regards
PS:
I remember having a similar issue when moving to 2.6.21 |
|
gsoe Apprentice
Joined: 10 Dec 2006 Posts: 289 Location: Denmark
|
Posted: Mon Jun 25, 2007 8:56 pm Post subject: |
|
|
Yes, these are the kernel-2.6.21 modules I use when it's needed to state- and protocol-match:
Code: | MODULES="x_tables ip_tables iptable-filter ipt_REJECT xt_tcpudp \
nf_conntrack nf_conntrack_ipv4 xt_state"
|
|
|
Dirk.R.Gently Guru
Joined: 29 Jan 2007 Posts: 546 Location: Titan
|
Posted: Fri Jun 29, 2007 8:10 pm Post subject: |
|
|
Ah, I probably just simply needed connection tracking support it looks like in the Core Netfilter section.
Code: |
<M> Netfilter netlink interface
<M> Netfilter NFQUEUE over NFNETLINK interface
<M> Netfilter LOG over NFNETLINK interface
<M> Netfilter connection tracking support
--- Connection tracking flow accounting
--- Connection mark tracking support
[*] Connection tracking events (EXPERIMENTAL)
<M> SCTP protocol connection tracking support (EXPERIMENTAL)
<M> Amanda backup protocol support
<M> FTP protocol support
<M> H.323 protocol support (EXPERIMENTAL)
<M> IRC protocol support
<M> NetBIOS name service protocol support (EXPERIMENTAL)
<M> PPtP protocol support
<M> SANE protocol support (EXPERIMENTAL)
<M> SIP protocol support (EXPERIMENTAL)
<M> TFTP protocol support
<M> Connection tracking netlink interface (EXPERIMENTAL)
--- Netfilter Xtables support (required for ip_tables)
<M> "CLASSIFY" target support
<M> "CONNMARK" target support
<M> "DSCP" target support
<M> "MARK" target support
<M> "NFQUEUE" target Support
<M> "NFLOG" target support
<M> "NOTRACK" target support
<M> "TCPMSS" target support
<M> "comment" match support
<M> "connbytes" per-connection counter match support
<M> "connmark" connection mark match support
<M> "conntrack" connection tracking match support
<M> "DCCP" protocol match support
<M> "DSCP" match support
<M> "ESP" match support
<M> "helper" match support
<M> "length" match support
<M> "limit" match support
<M> "mac" address match support
<M> "mark" match support
<M> IPsec "policy" match support
<M> Multiple port match support
<M> "pkttype" packet type match support
<M> "quota" match support
<M> "realm" match support
<M> "sctp" protocol match support (EXPERIMENTAL)
<M> "state" match support
<M> "statistic" match support
<M> "string" match support
<M> "tcpmss" match support
<M> "hashlimit" match support |
I'll try this in the afternoon. |
|
Dirk.R.Gently Guru
Joined: 29 Jan 2007 Posts: 546 Location: Titan
|
Posted: Mon Jul 02, 2007 9:52 pm Post subject: |
|
|
Alright, that did it. Sorry to waste your time. |
|
lonegd Apprentice
Joined: 07 Dec 2003 Posts: 185 Location: UK
|
Posted: Sat Aug 11, 2007 10:59 am Post subject: iptables: No chain/target/match by that name |
|
|
I've just upgraded a kernel from 2.6.9 to 2.6.21 ( using make oldconfig ) and iptables is now not recognising the state?
Code: |
chilli linux # grep -i state /var/lib/iptables/rules-save
[6642:458164] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
chilli linux # iptables -A INPUT -m state --state RELATED,ESTABLISHED
iptables: No chain/target/match by that name
chilli linux # cat /proc/net/ip_tables_matches
iprange
icmp
length
udplite
udp
tcp
chilli linux # grep -i state /usr/src/linux-2.6.21-gentoo-r4/.config
CONFIG_NETFILTER_XT_MATCH_STATE=y
|
There used to be a kernel option called CONFIG_IP_NF_MATCH_STATE=y but I cannot find it??
Code: |
chilli linux # grep _NF_ .config
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK_SUPPORT=y
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CT_ACCT=y
# CONFIG_NF_CONNTRACK_MARK is not set
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CT_PROTO_SCTP is not set
CONFIG_NF_CONNTRACK_AMANDA=y
CONFIG_NF_CONNTRACK_FTP=y
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
CONFIG_NF_CONNTRACK_TFTP=y
# CONFIG_NF_CT_NETLINK is not set
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_AH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_NF_NAT is not set
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_TTL=y
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set
|
_________________ Mark Cooper
http://pvrhw.goldfish.org/ - Open Source PVR Hardware Database |
|
nixnut Bodhisattva
Joined: 09 Apr 2004 Posts: 10974 Location: the dutch mountains
|
Posted: Sat Aug 11, 2007 11:28 am Post subject: |
|
|
merged above post here. |
|
didymos Advocate
Joined: 10 Oct 2005 Posts: 4798 Location: California
|
Posted: Sat Aug 11, 2007 11:38 am Post subject: Re: iptables: No chain/target/match by that name |
|
|
lonegd wrote: |
Code: |
CONFIG_NETFILTER_XT_MATCH_STATE=y
|
|
What about the rest of the CONFIG_NETFILTER_XT_* settings? _________________ Thomas S. Howard |
|
SinoTech Advocate
Joined: 20 Mar 2004 Posts: 2579 Location: Neunkirchen / Saarland / Germany
|
Posted: Sat Aug 11, 2007 11:39 am Post subject: |
|
|
There was a change somewhere between kernels 2.6.15 and 2.6.16. You now need to enable "xtables" support in the kernel, which is not done by "make oldconfig":
Code: |
-> Networking
-> Networking support (NET [=y])
-> Networking options
-> Network packet filtering framework (Netfilter) (NETFILTER [=y])
-> Core Netfilter Configuration
<*> Netfilter Xtables support (required for ip_tables)
|
Cheers,
Sino |
|
lonegd Apprentice
Joined: 07 Dec 2003 Posts: 185 Location: UK
|
Posted: Sat Aug 11, 2007 11:56 am Post subject: |
|
|
Rest of the CONFIG_NETFILTER_XT_* settings ...
Code: |
chilli linux # grep _XT_ .config
# CONFIG_NETFILTER_XT_TARGET_CLASSIFY is not set
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
# CONFIG_NETFILTER_XT_TARGET_DSCP is not set
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
# CONFIG_NETFILTER_XT_TARGET_NFLOG is not set
# CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_COMMENT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set
# CONFIG_NETFILTER_XT_MATCH_CONNMARK is not set
# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set
# CONFIG_NETFILTER_XT_MATCH_DCCP is not set
# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_MAC is not set
CONFIG_NETFILTER_XT_MATCH_MARK=y
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
# CONFIG_NETFILTER_XT_MATCH_PKTTYPE is not set
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
# CONFIG_NETFILTER_XT_MATCH_STRING is not set
# CONFIG_NETFILTER_XT_MATCH_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
|
_________________ Mark Cooper
http://pvrhw.goldfish.org/ - Open Source PVR Hardware Database |
|
lonegd Apprentice
Joined: 07 Dec 2003 Posts: 185 Location: UK
|
Posted: Sat Aug 11, 2007 12:48 pm Post subject: Solved ... ?? |
|
|
OK, I appear to have 'fixed' my problem ....
I had to select:-
Code: |
( ) Layer 3 Independent Connection tracking
(X) Layer 3 Dependent Connection tracking (OBSOLETE)
|
and iptables state matching is now working..
Code: |
chilli ~ # grep state /proc/net/ip_tables_matches
state
chilli ~ # grep CONNTRACK /usr/src/linux-2.6.21-gentoo-r4/.config
CONFIG_NF_CONNTRACK_ENABLED=y
# CONFIG_NF_CONNTRACK_SUPPORT is not set
CONFIG_IP_NF_CONNTRACK_SUPPORT=y
CONFIG_IP_NF_CONNTRACK=y
# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CONNTRACK_NETLINK is not set
|
_________________ Mark Cooper
http://pvrhw.goldfish.org/ - Open Source PVR Hardware Database |
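
Added example, not part of any post in this thread: a pre-flight check that reads a ruleset in iptables-save format and reports each chain, match or target it uses that is undeclared or not offered by the kernel, which are the three causes behind "No chain/target/match by that name". The function names `missing_in_ruleset` and `demo` are hypothetical, and the sample ruleset and `/proc` listings are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list what an iptables-save file needs
# that the kernel does not currently offer. Function names are hypothetical.

# missing_in_ruleset RULES MATCHES TARGETS
#   RULES   - ruleset in iptables-save format
#   MATCHES - file in the format of /proc/net/ip_tables_matches
#   TARGETS - file in the format of /proc/net/ip_tables_targets
# Prints sorted lines: "chain NAME", "match NAME" or "target NAME".
missing_in_ruleset() {
    awk -v mfile="$2" -v tfile="$3" '
    BEGIN {
        while ((getline l < mfile) > 0) have_m[l] = 1
        while ((getline l < tfile) > 0) have_t[l] = 1
        # Verdicts handled by ip_tables itself, not extension targets.
        n = split("ACCEPT DROP QUEUE RETURN", v, " ")
        for (i = 1; i <= n; i++) have_t[v[i]] = 1
    }
    /^\[/ { sub(/^\[[0-9:]+\] */, "") }      # drop "[pkts:bytes]" counters
    /^\*/ { split("", chain); next }         # new table: forget its chains
    /^:/  { chain[substr($1, 2)] = 1; next } # chain declaration
    $1 == "-A" {
        if (!($2 in chain)) bad["chain " $2] = 1
        for (i = 3; i < NF; i++) {
            name = $(i + 1)
            if ($i == "-m" && !(name in have_m)) bad["match " name] = 1
            if ($i == "-j" && !(name in have_t) && !(name in chain))
                bad["target " name] = 1
        }
    }
    END { for (b in bad) print b }' "$1" | sort
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed ruleset: state match, an undeclared chain, a REJECT target.
    cat > "$d/rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A open -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
    # Constructed stand-ins for the two /proc files (no "state" registered).
    printf '%s\n' iprange icmp length udplite udp tcp > "$d/matches"
    printf '%s\n' REJECT LOG > "$d/targets"
    missing_in_ruleset "$d/rules" "$d/matches" "$d/targets"
    rm -rf "$d"
}

demo
# On a live system:
# missing_in_ruleset /etc/iptables.bak /proc/net/ip_tables_matches /proc/net/ip_tables_targets
```

The `/proc` files list only extensions currently registered with the kernel, so a match built as a module and not yet loaded is reported as missing until it is loaded.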
|