wcg (Guru)
Joined: 06 Jan 2009; Posts: 588
Posted: Mon Jan 12, 2009 5:14 am
Post subject: [SOLVED] iptables LOG target not recognized
iptables is reporting the LOG target as unrecognized.

iptables-1.4.0-r1
linux-2.6.27-gentoo-r7
CHOST=x86_64-pc-linux-gnu

It is enabled in the kernel config:

....
CONFIG_NETFILTER=y
....
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
....
CONFIG_IP_NF_TARGET_LOG=y

Example:

/sbin/iptables -A INPUT -i eth+ -s $MYHOST_IP \
-d \! $MY_SUBNET_BROADCAST -m limit -j LOG \
--log-ip-options --log-tcp-options

(Next iptables command in the firewall script drops anything incoming on ethernet with $MY_HOST_IP for source address.)

iptables reports:

iptables: No chain/target/match by that name

This happens for every iptables command with a "-j LOG" target.

Works fine with iptables-1.3.8 and linux-2.6.26.5 on an x86 (unpatched vanilla sources).

?

(The only thing that looks maybe relevant in USE= in make.conf is "-isdnlog". I disabled it because I have no isdn interfaces installed. I don't see how that would affect iptables.)

TIA

Last edited by wcg on Tue Jan 13, 2009 5:36 pm; edited 1 time in total
wcg (Guru)
Joined: 06 Jan 2009; Posts: 588
Posted: Mon Jan 12, 2009 8:46 am
PS: system logger is sysklogd.

TIA
toralf (Developer)
Joined: 01 Feb 2004; Posts: 3943; Location: Hamburg
Posted: Mon Jan 12, 2009 9:54 am
You're sure to put "-j LOG" into a specific filter rule? What about using a more general approach like this:

Code:
n22 /home/tfoerste # grep LOG /etc/kmyfirewall/kmyfirewall.sh
$MOD ipt_LOG
$IPT -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "FW_IN: "
$IPT -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "FW_OUT: "
$IPT -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "FW_FWD: "

to enable/disable logging for a full chain?
wcg (Guru)
Joined: 06 Jan 2009; Posts: 588
Posted: Mon Jan 12, 2009 4:24 pm
A lot of junk that a chain might handle I don't want in my logs (netbios broadcasts from winboxes, etc), so I prefer to use the -j LOG target in specific rules for those kinds of packets that I do want to see a report on. But the "-j LOG" iptables target should be recognized by iptables either way when it is enabled in the kernel config for a compiled and installed kernel.

I'll try reverting iptables to 1.3.8-r? and/or a newer version from testing and see if that fixes it. At least I should be able to find out whether the problem is in the iptables source or the kernel source. (Does not seem like a compiler problem.)

TIA
tutaepaki (Apprentice)
Joined: 11 Nov 2003; Posts: 279; Location: New Zealand
Posted: Mon Jan 12, 2009 7:20 pm
Quote:
iptables: No chain/target/match by that name

Note the message. It may refer to chain, target, or match...
The chain and target are probably fine, and it's the rate limiting module missing.
Are you sure that module is set up in your kernel too?

Regards
wcg (Guru)
Joined: 06 Jan 2009; Posts: 588
Posted: Tue Jan 13, 2009 5:33 pm
tutaepaki wrote:
Quote: iptables: No chain/target/match by that name
Note the message. It may refer to chain, target, or match...
The chain and target are probably fine, and it's the rate limiting module missing.
Quote: -m limit
Are you sure that module is set up in your kernel too?
Regards

Bingo. There are a bunch of netfilter config options that only show up in make menuconfig for kernel 2.6.27+ if you enable "Advanced Netfilter Configuration" before descending into the next submenu. I did not have that enabled, so I was not seeing them, and CONFIG_XT_NETFILTER_MATCH_LIMIT was one of them (along with a few others that I use).

Fixed.

TIA
tbaac (n00b)
Joined: 02 Mar 2008; Posts: 24; Location: UK
Posted: Sun May 24, 2009 12:48 am
wcg wrote:
(....)
Bingo. There are a bunch of netfilter config options that only show up in make menuconfig for kernel 2.6.27+ if you enable "Advanced Netfilter Configuration" before descending into the next submenu. I did not have that enabled, so I was not seeing them, and CONFIG_XT_NETFILTER_MATCH_LIMIT was one of them (along with a few others that I use).
Fixed.

That's what I've been looking for.

The example firewall in http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12 (Code Listing 5.5: /etc/init.d/firewall) contains lines such as:

$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
--limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"

under the comment "Catch portscanners".

So, being a relative noob, I think to myself "Cool, that sounds pretty neat." and include it in my firewall script, and I got the error "iptables: No chain/target/match by that name" for that line. Through elimination I worked out that it didn't like the "-m limit --limit......." option and found articles on the web suggesting things such as making sure that CONFIG_IP_NF_MATCH_LIMIT is enabled. (Presumably now known as CONFIG_XT_NETFILTER_MATCH_LIMIT.)

I've just been over at the gentoo kernels page trying to find an alternative to gentoo-sources that had the extra limit functionality included.

I found this thread and it solved my problem, but could someone with a bit of knowledge add a reference to "Advanced Netfilter Configuration" to the gentoo wiki articles please? (Such as http://www.gentoo-wiki.info/HOWTO_Iptables_and_stateful_firewalls and http://www.gentoo-wiki.info/HOWTO_Iptables_for_newbies, plus maybe http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12.) It seems a shame not to include it in the kernel config parts of those articles and it's likely to trip others up.

Thanks

p.s. I'm loving Gentoo. I've used it before but always gone back to something less complicated, possibly involving typing "apt-get" ........... But this time I've got further and I've now got my laptop running Gentoo with everything except /boot set up with LUKS and LVM and running Fluxbox. I got the bcm4318 wireless working today without ndiswrapper and using WPA, something which I didn't manage with Kubuntu. This is probably nothing to you guys but I'm feeling really chuffed.

Anyway, thanks.
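A shell check, added here as an example and not something posted in the thread, that turns tutaepaki's reading of the error and tbaac's process of elimination into code: it lists the kernel config symbols an iptables rule's -m matches and -j targets depend on and reports which ones a .config lacks. The symbol names (CONFIG_NETFILTER_XT_MATCH_LIMIT for -m limit, CONFIG_IP_NF_TARGET_LOG for -j LOG, the 2.6.27-era Kconfig spelling) are assumptions, and the .config excerpt is constructed to mirror the original poster's setup.

```shell
#!/bin/sh
# Added example, not from the thread, iptables or the kernel: map the -m matches
# and -j targets in an iptables rule to the kernel config symbols providing them,
# then report what a .config lacks. Names follow the 2.6.27-era Kconfig as assumed
# here (xtables extensions under CONFIG_NETFILTER_XT_*, a few IPv4-only targets
# under CONFIG_IP_NF_TARGET_*); the table is partial, check your tree's Kconfig.

# Constructed .config excerpt mirroring the original poster's situation:
# LOG target present, the "limit" match not set (hidden without NETFILTER_ADVANCED).
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_LOG=y
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
CONFIG_NETFILTER_XT_MATCH_STATE=m'

# required_symbols RULE: one config symbol per extension the rule uses.
# Built-in verdicts need no module; a -j argument containing lowercase
# letters is a user-defined chain, not a target extension.
required_symbols() {
  prev=
  for tok in $1; do
    case "$prev" in
      -m|--match) echo "CONFIG_NETFILTER_XT_MATCH_$(echo "$tok" | tr 'a-z' 'A-Z')" ;;
      -j|--jump)
        case "$tok" in
          ACCEPT|DROP|RETURN|QUEUE|*[a-z]*) ;;
          LOG|REJECT|MASQUERADE|REDIRECT|ULOG) echo "CONFIG_IP_NF_TARGET_$tok" ;;
          *) echo "CONFIG_NETFILTER_XT_TARGET_$tok" ;;
        esac ;;
    esac
    prev=$tok
  done
}

# missing_symbols CONFIG RULE: required symbols CONFIG does not set to y or m.
# With CONFIG_IKCONFIG_PROC, "$(zcat /proc/config.gz)" can serve as CONFIG.
missing_symbols() {
  for sym in $(required_symbols "$2"); do
    printf '%s\n' "$1" | grep -q "^${sym}=[ym]\$" || echo "$sym"
  done
}

# rule_loads CONFIG RULE: succeed only when every extension is available.
rule_loads() { [ -z "$(missing_symbols "$1" "$2")" ]; }
# The original poster's rule; $MYHOST_IP etc. stay literal placeholders here.
RULE='-A INPUT -i eth+ -s $MYHOST_IP -d ! $MY_SUBNET_BROADCAST -m limit -j LOG --log-ip-options --log-tcp-options'
echo "Missing for the LOG rule:"; missing_symbols "$SAMPLE_CONFIG" "$RULE"
```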