#1 2013-05-07 23:28:14

krovisser
Member
Registered: 2013-04-18
Posts: 31

iptables -p tcp/udp --dport no longer working

I had a simple firewall setup on my Arch router box. I'm trying to block some additional ports, and it looks like maybe a recent update has borked the tcp/udp extensions modules?

Running anything with

--dport

or

--destination-port

(or the source port variants) returns a "No chain/target/match by that name."

What is the module for the tcp/udp extensions? Is it one of these:

krovisser /etc/iptables :( # lsmod | grep ip
tulip                  51905  0
ipt_MASQUERADE          2154  5
iptable_nat             3358  1
nf_nat_ipv4             3568  1 iptable_nat
nf_nat                 15443  3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat
ipt_REJECT              2313  1
nf_conntrack_ipv4       9166  4
nf_defrag_ipv4          1371  1 nf_conntrack_ipv4
nf_conntrack           68370  6 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,xt_conntrack,iptable_nat,nf_conntrack_ipv4
iptable_filter          1488  1
iptable_mangle          1584  0
ip_tables              17218  3 iptable_filter,iptable_mangle,iptable_nat
x_tables               17351  6 ip_tables,ipt_MASQUERADE,xt_conntrack,iptable_filter,ipt_REJECT,iptable_mangle
krovisser /etc/iptables # lsmod | grep nf
nf_nat_ipv4             3568  1 iptable_nat
nf_nat                 15443  3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat
nf_conntrack_ipv4       9166  4
nf_defrag_ipv4          1371  1 nf_conntrack_ipv4
nf_conntrack           68370  6 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,xt_conntrack,iptable_nat,nf_conntrack_ipv4

Not sure what's going on, because using a bare `-p tcp` will work. So it should load the extension at that point.

Last edited by krovisser (2013-05-07 23:29:19)

#2 2013-05-07 23:44:16

hotvic
Member
Registered: 2013-02-11
Posts: 109

Re: iptables -p tcp/udp --dport no longer working

--dport is available only when you select protocol UDP or TCP (I don't know about others); then something like this will work:

# iptables -A OUTPUT -p tcp --dport 22 -j REJECT

#3 2013-05-08 00:38:08

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,223
Website

Re: iptables -p tcp/udp --dport no longer working

Share with us the full command you're using; the syntax may have changed which could make it appear to be broken.

#4 2013-05-08 01:00:14

krovisser
Member
Registered: 2013-04-18
Posts: 31

Re: iptables -p tcp/udp --dport no longer working

I fixed it. A restart did the trick. I'd like to know what modules tcp needs so I don't have to restart (kills my internet, torrents, etc.).

I tried 'iptables -A INPUT -p tcp --dport 49152 -j ACCEPT', which gave the message.

I eliminated everything and found that the --dport switch was giving the message. That is, 'iptables -A INPUT -p tcp -j ACCEPT' would work.

But again, it is resolved now after a restart. So I guess the question I am after is: How do you list all available modules in Arch?

#5 2013-05-08 01:05:12

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,223
Website

Re: iptables -p tcp/udp --dport no longer working

I'm going to assume you installed a new kernel; you need to restart to load the new kernel.

If your system is currently running 3.0.73-1-lts and you upgrade to 3.1.0-1-lts then only the 3.1 modules will be on disk; you need to reboot to run the new kernel to be able to load those modules if they're not already loaded.

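The failure mode fukawi2 describes can be checked without trial-and-error iptables commands. The script below is an added example, not code from this thread or from Arch: it takes the module root and kernel release as parameters, reports whether the running kernel's module tree is still on disk, lists the netfilter match/target modules shipped for that release (the "how do you list all available modules" question), and looks specifically for xt_tcpudp, the module that implements the tcp/udp port matches behind `-p tcp --dport`. The kernel versions in the comments are the ones from fukawi2's post, used only as sample data.

```shell
#!/bin/sh
# Added example, not code from the thread. After a kernel package upgrade only
# the new kernel's modules are on disk (e.g. 3.1.0-1-lts replaces 3.0.73-1-lts),
# so the still-running old kernel can no longer load modules it has not loaded
# yet. The tcp/udp port match behind "-p tcp --dport" lives in xt_tcpudp.
# Module root and release are parameters so the checks can run on any tree.

# running_kernel_modules_present MODROOT RELEASE
# 0 if MODROOT/RELEASE exists, 1 if the running kernel's module tree is gone.
running_kernel_modules_present() {
    [ -d "$1/$2" ]
}

# list_netfilter_matches MODROOT RELEASE
# Netfilter match/target modules (xt_*, ipt_*) shipped for RELEASE, one per
# line, stripped of the path and the .ko / .ko.gz / .ko.xz / .ko.zst suffix.
list_netfilter_matches() {
    find "$1/$2" \( -name 'xt_*.ko*' -o -name 'ipt_*.ko*' \) 2>/dev/null \
        | sed 's#.*/##; s/\.ko.*$//' | LC_ALL=C sort
}

# diagnose MODROOT RELEASE
# 1: module tree for the running kernel is missing (reboot needed)
# 2: tree is present but xt_tcpudp is not shipped in it
# 0: xt_tcpudp is available, so --dport can autoload it
diagnose() {
    modroot=$1
    release=$2
    if ! running_kernel_modules_present "$modroot" "$release"; then
        echo "no module tree for running kernel $release under $modroot"
        echo "trees on disk: $(ls "$modroot" 2>/dev/null | tr '\n' ' ')"
        echo "kernel was upgraded under the running kernel: reboot before loading new modules"
        return 1
    fi
    if ! list_netfilter_matches "$modroot" "$release" | grep -qx xt_tcpudp; then
        echo "xt_tcpudp is not shipped for $release"
        return 2
    fi
    echo "xt_tcpudp available for $release; iptables -p tcp --dport can load it"
    return 0
}

# Run the check against the live system:  sh check_nf_modules.sh check
if [ "${1:-}" = "check" ]; then
    diagnose /lib/modules "$(uname -r)"
fi
```

Exit status 1 is the situation in this thread: the fix is a reboot into the installed kernel, not a change to the iptables rules.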

#6 2013-05-08 01:52:51

krovisser
Member
Registered: 2013-04-18
Posts: 31

Re: iptables -p tcp/udp --dport no longer working

fukawi2 wrote:

I'm going to assume you installed a new kernel; you need to restart to load the new kernel.

If your system is currently running 3.0.73-1-lts and you upgrade to 3.1.0-1-lts then only the 3.1 modules will be on disk; you need to reboot to run the new kernel to be able to load those modules if they're not already loaded.

Ah, yup. That must be it. I hadn't used the tcp extensions until just then, actually. They must not have been loaded.

Thanks.

#7 2013-05-08 02:10:25

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,694
Website

Re: iptables -p tcp/udp --dport no longer working

In addition to what fukawi2 said, if you are running systemd and you make a change to your iptables you can do:

iptables-save > /etc/iptables/iptables.rules
systemctl restart iptables

The updates will then take place without having to restart the server.
Hope this helps.

R.

edit: this also assumes that the modules you need are loaded. ;)

Last edited by ralvez (2013-05-08 02:12:26)
