I had a simple firewall setup on my Arch router box. I'm trying to block some additional ports, and it looks like maybe a recent update has borked the tcp/udp extensions modules?
Running anything with `--dport` or `--destination-port` (or the source port variants) returns a "No chain/target/match by that name."
What is the module for the tcp/udp extensions? Is it one of these:
```
krovisser /etc/iptables :( # lsmod | grep ip
tulip 51905 0
ipt_MASQUERADE 2154 5
iptable_nat 3358 1
nf_nat_ipv4 3568 1 iptable_nat
nf_nat 15443 3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat
ipt_REJECT 2313 1
nf_conntrack_ipv4 9166 4
nf_defrag_ipv4 1371 1 nf_conntrack_ipv4
nf_conntrack 68370 6 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,xt_conntrack,iptable_nat,nf_conntrack_ipv4
iptable_filter 1488 1
iptable_mangle 1584 0
ip_tables 17218 3 iptable_filter,iptable_mangle,iptable_nat
x_tables 17351 6 ip_tables,ipt_MASQUERADE,xt_conntrack,iptable_filter,ipt_REJECT,iptable_mangle
krovisser /etc/iptables # lsmod | grep nf
nf_nat_ipv4 3568 1 iptable_nat
nf_nat 15443 3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat
nf_conntrack_ipv4 9166 4
nf_defrag_ipv4 1371 1 nf_conntrack_ipv4
nf_conntrack 68370 6 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,xt_conntrack,iptable_nat,nf_conntrack_ipv4
```
Not sure what's going on, because using a bare `-p tcp` will work. So it should load the extension at that point.
Last edited by krovisser (2013-05-07 23:29:19)
`--dport` is available only when you select protocol UDP or TCP (I don't know whether any other protocol supports it); then something like this will work:
```
# iptables -A OUTPUT -p tcp --dport 22 -j REJECT
```
Share with us the full command you're using; the syntax may have changed which could make it appear to be broken.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
I fixed it. A restart did the trick. I'd like to know what modules tcp needs so I don't have to restart (kills my internet, torrents, etc.).
I tried 'iptables -A INPUT -p tcp --dport 49152 -j ACCEPT', which gave the message.
I eliminated everything and found that the --dport switch was giving the message. That is, 'iptables -A INPUT -p tcp -j ACCEPT' would work.
But again, it is resolved now after a restart. So I guess the question I am after is: How do you list all available modules in Arch?
I'm going to assume you installed a new kernel; you need to restart to load the new kernel.
If your system is currently running 3.0.73-1-lts and you upgrade to 3.1.0-1-lts then only the 3.1 modules will be on disk; you need to reboot to run the new kernel to be able to load those modules if they're not already loaded.
> I'm going to assume you installed a new kernel; you need to restart to load the new kernel.
> If your system is currently running 3.0.73-1-lts and you upgrade to 3.1.0-1-lts then only the 3.1 modules will be on disk; you need to reboot to run the new kernel to be able to load those modules if they're not already loaded.
Ah, yup. That must be it. I hadn't used the tcp extensions until just then, actually. They must not have been loaded.
Thanks.
In addition to what fukawi2 said, if you are running systemd and you make a change to your iptables you can do:
```
iptables-save > /etc/iptables/iptables.rules
systemctl restart iptables
```
The updates will then take place without having to restart the server.
Hope this helps.
R.
edit: this also assumes that the modules you need are loaded.
Last edited by ralvez (2013-05-08 02:12:26)
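An added check, not from any poster in this thread, for the situation fukawi2 describes: it looks for the running kernel's module tree under /lib/modules and for the xt_tcpudp module (the kernel module that implements the iptables tcp and udp matches, including `--dport`), which also answers the "how do I list what modules are available" question for one module. It assumes module trees live under `$MODULES_ROOT/<kernel version>/` (override `MODULES_ROOT` to point at a test tree) and takes /proc/modules text as a string so it can be tested offline.

```shell
#!/bin/sh
# Diagnose why "iptables -p tcp --dport ..." fails with
# "No chain/target/match by that name" after a kernel package upgrade.
# Assumption: module trees live under $MODULES_ROOT/<kernel-version>/ (default /lib/modules).
MODULES_ROOT="${MODULES_ROOT:-/lib/modules}"

# True when a module tree exists on disk for kernel version $1. After an
# upgrade only the new kernel's tree remains, so the running kernel has none.
kernel_tree_present() {
    [ -d "$MODULES_ROOT/$1" ]
}

# True when module $2 (e.g. xt_tcpudp) ships in the tree for kernel $1.
# Matches plain .ko files and compressed variants (.ko.gz, .ko.xz, .ko.zst).
module_on_disk() {
    find "$MODULES_ROOT/$1" -name "$2.ko*" 2>/dev/null | grep -q .
}

# True when module $1 appears in /proc/modules-style text passed as $2.
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Report on module $2 for running kernel $1. Exit status: 0 loadable,
# 2 module tree for the running kernel is gone (reboot needed), 3 module absent.
diagnose() {
    kver="$1"; mod="$2"
    if ! kernel_tree_present "$kver"; then
        echo "no module tree for running kernel $kver under $MODULES_ROOT:" \
             "a kernel upgrade replaced it; reboot into the new kernel before loading $mod"
        return 2
    fi
    if ! module_on_disk "$kver" "$mod"; then
        echo "$mod is not shipped for kernel $kver"
        return 3
    fi
    echo "$mod is available for $kver; load it with: modprobe $mod"
}

# Stand-alone run against the live system; each step tolerates a minimal container.
if [ -r /proc/modules ]; then
    if module_loaded xt_tcpudp "$(cat /proc/modules)"; then
        echo "xt_tcpudp is already loaded"
    fi
fi
diagnose "$(uname -r)" xt_tcpudp || :
```

Exit status 2 is the case in this thread: the running kernel's modules are gone from disk, so nothing but a reboot will make the tcp match loadable.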