Hello
I'm trying to configure iptables on a little archlinux machine (pcduino).
I tried the little french tutorial to configure the base of iptables rules.
After these rules, I'm stuck (I set them to ACCEPT so they don't eject me directly; I'll switch them to DROP afterwards):
# iptables -t filter -P INPUT ACCEPT
# iptables -t filter -P FORWARD ACCEPT
# iptables -t filter -P OUTPUT ACCEPT
# iptables -t filter -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name.
I've got the conntrack library installed.
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-postfix (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-sshd (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
I know iptables, but the versions I used to configure used "state" in place of "conntrack".
Does someone have an idea?
Thanks
Last edited by ouafnico (2014-10-31 07:54:59)
What does this command say after you get that error?
lsmod|grep tables
The command responds with nothing.
How is it bad doc?
The rule you posted is correct, and it works on my installation.
Note that you do not need the conntrack library, but your kernel does need the nf_conntrack module. Since this is an ARM board we do not know the kernel configuration. Verify you have the module with:
find /usr/lib/modules -name 'nf_conntrack*'
PS: We like code tags.
I guess a better check would be:
cd /tmp
cp /proc/config.gz .
gunzip config.gz
grep CONNTRACK config
The find gives no results.
Your last commands give:
# grep CONNTRACK config
CONFIG_NF_CONNTRACK=y
# CONFIG_NF_CONNTRACK_MARK is not set
# CONFIG_NF_CONNTRACK_SECMARK is not set
CONFIG_NF_CONNTRACK_PROCFS=y
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
# CONFIG_NF_CONNTRACK_FTP is not set
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_SNMP is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_NF_CONNTRACK_IPV6 is not set
> The command responds with nothing.
> How is it bad doc?
So, packet filtering lives in the kernel, but the modules are not loaded. This means that you just don't have a firewall. If you are using the stock -ARCH kernel, did you reboot after an update?
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
@ouafnico Please use code tags.
> I guess a better check would be:
> cd /tmp
> cp /proc/config.gz .
> gunzip config.gz
> grep CONNTRACK config
Alternatively:
zgrep CONNTRACK /proc/config.gz
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Yes, I have rebooted.
How can I load them?
You do not have modules, the "=y" (as opposed to "=m") in the kernel config lines means your firewall code is compiled into the kernel. However, I think your kernel does not have everything you need. I think you need CONFIG_NETFILTER_XT_MATCH_CONNTRACK.
Is this the stock kernel from archlinuxarm? If not, try the stock kernel. If so, fixing this involves recompiling your kernel with the added options.
This page from the Gentoo wiki shows the minimal kernel config options to run a stateful firewall http://wiki.gentoo.org/wiki/Iptables#Kernel
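The post above comes down to reading the kernel config and checking that every option the "-m conntrack" match depends on is either built in (=y) or available as a module (=m). The script below is an added example, not code from the thread or from Arch; it assumes a minimal option list (CONFIG_NETFILTER, CONFIG_NF_CONNTRACK, CONFIG_NF_CONNTRACK_IPV4, CONFIG_NETFILTER_XT_MATCH_CONNTRACK) taken from the thread and the linked Gentoo page, and runs against a constructed config excerpt modelled on the grep output posted earlier (CONFIG_NETFILTER=y is added to that excerpt so the sample is complete). Against a real box, feed it the output of zcat /proc/config.gz instead.

```shell
#!/bin/sh
# Added example: check a kernel config for the options "-m conntrack" needs.
# Option list is an assumption (minimal set from the thread and the Gentoo
# wiki page it links); extend it for helper modules such as FTP or SIP.
REQUIRED_OPTS="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 CONFIG_NETFILTER_XT_MATCH_CONNTRACK"

# option_state FILE OPTION -> prints builtin | module | missing
# "=y" means compiled in (nothing to modprobe); "=m" means a loadable module;
# a "# ... is not set" line or no line at all means the feature is absent.
option_state() {
    if grep -q "^$2=y\$" "$1"; then echo builtin
    elif grep -q "^$2=m\$" "$1"; then echo module
    else echo missing
    fi
}

# report_config FILE: one line per required option with its state
report_config() {
    for opt in $REQUIRED_OPTS; do
        printf '%-40s %s\n' "$opt" "$(option_state "$1" "$opt")"
    done
}

# count_missing FILE: prints how many required options are absent (0 = OK)
count_missing() {
    n=0
    for opt in $REQUIRED_OPTS; do
        [ "$(option_state "$1" "$opt")" = missing ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample config, modelled on the grep output posted in the thread
# (CONFIG_NETFILTER=y added; the original grep only matched CONNTRACK lines).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
# CONFIG_NF_CONNTRACK_MARK is not set
CONFIG_NF_CONNTRACK_PROCFS=y
# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
EOF

report_config "$SAMPLE_CFG"
echo "missing required options: $(count_missing "$SAMPLE_CFG")"
# Live kernel: zcat /proc/config.gz > /tmp/config && report_config /tmp/config
```

On the sample, CONFIG_NETFILTER_XT_MATCH_CONNTRACK shows as missing, which is exactly the state the thread ended in: conntrack itself is built in, but the xt_conntrack match that "-m conntrack" loads is not, so iptables reports "No chain/target/match by that name" and a rebuild of the kernel (or a kernel from the board vendor with that option enabled) is the only fix.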
Oh, it's a kernel for pcduino.
I will ask the team concerned directly to add the right modules.
Thanks for your help.
Make sure there is xt_nat.ko on your system, which is built by turning on CONFIG_IP_NF_NAT and CONFIG_NETFILTER_XT_NAT in the kernel configuration.
@netawater NAT is not (directly) related to connection tracking. Also, please leave the dead to rest in peace.
Closing.