In an attempt to secure my Arch machine, I've discovered that I am missing several iptables modules that are "supposed" to be there.
Here is the list of available modules.
$ sudo cat /proc/net/ip_tables_matches
udplite
udp
tcp
icmp
As a major n00b in the iptables (and networking), this was the first place I've looked.
Kernel: 3.19.2-1-ck
Iptables: v1.4.21
I can find more information if needed.
Last edited by Jakkin (2015-03-23 03:07:44)
Anyone who NEEDS to be TAUGHT how to interact with a computer probably shouldn't be allowed near one. -Sopwith
iptables will load all required modules dynamically. I think in /proc/net/ip_tables_matches are only the currently required modules:
# cat /proc/net/ip_tables_matches
icmp
# iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 14898 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 21 packets, 3257 bytes)
pkts bytes target prot opt in out source destination
# iptables -A INPUT -p tcp --dport 17500 -j REJECT --reject-with icmp-port-unreachable
# iptables-save > /etc/iptables/iptables.rules
# cat /proc/net/ip_tables_matches
udplite
udp
tcp
icmp
# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 84 packets, 55360 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:17500 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 77 packets, 11364 bytes)
num pkts bytes target prot opt in out source destination
All right, but what about attempting to use modules like "multiport" or "state"? (I'm giving these as examples because they are commonly used.)
Iptables will repeatedly give errors like
iptables: No chain/target/match by that name.
Would you mind posting the rules you try to use and that are creating this error?
I've been attempting to make this command work.
iptables -A INPUT -p tcp -m multiport ! --dports 80,443 -j DROP
But it always ends in the error
iptables: No chain/target/match by that name.
It also occurs in commands that include the "-m state" argument. Basically, the only commands that have worked are the ones including
udplite
udp
tcp
icmp
What is the output if you try to load the module manually like this:
# modprobe -v xt_multiport
After running the command (first in user mode, then in sudo mode), both times the result was
modprobe: FATAL: Module xt_multiport not found.
Is it possible that you have updated the kernel but not rebooted yet?
If you're not sure, compare the outputs of
pacman -Q linux
with
uname -r
and reboot if they differ.
Ah, I'd assume using a custom compiled kernel might cause an issue. Running kernel is linux-ck compiled from AUR.
EDIT: I'm recompiling the kernel now. I'm pretty sure the issue is from using the modprobed-db argument. It includes only previously probed modules in the kernel to cut down on compile time.
Last edited by Jakkin (2015-03-22 20:19:57)
Get the installed version with "pacman -Q linux-ck" then.
The reason I'm recommending that you compare the versions of the installed and running kernel is that you can't load any modules if you haven't rebooted since the upgrade/change. The modules directory for the running kernel isn't present any more, so you need to reboot. It doesn't matter which kernel flavours are involved.
You need xt_multiport compiled into your kernel (or as a module). linux-ck should take the stock Arch Linux kernel configuration. The module is compiled with this configuration.
$ gunzip -c "/proc/config.gz" |grep CONFIG_NETFILTER_XT_MATCH_MULTIPORT
$ ls -l /usr/lib/modules/`uname -r`/kernel/net/netfilter |grep multiport
If this module is not compiled, compile it.
Yes, if you use modprobed-db you should add all netfilter modules. Maybe boot a stock arch linux kernel and modprobe everything in /usr/lib/modules/`uname -r`/kernel/net/netfilter to have all modules in the db.
EDIT:
minor clarification
Last edited by mychris (2015-03-22 20:54:50)
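A pre-flight check for the situation described in this thread, added here as an example (it is not code from the thread or from the modprobed-db project): it reads the "-m" matches out of an iptables-save style rules file, maps each to its xt_<match> module and CONFIG_NETFILTER_XT_MATCH_<MATCH> option, and reports which ones the kernel cannot provide. The rules file and the "available modules" list in the demo are constructed; with no list given, the check asks modinfo about the running kernel.

```shell
#!/bin/sh
# Added example, not from the thread: find the xt_* match modules a rules
# file needs and report those the kernel cannot load. A missing one is what
# produces "iptables: No chain/target/match by that name".

# Print the unique match names used by -m/--match in an iptables-save file.
rule_matches() {
    awk '/^-A/ { for (i = 1; i < NF; i++)
                   if ($i == "-m" || $i == "--match") print $(i+1) }' "$1" | sort -u
}

# Kernel module and Kconfig symbol for a match name (multiport -> xt_multiport,
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT, the symbol grepped from /proc/config.gz above).
xt_module_for() { echo "xt_$1"; }
xt_config_for() { echo "CONFIG_NETFILTER_XT_MATCH_$(echo "$1" | tr 'a-z' 'A-Z')"; }

# $1 = module name, $2 = optional space-separated list of known-available
# modules (used for offline testing); without $2 the real kernel is consulted.
module_available() {
    if [ -n "$2" ]; then
        case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
    fi
    modinfo -n "$1" >/dev/null 2>&1
}

# Print "module config-symbol" for every match whose module is unavailable.
missing_modules() {
    for m in $(rule_matches "$1"); do
        mod=$(xt_module_for "$m")
        module_available "$mod" "$2" || echo "$mod $(xt_config_for "$m")"
    done
}

# Constructed demo rules: the thread's multiport rule plus a state and a limit rule.
DEMO_RULES=$(mktemp)
trap 'rm -f "$DEMO_RULES"' EXIT
cat > "$DEMO_RULES" <<'EOF'
*filter
-A INPUT -p tcp -m multiport ! --dports 80,443 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m limit --limit 5/min -j ACCEPT
COMMIT
EOF
# Constructed kernel that, like the modprobed-db build in the thread, has
# xt_limit but was never built with multiport or state.
missing_modules "$DEMO_RULES" "xt_limit xt_tcpudp"
```

Run it with only the rules file argument (for example `missing_modules /etc/iptables/iptables.rules`) to check the running kernel before a reboot into a rebuilt one.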
After a recompile of the kernel (this time including all the modules), iptables will accept and respond to commands including the module "-m" command.
Thanks for the help, mychris and aiBo.