# Problems with Shorewall

## lazloman

I upgraded my kernel from 2.6.20 to 2.6.21, and now shorewall is giving me fits. I've gone back and recompiled the kernel, including iptables in the kernel rather than as modules, but I still get this error:

```
iptables: No chain/target/match by that name
   ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
```

Can someone give me a hand with this?

----------

## magowiz

Could you post the IPTABLES options of your kernel .config file? Maybe you are missing something.

----------

## di1bert

Just make sure you have all the right stuff compiled in. I would still compile everything as modules for iptables though as it makes your life easier when troubleshooting.

To me it looks like you're missing the "state" option. Double check that and let us know how you get on...

-m

----------

## lazloman

Here's what I have:

```
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=y
# CONFIG_NETFILTER_NETLINK_QUEUE is not set
# CONFIG_NETFILTER_NETLINK_LOG is not set
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK_SUPPORT=y
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CT_PROTO_SCTP is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=y
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
# CONFIG_NF_CT_NETLINK is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_DSCP=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_DSCP=y
CONFIG_NETFILTER_XT_MATCH_ESP=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_QUOTA=y
CONFIG_NETFILTER_XT_MATCH_REALM=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y

#
# IP: Netfilter Configuration
#
# CONFIG_NF_CONNTRACK_IPV4 is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_AH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
```

----------

## Hu

This is a guess, but do you actually have a chain named FORWARD?  You have turned off one of the IP connection tracking options (# CONFIG_NF_CONNTRACK_IPV4 is not set), which makes me wonder if you have lost support for NAT of IPv4 traffic and thus lost the FORWARD chain.

----------

## thewtex

I had similar problems, and after a few kernel recompiles I followed the suggestion at the end of the Gentoo Kernel Upgrade Guide that says to copy the .config from the old kernel source to the new one before starting make menuconfig. That was a lot easier.

----------

## lazloman

*Hu wrote:*

> which makes me wonder if you have lost support for NAT of IPv4 traffic

This might be it. I didn't include NAT in netfilter, because this box does not need it. I'll check the shorewall configs and make sure I'm not forwarding anything.

----------

## koan

I had the same issue, and it was just that I was missing "state" in the kernel netfilter settings.

----------

## lazloman

Which config option? I went through my config and I thought I had it set. I don't have it here now, but will check later.

thx

----------

## koan

Hello.

Below is the option that needs to be on, and its dependencies. It won't appear until the dependencies are on. Personally, I enabled and compiled into the kernel everything in netfilter that wasn't experimental.

```
Symbol: NETFILTER_XT_MATCH_STATE [=y]
Prompt: "state" match support
  Defined at net/netfilter/Kconfig:586
  Depends on: NET && INET && NETFILTER && NETFILTER_XTABLES && (IP_NF_CONNTRACK || NF_CONNTRACK)
  Location:
    -> Networking
      -> Networking support (NET [=y])
        -> Networking options
          -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
            -> Core Netfilter Configuration
              -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
```

----------

## Hu

*koan wrote:*

> I had the same issue and was just that I was missing "state" in the kernel netfilter settings.

According to the configuration fragment he pasted, he already has the state match enabled and built-in:

*lazloman wrote:*

> ```
> CONFIG_NETFILTER_XT_MATCH_SCTP=y
> ...
> ```

lazloman: please post the output of iptables-save -c so that we can see what tables your kernel knows about.

----------

## lazloman

I didn't know about this. Here you go:

```
# Generated by iptables-save v1.3.5 on Fri Aug  3 14:18:40 2007
*filter
:INPUT ACCEPT [2158480:2709680950]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1554814:736996555]
COMMIT
# Completed on Fri Aug  3 14:18:40 2007
```

----------

## Hu

That indicates you do have the FORWARD chain, but you do not have a nat table. Assuming the output shown in your first post is accurate, something is inconsistent here. As far as I know, the error shown in your first post means that at least one of these conditions must be true:

- You are missing a FORWARD chain. This is not the case, as your most recent post shows.
- You are missing the state match. This is not the case, as your post on Thu Jul 19, 2007 3:19 pm shows.
- You are missing the ACCEPT target. This is such a fundamental target that it cannot be omitted.

Thus, either I am wrong or your information is inconsistent. I can see no way with the provided information that you could be experiencing a failure. Is the configuration snippet that you posted taken from the /proc/config.gz of the kernel which is being used when you receive the iptables error?

If you are not doing masquerading and you do not have a NAT table, I doubt you will need a FORWARD chain.  Such a chain can be useful if you are bridging two networks without address translation, but so far you have not indicated that you intend to do that.  If you have no need for the FORWARD chain, you could just remove it from your firewall rules.

----------
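A small checker, added here and not written by any of the posters, that cross-checks a kernel .config fragment against `iptables-save` output for the conditions raised in this thread: the dependency line koan quoted for the state match, the NF_CONNTRACK_IPV4 option Hu questioned, and the FORWARD chain and nat table Hu's last post lists. The sample config and iptables-save text are constructed from the fragments posted above; CONFIG_NET and CONFIG_INET are assumed on, since they fall outside the section lazloman posted.

```python
import re

# Dependency line koan quoted for the "state" match, plus the option itself.
# Each inner tuple is a set of alternatives of which at least one must be on.
STATE_MATCH_DEPS = [("NETFILTER_XT_MATCH_STATE",), ("NET",), ("INET",), ("NETFILTER",),
                    ("NETFILTER_XTABLES",), ("IP_NF_CONNTRACK", "NF_CONNTRACK")]

# Constructed sample: the relevant lines from lazloman's fragment; NET/INET assumed on.
SAMPLE_CONFIG = """CONFIG_NET=y
CONFIG_INET=y
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
# CONFIG_NF_CONNTRACK_IPV4 is not set
"""
# Constructed sample modelled on the iptables-save output lazloman posted.
SAMPLE_SAVE = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n"

def parse_kconfig(text):
    """Map option name -> 'y'/'m'/'n'; '# CONFIG_X is not set' lines give 'n'."""
    opts = {}
    for m in re.finditer(r"^(?:CONFIG_(\w+)=(y|m)|# CONFIG_(\w+) is not set)$", text, re.M):
        opts[m.group(1) or m.group(3)] = m.group(2) or "n"
    return opts

def parse_iptables_save(text):
    """Map table name -> set of chain names ('*table' lines, then ':CHAIN' lines)."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:].strip(), set())
        elif line.startswith(":") and table is not None:
            table.add(line[1:].split()[0])
    return tables

def diagnose(config_text, save_text):
    """Findings relevant to '-A FORWARD -m state ... -j ACCEPT' being rejected."""
    opts, tables = parse_kconfig(config_text), parse_iptables_save(save_text)
    on = lambda name: opts.get(name) in ("y", "m")
    findings = []
    for alts in STATE_MATCH_DEPS:  # every dependency group needs one option on
        if not any(on(a) for a in alts):
            findings.append("needed for '-m state' but not enabled: " + " or ".join(alts))
    if not on("NF_CONNTRACK_IPV4"):
        findings.append("NF_CONNTRACK_IPV4 is off (the option Hu questioned)")
    if "FORWARD" not in tables.get("filter", set()):
        findings.append("filter table has no FORWARD chain")
    if "nat" not in tables:
        findings.append("no nat table (NAT support not compiled in)")
    return findings
```

Run `diagnose(open("/proc/config.gz-decompressed").read(), iptables_save_output)` against real data to see which of Hu's conditions actually holds on a given box.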

