# iptables: No chain/target/match by that name

## LeHardi

Hi!

I got this error (iptables: No chain/target/match by that name) trying to apply guarddog changes. I've read some docs and:

1) compiled all iptables options into the kernel

```
#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_UNIX=y
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
CONFIG_IP_ROUTE_MULTIPATH_RR=m
CONFIG_IP_ROUTE_MULTIPATH_RANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_DRR=m
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_ARPD=y
CONFIG_SYN_COOKIES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=y
CONFIG_IP_TCPDIAG=y
CONFIG_IP_TCPDIAG_IPV6=y
CONFIG_TCP_CONG_ADVANCED=y
#
# TCP congestion control
#
CONFIG_TCP_CONG_BIC=y
CONFIG_TCP_CONG_WESTWOOD=m
CONFIG_TCP_CONG_HTCP=m
CONFIG_TCP_CONG_HSTCP=m
CONFIG_TCP_CONG_HYBLA=m
CONFIG_TCP_CONG_VEGAS=m
CONFIG_TCP_CONG_SCALABLE=m
#
# IP: Virtual Server Configuration
#
# CONFIG_IP_VS is not set
CONFIG_IPV6=y
# CONFIG_IPV6_PRIVACY is not set
# CONFIG_INET6_AH is not set
# CONFIG_INET6_ESP is not set
# CONFIG_INET6_IPCOMP is not set
# CONFIG_INET6_TUNNEL is not set
# CONFIG_IPV6_TUNNEL is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_SCTP=m
CONFIG_IP_NF_MATCH_COMMENT=m
CONFIG_IP_NF_MATCH_CONNMARK=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_CONNMARK=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
#
# IPv6: Netfilter Configuration (EXPERIMENTAL)
#
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
CONFIG_IP6_NF_RAW=m
#
# SCTP Configuration (EXPERIMENTAL)
#
# CONFIG_IP_SCTP is not set
# CONFIG_ATM is not set
# CONFIG_BRIDGE is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_DECNET is not set
CONFIG_LLC=m
# CONFIG_LLC2 is not set
CONFIG_IPX=m
CONFIG_IPX_INTERN=y
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_NET_DIVERT is not set
# CONFIG_ECONET is not set
CONFIG_WAN_ROUTER=m
# CONFIG_NET_SCHED is not set
# CONFIG_NET_SCH_CLK_JIFFIES is not set
# CONFIG_NET_SCH_CLK_GETTIMEOFDAY is not set
# CONFIG_NET_SCH_CLK_CPU is not set
CONFIG_NET_CLS_ROUTE=y
```

2) re-emerged iptables

And no results. Errors in the iptables script? Something else... I don't know what I can do anymore. Must any other options be checked on in the kernel config?

-- 

LeHardi

Last edited by LeHardi on Wed Oct 19, 2005 12:06 am; edited 1 time in total

----------

## geeojr

 *LeHardi wrote:*   

> I got these error  (iptables: No chain/target/match by that name) trying apply guarddog changes.

 

You compiled netfilter as modules. Have you checked that the appropriate modules are loaded? What is the output of 

```
# lsmod
```

----------

## LeHardi

 *geeojr wrote:*   

>  *LeHardi wrote:*   I got these error  (iptables: No chain/target/match by that name) trying apply guarddog changes. 
> 
> You compiled netfilter as modules. Have you checked that the appropriate modules are loaded? What is the output of 
> 
> ```
> ...

 

It is:

```
Rincewind bin # lsmod
Module                  Size  Used by
ip_nat_irc              3008  0
ip_nat_ftp              4032  0
iptable_mangle          3200  1
ipt_LOG                 7424  0
ipt_MASQUERADE          4160  1
iptable_nat            23996  4 ip_nat_irc,ip_nat_ftp,ipt_MASQUERADE
ipt_TOS                 2880  0
ipt_REJECT              5248  0
ip_conntrack_irc       72112  1 ip_nat_irc
ip_conntrack_ftp       72816  1 ip_nat_ftp
ipt_state               2368  0
ip_conntrack           45276  7 ip_nat_irc,ip_nat_ftp,ipt_MASQUERADE,iptable_nat,ip_conntrack_irc,ip_conntrack_ftp,ipt_state
iptable_filter          3328  0
ip_tables              21696  8 iptable_mangle,ipt_LOG,ipt_MASQUERADE,iptable_nat,ipt_TOS,ipt_REJECT,ipt_state,iptable_filter
nvidia               4052860  0
eagle_usb             125312  0
```

-- 

LeHardi

----------

## LeHardi

And here is the set of my iptables rules. The script was generated from http://easyfwgen.morizot.net/gen/

Maybe it can help...

```
#!/bin/sh

SYSCTL="/sbin/sysctl -w"
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

INET_IFACE="ppp0"
LOCAL_IFACE="eth0"
LOCAL_IP="192.168.0.1"
LOCAL_NET="192.168.0.0/24"
LOCAL_BCAST="192.168.0.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"

if [ "$1" = "save" ]
then
    echo -n "Saving firewall to /etc/sysconfig/iptables ... "
    $IPTS > /etc/sysconfig/iptables
    echo "done"
    exit 0
elif [ "$1" = "restore" ]
then
    echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
    $IPTR < /etc/sysconfig/iptables
    echo "done"
    exit 0
fi

echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi

echo "Flushing Tables ..."
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
    echo "Firewall completely flushed! Now running with no firewall."
    exit 0
fi

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

echo "Create and populate custom rule chains ..."
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound

$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
    --log-prefix "Illegal source: "
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN

$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN

$IPT -A icmp_packets --fragment -p ICMP -j LOG \
    --log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -p ICMP -j RETURN

$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
    -j ACCEPT
$IPT -A udp_inbound -p UDP -j RETURN

$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

$IPT -A tcp_inbound -p TCP -j RETURN

$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

# INPUT Chain
echo "Process INPUT chain ..."
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 \
    -j ACCEPT
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "INPUT packet died: "

echo "Process FORWARD chain ..."
$IPT -A FORWARD -p ALL -j bad_packets
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "FORWARD packet died: "

echo "Process OUTPUT chain ..."
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "OUTPUT packet died: "

echo "Load rules for nat table ..."
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

echo "Load rules for mangle table ... "
```

-- 

LeHardi

Last edited by LeHardi on Wed Oct 19, 2005 12:07 am; edited 1 time in total

----------

## geeojr

Post the full output from running this script. That will help us narrow down the offending line(s).

----------

## LeHardi

 *geeojr wrote:*   

> Post the full output from running this script. That will help us narrow down the offending line(s).

 

So here it is:

```
Rincewind init.d # ./iptables start
Loading kernel modules ...
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
Create and populate custom rule chains ...
Process INPUT chain ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
Process FORWARD chain ...
iptables: No chain/target/match by that name
Process OUTPUT chain ...
iptables: No chain/target/match by that name
Load rules for nat table ...
Load rules for mangle table ...
```

-- 

LeHardi

----------

## geeojr

The trick at this point is to figure out which $IPT line is the problem. I don't see any obvious patterns. Here are my ideas; the last one is the best. Try it first.

1. Try uncommenting all of the "# /sbin/modprobe <modules>" lines at the top of the script. Maybe one isn't being autoloaded.

2. I ran this script on a machine where I have iptables compiled into the kernel and it ran without problems. If you have the option to re-compile with iptables compiled into the kernel, that might help too. BTW, which kernel are you running??

3. Edit your script; let's make it so that we can see which line causes the error. Find the line which reads

```
IPT="/sbin/iptables"
```

change it to read

```
IPT="iptables"

function iptables() {
  echo "${@}"
  /sbin/iptables "${@}"
}
```

This will output each command as it is run. The lines which are causing the errors will display before each error. Then we can fix that problem.

----------

## LeHardi

 *geeojr wrote:*   

> 
> 
> 3. Edit your script; let's make it so that we can see which line causes the error. Find the line which reads
> 
> ```
> ...

 

Step 3. It shows that 2 modules aren't loaded: multiport and ipt_unclean.

```
Loading kernel modules ...
FATAL: Module multiport not found.
FATAL: Module ipt_unclean not found.
```

Uncommenting lines from iptables doesn't show anything. My kernel is 2.6.13-r3. So have I missed some options in the kernel config? I checked all iptables and routing options on, I think. So what's missing?

-- 

Lehardi

----------

## geeojr

 *LeHardi wrote:*   

> 
> 
> ```
> 
> Loading kernel modules ...
> ...

 

Could you post the full output of the script to give a better perspective?

----------

## LeHardi

 *geeojr wrote:*   

>  *LeHardi wrote:*   
> 
> ```
> 
> Loading kernel modules ...
> ...

 

OK There is a full output:

```
Rincewind init.d # ./iptables
Loading kernel modules ...
FATAL: Module multiport not found.
FATAL: Module ipt_unclean not found.
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
Create and populate custom rule chains ...
Process INPUT chain ...
iptables: No chain/target/match by that name
Process FORWARD chain ...
Process OUTPUT chain ...
Load rules for nat table ...
Load rules for mangle table ...
```

-- 

LeHardi

----------

## geeojr

```
IPT="iptables"

function iptables() {
  echo "${@}"
  /sbin/iptables "${@}"
}
```

Is this still in your script?? You should have very verbose output with this change. This is what I'd like to see the output of.

----------

## LeHardi

 *geeojr wrote:*   

> 
> 
> ```
> IPT="iptables"
> 
> ...

 

Yes it is. I copied and pasted it to avoid making any mistakes (especially of a syntax nature). But in this case it did not produce very verbose output, only 2 additional error messages about loading modules. Maybe it's weird, but it is.

EDITED: unfortunately the modules don't cause this situation: I commented out ipt_unclean - this option was probably removed from the latest 2.6.x series (as I read in the docs). Next I changed multiport to ipt_multiport - these two changes made the errors about loading modules disappear. But it's a dead end and changes nothing about my problem.

-- 

LeHardi

----------

## LeHardi

I've found the rule that causes this error. It's

```
# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
```

What is this rule for? Does it play an important role in iptables? What's wrong with it and in what way may it be corrected?

-- 

LeHardi

----------

## LeHardi

 *LeHardi wrote:*   

> NPUT -m pkttype --pkt-type broadcast -j DROP
> 
> [/code]
> 
> What is this rule for? Does it play important role in iptables? What's wrong with it and what way it may be corrected?
> ...

 

I added a line in the iptables script to load the ipt-pkttype module and the error disappeared. Unfortunately iptables still doesn't work; when it is turned on it breaks all Internet connections. Is there any very simple set of filtering rules to check if iptables works OK? Any suggestions?

Applying rules with the guarddog doesn't change this situation and iptables stops all Internet traffic too.

-- 

LeHardi

----------
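The failing rule in this thread used a match whose module was not loaded. As an added example (not code from any poster in the thread), the script below lists the modules a rule set needs and compares them with the loaded ones. It assumes the 2.6.13-era naming in which match `foo` and target `BAR` live in `ipt_foo` and `ipt_BAR` (later kernels moved many of these to `xt_` names); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): which ipt_* modules do the rules need,
# and which of them are not loaded?

# Constructed sample: rules copied from the script posted in the thread.
RULES='
$IPT -N bad_packets
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
'

# Constructed sample: module names from the lsmod listing in the thread.
# On a live system: LOADED=$(lsmod | awk 'NR > 1 { print $1 }')
LOADED='ip_tables iptable_filter iptable_nat iptable_mangle ip_conntrack
ipt_state ipt_LOG ipt_REJECT ipt_TOS ipt_MASQUERADE'

# Print, one per line, the module behind every -m match and -j target.
# Assumption: match "foo" lives in ipt_foo, target "BAR" in ipt_BAR.
# Built-in verdicts and chains created with -N need no module.
required_modules() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-m") need["ipt_" $(i + 1)] = 1
                if ($i == "-j") target[$(i + 1)] = 1
                if ($i == "-N") chain[$(i + 1)] = 1
            }
        }
        END {
            for (t in target)
                if (t !~ /^(ACCEPT|DROP|RETURN|QUEUE)$/ && !(t in chain))
                    need["ipt_" t] = 1
            for (m in need) print m
        }' | LC_ALL=C sort
}

# Print the required modules that are absent from the loaded list ($2).
missing_modules() {
    loaded=" $(echo $2) "          # collapse newlines/tabs to single spaces
    for mod in $(required_modules "$1"); do
        case "$loaded" in
            *" $mod "*) ;;
            *) echo "$mod" ;;
        esac
    done
}

missing_modules "$RULES" "$LOADED"
```

Run against the module names from the `lsmod` listing posted earlier, it reports `ipt_limit` and `ipt_pkttype`.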

