# What's wrong with my iptables script? [SOLVED]

## MdaG

When I boot up my machine I get this message when it tries to run the firewall script. It's also making the net unavailable to me. I have to remove the script from runtime to get access again.

```
.
.
iptable: No chain/target/match by that name.
iptable: No chain/target/match by that name.
iptable: No chain/target/match by that name.
iptable: No chain/target/match by that name.
.
.
```

This is my script:

```sh
#!/bin/sh

# IPTABLES=/sbin/iptables is where the iptables binary is normally placed.
IPTABLES=/sbin/iptables

case "$1" in
start|reload|restart)
    # flush existing rules
    ${IPTABLES} -F INPUT

    # Allow echo requests from my hood
    ${IPTABLES} -A INPUT -i eth0 -d xx.xx.xxx.xx -p icmp --icmp-type echo-request -j ACCEPT

    # Allow replies to all data that has been sent out meant for this machine
    # (these need the connection-tracking "state" match: ip_conntrack + ipt_state)
    ${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
    ${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
    ${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp

    # Allow incoming SSH requests
    #${IPTABLES} -A INPUT -p tcp --dport ssh -j ACCEPT

    # Allow incoming Samba connections
    #${IPTABLES} -A INPUT -p tcp --dport netbios-ssn -j ACCEPT
    #${IPTABLES} -A INPUT -p tcp --dport microsoft-ds -j ACCEPT
    # (service name in /etc/services is "swat", port 901)
    #${IPTABLES} -A INPUT -p tcp --dport swat -j ACCEPT
    #${IPTABLES} -A INPUT -p udp --dport netbios-ns -j ACCEPT
    #${IPTABLES} -A INPUT -p udp --dport netbios-dgm -j ACCEPT

    # Allow incoming ipp for network printing -- We don't have a printer.
    #${IPTABLES} -A INPUT -p tcp --dport ipp -j ACCEPT
    #${IPTABLES} -A INPUT -p udp --dport ipp -j ACCEPT

    # Allow incoming https/www for web.
    ${IPTABLES} -A INPUT -p tcp --dport https -j ACCEPT
    ${IPTABLES} -A INPUT -p tcp --dport www -j ACCEPT
    ${IPTABLES} -A INPUT -p tcp --dport 8080 -j ACCEPT

    # Allow incoming smtp connections.
    ${IPTABLES} -A INPUT -p tcp --dport smtp -j ACCEPT

    # Allow incoming spamd connections:
    #${IPTABLES} -A INPUT -p tcp --dport spamd -j ACCEPT

    # Drop and log all other data: log at most 3 dropped packets/second after an
    # initial burst of 5, so a flood of dropped packets cannot fill the log and
    # help a DOS attack crash the computer. Needs the "limit" match and the LOG
    # target (ipt_limit + ipt_LOG). "-i ! lo" is the old negation syntax; newer
    # iptables versions prefer "! -i lo".
    ${IPTABLES} -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG --log-level 4 --log-prefix "[iptables] "
    ${IPTABLES} -A INPUT -i ! lo -j DROP
    ;;
stop)
    # flush existing rules
    ${IPTABLES} -F INPUT
    ;;
status)
    ${IPTABLES} -L -v -n
    ;;
*)
    echo "Usage: $0 {start|restart|reload|stop|status}"
    exit 1
    ;;
esac

exit 0
```

Last edited by MdaG on Tue May 17, 2005 6:31 am; edited 2 times in total

----------

## acasto

Any kernel settings changed? Are your netfilter parts modules or in the kernel? Have you tried implementing it manually from the cli to see where it acts up?

----------

## MdaG

 *acasto wrote:*   

> Any kernel settings changed? Are your netfilter parts modules or in the kernel? Have you tried implementing it manually from the cli to see where it acts up at?

 

The kernel settings are modules. I've not tried implementing it manually. How do I do that?

----------

## acasto

If the modules aren't loaded before the script is run, then you will get those errors. Anyway, to run it manually, I'd just take each rule from the script and run it on the command line one by one to see if they go through or not to begin with, or which ones it is. Then you can use "iptables -L -n" to see the iptables rules that are running.

----------

## MdaG

Ah ok. Well, it seems to be these four lines that won't match, which explains why I won't get a connection at all...

```
${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
.
.
.
${IPTABLES} -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG --log-level 4 --log-prefix "[iptables] "
```

Have I missed some option in the kernel config?

----------

## acasto

 *MdaG wrote:*   

> Ah ok. Well it seems to be these four lines that won't match. Which explains why I won't get a connection at all...
> 
> ```
> 
> ${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
> ...

 

I had the same problem with almost the same type of rules. Mine was because I didn't have conntrack set up in the kernel, which is what handles the ESTABLISHED part of that rule. Is the module loaded? I usually build the netfilter parts that are used in my firewall right into the kernel; that way the basic firewall is not dependent on any modules to load.

----------

## MdaG

I have connection tracking built as a module...

----------

## acasto

Do you have "Connection state match support" in there?

----------

## MdaG

 *acasto wrote:*   

> Do you have "Connection state match support" in there?

 

Nope, should I enable it? (as module?)

----------

## acasto

 *MdaG wrote:*   

>  *acasto wrote:*   Do you have "Connection state match support" in there? 
> 
> Nope, should I enable it? (as module?)

 

Yeah, try putting it in there as a module. And make "Helper match support" a module as well if you don't already have it.

----------

## MdaG

Tried it without helper match support and it didn't work either.

----------

## acasto

 *MdaG wrote:*   

> Tried it without helper match support and it didn't work either 

 

Are these shown when you run lsmod?

```
ipt_state
iptable_nat
ip_conntrack
```

----------

## MdaG

Nope.

My script is disabled right now, otherwise I wouldn't be able to post here.

----------

## acasto

Can you modprobe them in? Perhaps they aren't loading upon booting. They won't affect your connection just being in there. I'm just wondering about their loading because if they do like they should, even when you shut down your script, the modules should remain in there. If you test your script while your system's up and it doesn't work, just run an "iptables -F" to flush it. And if you need to change your input policy from the command line, just run "iptables -P INPUT ACCEPT".

----------

## MdaG

I can modprobe all except ipt_state

```
# modprobe ipt_state
FATAL: Module ipt_state not found.
```

----------

## acasto

Does it exist in /lib/modules/<your kernel version>/kernel/net/ipv4/netfilter/ipt_state.ko ?

----------

## MdaG

 *acasto wrote:*   

> Does it exist in /lib/modules/<your kernel version>/kernel/net/ipv4/netfilter/ipt_state.ko ?

 

Nope. I guess I must have missed compiling it with the rest of the modules...?

I can't find the right option for it though.

*edit*

How do I make ipt_state available and why do I need it?

----------

## MdaG

Öhm, "l33t" aka "n00b" still needs help.

Seriously, I still haven't solved this.

----------

## acasto

I didn't know if putting in that module last time worked or not. Did you compile the module and insert it? Also, with all the correct modules in, is it giving you the same errors from the start?

----------

## MdaG

 *acasto wrote:*   

> I didn't know if putting in that module last time worked or not. Did you compile the module and insert it? Also, with all the correct modules in, is it giving you the same errors from the start?

 

Yeah I still get the same error message. One thing though. The modules iptable_nat and ip_conntrack aren't in the list after I reboot even if I do a modules-update. I'm not sure I have all the necessary parts built in my kernel. I just followed this guide basically.

----------

## acasto

 *MdaG wrote:*   

> Yeah I still get the same error message. One thing though. The modules iptable_nat and ip_conntrack aren't in the list after I reboot even if I do a modules-update. I'm not sure I have all the necessary parts built in my kernel. I just followed this guide basically.

 

To see if the modules are built, check in /lib/modules/2.6.11.5-cko2/kernel/net/ipv4/netfilter/ 

If they aren't in there, then they'll need to be built and installed from the kernel source. If they are in there though, just modprobe them in and test your firewall again to see if it works. If so, to get them in during boot, just enter them in /etc/modules.autoload.d/kernel-2.6

----------

## MdaG

iptable_nat and ip_conntrack are there but ipt_state is not. What option should I check in menuconfig to build that module?

----------

## acasto

It's under the netfilter configuration menu and is titled "Connection state match support"; the name of the setting in .config is CONFIG_IP_NF_MATCH_STATE.

----------

## MdaG

That's strange, I already have that compiled as a module.

Still ipt_state isn't available.

----------

## acasto

Is it still in the kernel source tree? Can you try:

```
find /usr/src/<your kernel source> -iname ipt_state.ko
```

If it's in there just copy it to /lib/modules/2.6.11.5-cko2/kernel/net/ipv4/netfilter/

----------

## frostschutz

 *MdaG wrote:*   

> 
> 
> ```
> iptable: No chain/target/match by that name.
> ```
> ...

 

This is one hell of a stupid error message... replace #!/bin/sh with #!/bin/bash -x to see which commands exactly are the ones that fail. Otherwise you'll have to do a lot of guesswork which chain/target/match your iptables/kernel might be missing.

----------

## MdaG

No, it's not there...

I just want to say that I really appreciate you going out of your way to help someone you don't know.

If I could I'd put a gold star next to your avatar for everyone to see.

----------

## acasto

 *MdaG wrote:*   

> I just want to say that I really appreciate you going out of your way to help someone you don't know 
> 
> If I could I'd put a gold star next to you avatar for everyone to see 

 

No problem, I've learned so much about Gentoo from these forums. That's what makes this such a great distro: everybody helps everybody else.

Okay, you said that was checked in your menuconfig settings. After setting them you ran 'make modules' right? You could try running a 'make clean' then 'make modules' and 'make modules_install' after that. If you are using any 3rd party binary modules like an Nvidia driver, you may want to skip the 'make modules_install' part and just copy that one module by hand.

I'm pretty sure that's what's keeping it from loading because I think that was what was messing mine up when I got that same message. Plus, that module I believe is what takes care of that part of your script. It tracks the state of the connections to determine the already established ones.

----------

## MdaG

It seems like it's this line it's complaining about now. The rest seem to have passed.

```
${IPTABLES} -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG --log-level 4 --log-prefix "[iptables] "
```

----------

## acasto

 *MdaG wrote:*   

> It seems like it's this line it's complaining about now. The rest seem to have passed.
> 
> ```
> ${IPTABLES} -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG --log-level 4 --log-prefix "[iptables] "
> 
> ...

 

That looks right. I have an almost exact command in one of my scripts, just not with the "-i ! lo" part, and my log prefix is in single quotes instead of double quotes. Have you tried using single quotes, '[iptables]'? I don't know if it would make much of a difference, but it's easy to try and see.

The other thing would be in the kernel again. Is the "limit match support" compiled? The option in .config is "CONFIG_IP_NF_MATCH_LIMIT".

I hate it that this is causing so much trouble for you. I wish I had an answer that would take care of it all. One thing I can tell you though, from having compiled many kernels for servers with firewalls, is that sometimes it's good practice to go ahead and just compile in, or as modules, most of the netfilter options. In mine, I've only left out certain protocols that I know I don't use, but most rules are in. That way I won't run into something later if I change my configuration and have to recompile the kernel.

Anyways, hope this works.

----------

## splooge

after doing 'make bzImage' did you do a 'make modules_install' ?  That's what copies the modules to /lib/modules....

----------

## MdaG

I got it working now. But I keep getting kicked out and have to log in again every 10 sec. Highly annoying. It's probably because I have to allow echo requests from my neighbourhood, but I've included:

```
${IPTABLES} -A INPUT -i eth0 -d xx.xx.xxx.xx -p icmp --icmp-type echo-request -j ACCEPT 
```

Isn't that enough?

Also, how do I know the firewall is working? I've tried it against GRC, but I was 100% safe before I initialized the iptables script...

----------

## acasto

 *MdaG wrote:*   

> I got it working now. But I keep getting kicked out and have to log in again every 10 sec. Highly annoying. It's probably cause I have to allow echo requests from my neighbourhood, but I've included:
> 
> ```
> ${IPTABLES} -A INPUT -i eth0 -d xx.xx.xxx.xx -p icmp --icmp-type echo-request -j ACCEPT 
> ```
> ...

 

What are you getting kicked out of? SSH? ICMP shouldn't have anything to do with it, but then again I'm not too sure. I looked through my rules created by shorewall and with every 'ESTABLISHED' I also see a 'RELATED' state rule, so you may want to look into that to see if it has any bearing.

 *MdaG wrote:*   

> Also how do I know the firewall is working? I've tried it against GRC, but I was 100% safe before I initialized the iptable script... 

 

You can check your rules with "iptables -L -n", but beyond that you'll just have to test it by trying it.

I'm glad it's working though.

----------

## frostschutz

You should not block ICMP at all unless you know exactly what you are doing.

----------

## MdaG

Thanks a lot for all the help I've gotten guys!

The "allow echo requests" is required if I'm to access the internet from my student apartment. But the instructions given are all relative to a Windows OS. I've e-mailed the support and asked about how to implement that using iptables.

*edit*

I changed the -d to -s and now it works.
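As an added example (not MdaG's posted script, and not taken from acasto's shorewall rules), here is the same INPUT policy with the fixes the thread converged on, plus a pre-flight check for the kernel module files whose absence showed up only as "No chain/target/match by that name". `xx.xx.xxx.xx` stays a placeholder for the host that pings the machine, eth0 is assumed, and the `check` subcommand and the IPTABLES/MODDIR/PING_SRC environment overrides are this example's own.

```sh
#!/bin/sh
# Added example, not the script posted in the thread. IPTABLES, MODDIR and
# PING_SRC come from the environment so the check and listing need no root.
IPTABLES=${IPTABLES:-/sbin/iptables}
MODDIR=${MODDIR:-/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter}
PING_SRC=${PING_SRC:-xx.xx.xxx.xx}   # placeholder: the host that pings us
# Kernel extensions the rules need (2.6-era ipt_* names; newer kernels use xt_*).
NEEDED="ip_conntrack ipt_state ipt_limit ipt_LOG"

# Report missing module files (iptables only says "No chain/target/match by that name").
check_modules() {
    missing=
    for m in $NEEDED; do
        [ -f "$MODDIR/$m.ko" ] || missing="$missing $m"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# Thread fixes: loopback accept, -s (not -d) on the ping rule, RELATED, "! -i lo".
rules() {
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s $PING_SRC -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -m limit --limit 3/second --limit-burst 5 -j LOG --log-level 4 --log-prefix "[iptables] "
-A INPUT ! -i lo -j DROP
EOF
}

apply_rules() {   # flush, then apply one rule at a time, naming the first failure
    $IPTABLES -F INPUT || return 1
    rules | while IFS= read -r r; do
        eval "$IPTABLES $r" || { echo "failed: $IPTABLES $r" >&2; exit 1; }
    done
}

case "${1:-}" in
    start|restart|reload) check_modules && apply_rules ;;
    stop)  $IPTABLES -F INPUT ;;
    check) check_modules ;;
    "")    ;;   # no argument: only define the functions (e.g. when sourced)
    *)     echo "Usage: $0 {start|restart|reload|stop|check}"; exit 1 ;;
esac
```

Running `check` before `start` turns the vague iptables error into the name of the .ko file to build, and `rules` can be listed by piping the function's output before anything is applied.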

----------

