# Trouble with iptables owner match??

## hanj

Hello

I'm configuring iptables to use owner match to restrict outbound traffic to certain ports/IPs based on owner. I've done this plenty of times on hardened-sources kernels, but I'm encountering a weird problem with this particular gentoo install using gentoo-sources.

With this particular command (or any -m owner --uid-owner *):

```
iptables -A OUTPUT -p tcp --dport 873 -m owner --uid-owner 0 -j ACCEPT
```

I'm receiving the following:

```
iptables: No chain/target/match by that name.
```

I have the following configured in the kernel (and rebooted several times)

```
 <*>   "owner" match support
```

I can also verify that it's built

```
ls /lib/xtables/ | grep owner

libxt_owner.so
```

I can also verify that the chain exists:

```
iptables -L -n | grep OUTPUT

Chain OUTPUT (policy DROP)
```

So, I'm a little confused. It's complaining that either the chain, target or match is missing. I verified that the chain exists. I verified that the match is built, and I know that owner 0 exists. Any ideas?

Thanks!

hanji

----------
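The three checks in the post above (chain exists, `libxt_owner.so` is installed, the kernel option is enabled) cover the userspace side, but "No chain/target/match by that name" is the text iptables prints when the kernel answers ENOENT to the rule, i.e. the running kernel has no "owner" match it can attach to the rule even though userspace loaded the plugin. The script below is an added diagnostic, not something from this thread or from the iptables project, that separates the userspace question from the kernel one. It reads a kernel config file, the kernel's list of registered IPv4 matches (`/proc/net/ip_tables_matches`, one match name per line) and the xtables plugin directory; all three are passed as paths so it can be run against the real files or against copies. The result tokens (`ok-builtin`, `module-not-loaded`, and so on) are names chosen here, not iptables output.

```shell
#!/bin/sh
# Added diagnostic for "-m owner" failing with
# "iptables: No chain/target/match by that name."
#
# Usage: sh owner_diag.sh KCONFIG MATCHES LIBDIR
#   KCONFIG  kernel config, e.g. /boot/config-$(uname -r)
#            (or: zcat /proc/config.gz > /tmp/kcfg and pass /tmp/kcfg)
#   MATCHES  /proc/net/ip_tables_matches (matches the running kernel registered)
#   LIBDIR   directory holding the iptables plugins, e.g. /lib/xtables or /usr/lib/xtables
#
# The result tokens printed by diagnose_owner_match are invented for this
# script; they are not iptables messages.

owner_kconfig_state() {
    # Prints builtin | module | missing depending on CONFIG_NETFILTER_XT_MATCH_OWNER.
    if grep -q '^CONFIG_NETFILTER_XT_MATCH_OWNER=y' "$1"; then
        echo builtin
    elif grep -q '^CONFIG_NETFILTER_XT_MATCH_OWNER=m' "$1"; then
        echo module
    else
        echo missing
    fi
}

owner_registered() {
    # Succeeds when the running kernel lists "owner" among its IPv4 matches.
    grep -qx 'owner' "$1"
}

owner_userspace_present() {
    # Succeeds when the iptables plugin for the match is installed.
    [ -r "$1/libxt_owner.so" ]
}

diagnose_owner_match() {
    # Prints one token saying where the chain of dependencies breaks.
    # Exit status 0 only when both userspace and kernel sides are present.
    cfg=$1; matches=$2; libdir=$3

    if ! owner_userspace_present "$libdir"; then
        # Without the plugin iptables fails earlier, with "Couldn't load match".
        echo "no-userspace-plugin"
        return 1
    fi

    state=$(owner_kconfig_state "$cfg")

    if owner_registered "$matches"; then
        echo "ok-$state"
        return 0
    fi

    case $state in
        module)  echo "module-not-loaded" ;;          # try: modprobe xt_owner
        builtin) echo "builtin-but-unregistered" ;;   # config file is not the running kernel's?
        *)       echo "not-in-kernel" ;;
    esac
    return 1
}

if [ $# -eq 3 ]; then
    diagnose_owner_match "$1" "$2" "$3"
    exit $?
fi
```

If the script reports `ok-builtin` or `ok-module` and the rule still fails, the name is registered but the kernel and `libxt_owner.so` disagree on something else (in practice the match revision the two sides expect), which is a version question rather than a configuration one; swapping the kernel, as suggested later in the thread, is the direct way to test that.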

## Sadako

Running hardened-sources 2.6.29 here myself, and that iptables command works perfectly for me, as the --uid-owner match always has.

What kernel and iptables versions?

Try simply "iptables -A OUTPUT -m owner --uid-owner 0" to confirm the problem is actually with the owner match.

Will it work with a UID other than 0, or if you specify a user by name, or try just "--socket-exists" rather than --owner (just for testing purposes)?

----------

## hanj

Hopeless, thanks for the reply!

Yeah, running it on hardened-sources is not a problem for me as well. This is on the latest gentoo-sources.

```
iptables -A OUTPUT -m owner --uid-owner 0
iptables: No chain/target/match by that name.

iptables -A OUTPUT -m owner --uid-owner 81
iptables: No chain/target/match by that name.

iptables -A OUTPUT -m owner --socket-exists
# or
iptables -A OUTPUT -m owner --uid-owner 0 --socket-exists
iptables v1.4.3.2: unknown option `--socket-exists'
Try `iptables -h' or 'iptables --help' for more information.
```

Here is my emerge --info output:

```
Portage 2.1.6.13 (default/linux/x86/2008.0, gcc-4.3.2, glibc-2.9_p20081201-r2, 2.6.30-gentoo-r5 i686)
=================================================================
System uname: Linux-2.6.30-gentoo-r5-i686-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_5200+-with-gentoo-1.12.11.1
Timestamp of tree: Sun, 06 Sep 2009 07:30:01 +0000
app-shells/bash:     3.2_p39
dev-lang/python:     2.6.2-r1
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
LINGUAS="en"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl apache2 berkdb bzip2 cli cracklib crypt dri fortran gdbm gpm iconv innodb isdnlog maildir mudflap mysql ncurses nptl nptlonly openmp openssh pam pcre perl php pppd pwdb python readline reflection sasl session snmp snortsam spl ssl sysfs tcpd unicode vhosts x86 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="prefork" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
```

Thanks!

hanji

----------

## Sadako

I believe iptables 1.4.4 was released specifically for better support of and compatibility with 2.6.30 kernels, so try upgrading to that version and test again.

----------

## hanj

 *Hopeless wrote:*   

> I believe iptables 1.4.4 was released specifically for better support of and compatibility with 2.6.30 kernels, so try upgrading to that version and test again.

 

I upgraded to 1.4.4 and the problem persists. I think I'll just change the kernel to hardened-sources and see if that fixes it. I prefer hardened anyway.

Thanks!

hanji

----------

## Sadako

 *hanj wrote:*   

>  *Hopeless wrote:*   I believe iptables 1.4.4 was released specifically for better support of and compatibility with 2.6.30 kernels, so try upgrading to that version and test again. 
> 
> I upgraded to 1.4.4 and the problem persists. I think I'll just change the kernel to hardened-sources and see if that fixes it. I prefer hardened anyway.
> 
> Thanks!
> ...

If you're changing kernels anyway, I'd suggest trying a gentoo-sources 2.6.29 kernel first, just to see if the problem is there.

If it's not, then you may get hit with the same issue when (or if) hardened-sources 2.6.30 gets released.

----------

## hanj

 *Hopeless wrote:*   

> If you're changing kernels anyway, I'd suggest trying a gentoo-sources 2.6.29 kernel first, just to see if the problem is there.
> 
> If it's not, then you may get hit with the same issue when (or if) hardened-sources 2.6.30 gets released.

 

Good point. I'll do that on Monday.

Thanks for the help!

hanji

----------

