# iptables: Protocol wrong type for socket. [SOLVED]

## pigreco

In my fresh Gentoo installation with hardened kernel 3.1.5 (grsecurity+PaX) I have this problem:

```
etaromsei ~ # iptables -A INPUT -p tcp -m state --state INVALID -j DROP
iptables: Protocol wrong type for socket.
etaromsei ~ # iptables -A INPUT -p tcp -m state --state INVALID -j LOG --log-prefix " Invalida: "
iptables: Protocol wrong type for socket.
etaromsei ~ # iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables: Protocol wrong type for socket.
etaromsei ~ # iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "Nuova non syn:"
iptables: Protocol wrong type for socket.
etarometaromsei ~ # iptables -A INPUT -m state --state INVALID -j DROP
iptables: Protocol wrong type for socket.
etaromsei ~ # iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: Protocol wrong type for socket.
```

I don't understand where the problem is; all kernel modules for IP filtering are built in.

Any suggestions? Regards,

Maurizio

Last edited by pigreco on Thu Feb 02, 2012 1:50 pm; edited 1 time in total

----------

## wcg

What happens if you leave "-p tcp" out of the first iptables command in your error report? Do you still get the error? (You can run iptables as an interactive shell command from a text-mode console to test.)

That error message is what "strerror(EPROTOTYPE)" returns. EPROTOTYPE is an errno value set by some system calls related to sockets in case of particular kinds of error.

In this case the error is probably coming from a function call that takes as an argument the open file descriptor number of an internal netlink socket used by iptables. (Whether the error reflects an iptables bug or a kernel bug is a question that an strace might answer for upstream iptables maintainers. A mismatch between some header value in the compiled kernel and your installed linux-headers version could produce this result, too.)

----------

## Hu

Also, please post the output of emerge --info net-firewall/iptables.

----------

## pigreco

iptables is down now; I'm working on the mail service setup, and I still haven't rewritten a new firewall.

Here is my emerge --info:

```
emerge --info net-firewall/iptables
Portage 2.1.10.41 (hardened/linux/x86, gcc-4.5.3, glibc-2.13-r4, 3.1.5-hardened i686)
=================================================================
                        System Settings
=================================================================
System uname: Linux-3.1.5-hardened-i686-Intel-R-_Xeon-TM-_CPU_3.40GHz-with-gentoo-2.0.3
Timestamp of tree: Tue, 10 Jan 2012 18:45:01 +0000
app-shells/bash:          4.1_p9
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.2-r3, 3.1.4-r3
dev-util/cmake:           2.8.6-r4
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.9.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r1
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 2.6.39 (virtual/os-headers)
sys-libs/glibc:           2.13-r4
Repositories: gentoo
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://gentoo.lagis.at/ http://gd.tuwien.ac.at/opsys/linux/gentoo/ http://ftp.spline.inf.fu-berlin.de/mirrors/gentoo/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/ http://mirrors.cs.wmich.edu/gentoo http://mirror.datapipe.net/gentoo"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="it de fi en"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync1.at.gentoo.org/gentoo-portage"
USE="acl apache2 auth authdaemond authn authn_file berkdb bzip2 cli cracklib crypt cups cxx dri dynamicplugin gd gdbm gocr gpm hardened iconv imap inline java jpeg jpeg2k libwww maildir modules mpeg mudflap mysql ncurses nls nptl nptlonly openmp pam pax_kernel pcre perl pic png pnm pppd readline sasl session snortsam spell ssl sysfs tcpd tiff truetype urandom vda x86 xml xorg zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias proxy access auth_digest alias file-cache echo charset-lite cache disk-cache mem-cache ext-filter case_filter case-filter-in filter deflate mime-magic cern-meta expires headers usertrack unique-id proxy proxy-connect proxy-ftp proxy-http info include cgi cgid dav dav-fs vhost-alias speling rewrite log_config logio env setenvif mime status autoindex asis negotiation dir imap actions userdir so authz_host mod_php mod_bandwidth mod_layout mod_ldap_userdir mod_loopback mod_mp3 mod_random mod_throttle mod_watch" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip 
navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="it de fi en" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 intel mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa via vmware nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, MAKEOPTS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
=================================================================
                        Package Settings
=================================================================
net-firewall/iptables-1.4.12.1 was built with the following:
USE="-ipv6 -netlink"
```

> (You can run iptables as an interactive shell command from a text-mode console to test.)

I have tried in the past but I don't understand how...

----------

## wcg

Say I am at a shell prompt on a virtual console login or in a text-mode terminal window like an xterm. "#" in the example below is a shell prompt, what the terminal displays to tell me that it is ready to accept another command.

```
# iptables -A INPUT -m state --state INVALID -j DROP
```

Is any message displayed when you enter this command?

(The user interface to iptables is that of a command line program, like cat, diff, grep, ls, and so on. An iptables firewall is built by running this command line program multiple times in sequence with different command line options to create a structure of netfilter rules for network packet handling inside the kernel. Usually these multiple invocations of iptables are aggregated in a shell script for convenience, but you can also run them interactively from a login shell to test changes and so on.)

----------

## pigreco

I'm sorry to be late:

```
iptables -A INPUT -p tcp -m state --state INVALID -j DROP
iptables: Protocol wrong type for socket.
```

and this is my kernel config for the 'state' packet filter:

```
Symbol: NETFILTER_XT_MATCH_STATE [=y]
Type  : tristate
Prompt: "state" match support
  Defined at net/netfilter/Kconfig:1022
  Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NETFILTER_XTABLES [=y] && NF_CONNTRACK [=y]
  Location:
    -> Networking support (NET [=y])
      -> Networking options
        -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
          -> Core Netfilter Configuration
            -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y])
```

It's built in, or am I wrong?

----------

## pigreco

It was a kernel problem, resolved by applying the configuration of an identical server, but it was not possible to understand what the problem was.

Thanks for helping me,

Maurizio

----------

## wcg

The question would be how does the kernel configuration that worked differ from the kernel configuration that did not work? (Compare the /usr/src/linux-[version]/.config files to see what is different.)

(That error message could be one of those where the code did not have a standard error message that exactly described the problem, so the programmer used what seemed like the closest thing to describe it. Like, if you see a house on fire, and it is out in the country, not in a town, and you do not know the address and maybe not even the road, but you know a certain village is nearby, so you call the fire department and report a fire "near this village" and hope that they can see the smoke when they get close.)

----------
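The .config comparison wcg suggests, as an added example that is not part of the thread: a small POSIX sh script that diffs two kernel configs only on the netfilter symbols the rules in the first post depend on (conntrack, the "state" match, the LOG target and the IPv4 filter table). The symbol list and the two sample configs are constructed for the demo; on a real system point the functions at the actual /usr/src/linux-*/.config files or at the output of `zcat /proc/config.gz`.

```shell
#!/bin/sh
# Added example, not from the thread. Symbols (3.x-era names) assumed to be
# what "-m state", "-j LOG" and "-j DROP" in the INPUT chain need; extend
# the list for any other match or target your ruleset uses.
NF_SYMBOLS="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_NF_CONNTRACK \
CONFIG_NF_CONNTRACK_IPV4 CONFIG_NETFILTER_XT_MATCH_STATE \
CONFIG_NETFILTER_XT_TARGET_LOG CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER"

# Print one symbol's value from a .config: y, m, or n when it is unset
# ("# CONFIG_FOO is not set" lines never match the SYMBOL= pattern).
config_value() {  # $1 = .config path, $2 = symbol name
    val=$(sed -n "s/^$2=\(.*\)/\1/p" "$1" | head -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo "n"; fi
}

# List symbols whose values differ, one per line as "SYMBOL working broken".
netfilter_config_diff() {  # $1 = working .config, $2 = broken .config
    for sym in $NF_SYMBOLS; do
        a=$(config_value "$1" "$sym"); b=$(config_value "$2" "$sym")
        if [ "$a" != "$b" ]; then echo "$sym $a $b"; fi
    done
}

# Count symbols that are neither built in (y) nor modular (m) in a .config.
missing_count() {  # $1 = .config path
    n=0
    for sym in $NF_SYMBOLS; do
        if [ "$(config_value "$1" "$sym")" = "n" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample configs: the "working" one has everything built in,
# the "broken" one lacks IPv4 conntrack glue and the filter table.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/config.working" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_TARGET_LOG=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
EOF
sed -e 's/^CONFIG_NF_CONNTRACK_IPV4=y/# CONFIG_NF_CONNTRACK_IPV4 is not set/' \
    -e 's/^CONFIG_NETFILTER_XT_TARGET_LOG=y/CONFIG_NETFILTER_XT_TARGET_LOG=m/' \
    -e 's/^CONFIG_IP_NF_FILTER=y/# CONFIG_IP_NF_FILTER is not set/' \
    "$DEMO_DIR/config.working" > "$DEMO_DIR/config.broken"

echo "symbol working broken"
netfilter_config_diff "$DEMO_DIR/config.working" "$DEMO_DIR/config.broken"
```

A symbol that shows up as `n` in the failing kernel while the rule needs it is the first thing to fix; a value of `m` only helps if the module is actually loaded when the rule is inserted.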

