# iptables error

## dwC24

Hi everyone,

I am totally new to Gentoo so bear with me here.

I installed iptables included as a kernel module and I am receiving the following error:

```
dwc2 ~ # /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: Unknown error 4294967295
```

Ultimately I am trying to use shorewall here but this error is being reported by iptables. I am not sure what I am missing but I am sure I have all of the appropriate modules loaded.

```
Module                  Size  Used by
ipt_pkttype              928  0
ipt_CLASSIFY            1344  0
ipt_owner               1280  0
ipt_recent              7596  0
ipt_iprange             1024  0
ipt_multiport           1536  0
iptable_mangle          1696  0
ip_nat_irc              1536  0
ip_nat_tftp              992  0
ip_nat_ftp              1952  0
iptable_nat             5220  0
ip_nat                 11788  4 ip_nat_
ip_conntrack_irc        4272  1 ip_nat_
ip_conntrack_tftp       2552  1 ip_nat_
ip_conntrack_ftp        4976  1 ip_nat_
ip_conntrack           30328  8 ip_nat_                                             ,ip_conntrack_irc,ip_conntrack_tftp,ip_
iptable_filter          1696  1
usbcore                83748  1
iptable_raw             1184  0
ip_tables              17184  10 ipt_pk                                             prange,ipt_multiport,iptable_mangle,ipt
s2io                   50960  0
via_rhine              17796  0
8139too                20096  0
mii                     3008  2 via_rhi
```

```
dwc2 ~ # uname -a
Linux dwc2.scanbc.com 2.6.15-gentoo-r1 #4 SMP PREEMPT Tue Feb 7 23:21:31 PST 2006 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
```

```
dwc2 ~ # zgrep -i netfilter /proc/config.gz
CONFIG_NETFILTER=y
dwc2 ~ # zgrep -i ipt /proc/config.gz
CONFIG_IP_NF_IPTABLES=m
```

I followed the directions as per this howto http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

What's my next step here?

Thanks,

dwC

Last edited by dwC24 on Wed Feb 08, 2006 10:31 am; edited 1 time in total

----------

## dwC24

With Iptables 1.3.4 I get this error:

```
dwc2 etc # iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables: No chain/target/match by that name
dwc2 etc #
```

With iptables 1.3.5 I get this error:

```
dwc2 etc # iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables: Unknown error 4294967295
dwc2 etc #
```

dwC

----------

## magic919

Could you run

```
grep _NF_ /usr/src/linux/.config
```

to show all kernel options for this, and paste here.

----------

## dwC24

Here we go;

```
dwc2 ~ # grep _NF_ /usr/src/linux/.config
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_NETBIOS_NS is not set
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
# CONFIG_IP_NF_MATCH_HELPER is not set
# CONFIG_IP_NF_MATCH_STATE is not set
# CONFIG_IP_NF_MATCH_CONNTRACK is not set
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_SCTP=m
CONFIG_IP_NF_MATCH_DCCP=m
CONFIG_IP_NF_MATCH_COMMENT=m
# CONFIG_IP_NF_MATCH_CONNMARK is not set
# CONFIG_IP_NF_MATCH_CONNBYTES is not set
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_STRING=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ULOG is not set
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_TARGET_NFQUEUE=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_TTL=m
# CONFIG_IP_NF_TARGET_CONNMARK is not set
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=m
# CONFIG_IP_NF_TARGET_NOTRACK is not set
# CONFIG_IP_NF_ARPTABLES is not set
dwc2 ~ #
```

----------

## magic919

```
# CONFIG_IP_NF_MATCH_STATE is not set
```

----------

## freegianghu

If you are using kernel 2.6.16-rc1, try:

```
iptables -L
```

if you get:

 *Quote:*   

> ERROR: 0 not a valid target)
> 
> Aborted

 

try using patch:

http://user.it.uu.se/~mikpe/linux/patches/2.6/patch-xt_align-fix-2.6.16-rc1

Cheers,

GH.

----------

## mauricev

I am seeing the identical problem with 2.6.16.1. Looks like a bug in iptables.

 *Quote:*   

> CONFIG_IP_NF_MATCH_STATE is not set

 

It no longer exists. The iptables authors decided to complicate iptables by adding a separate set of modules under _XT_, so that one is there now and to make things difficult by not documenting any of the changes.   :Mad: 

----------

## outspoken

you have to set CONFIG_NETFILTER_XTABLES in the kernel. many of the iptables config options have been moved here. like match, state, conntrack, etc.

----------

## mauricev

It turns out there is another module, xt_tcpudp, that doesn't have any corresponding config option. It gets built when turning on xtables, which itself is the module called x_tables ; xt_tcpudp wasn't loading. Turning on automatic module loading in the kernel fixes this or it can be loaded manually.

----------

## afabco

I'm getting a similar error:

```
green linux # /etc/init.d/shorewall restart
 * Restarting firewall ...
iptables: No chain/target/match by that name
   ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
/etc/init.d/shorewall: line 26: 22032 Terminated              /sbin/shorewall restart >/dev/  [ !! ]
```

The two modules mentioned are loaded

```
green linux # lsmod|grep x_tables
x_tables               10244  14 xt_tcpudp,ipt_TOS,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_esp,ipt_ECN,ipt_DSCP,ipt_ah,iptable_nat,ip_tables
```

```
green linux # lsmod|grep xt_tcpudp
xt_tcpudp               3968  0
x_tables               10244  14 xt_tcpudp,ipt_TOS,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_esp,ipt_ECN,ipt_DSCP,ipt_ah,iptable_nat,ip_tables
```

There's nothing in the .config that obviously says "NF_FORWARD":

```
green linux # grep _NF_ /usr/src/linux/.config
CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
# CONFIG_IP_NF_FTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_NETBIOS_NS is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_PPTP=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_IPRANGE is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_DSCP is not set
CONFIG_IP_NF_MATCH_AH_ESP=m
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
# CONFIG_IP_NF_MATCH_POLICY is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
# CONFIG_IP_NF_TARGET_TTL is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set
```

In the loaded modules, I'd expect to see an ipt_FORWARD, but don't see one, and couldn't find one in .config:

```
lsmod|grep ip
iptable_mangle          3072  0
ipt_TOS                 2816  0
ipt_SAME                2944  0
ipt_REJECT              4864  0
ipt_REDIRECT            2688  0
ipt_NETMAP              2688  0
ipt_MASQUERADE          3456  0
ipt_LOG                 6272  0
ipt_esp                 2560  0
ipt_ECN                 3456  0
ipt_DSCP                2816  0
ipt_ah                  2560  0
iptable_nat             7300  0
ip_nat                 13868  5 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,iptable_nat
iptable_filter          3200  0
ip_tables              11508  3 iptable_mangle,iptable_nat,iptable_filter
x_tables               10244  14 xt_tcpudp,ipt_TOS,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_esp,ipt_ECN,ipt_DSCP,ipt_ah,iptable_nat,ip_tables
tulip                  43296  0
```

What next?

Thanks!

----------

## jpnag

in /etc/sysctl.conf set

```
net.ipv4.ip_forward = 1
```

----------

## afabco

Hi

Sorry for the delay.

Made no difference.

```
# Disables packet forwarding
net.ipv4.ip_forward = 1

# Disables IP dynaddr
#net.ipv4.ip_dynaddr = 0

# Disable ECN
#net.ipv4.tcp_ecn = 0

# Enables source route verification
net.ipv4.conf.default.rp_filter = 1

# Enable reverse path
net.ipv4.conf.all.rp_filter = 1
```

I did un-rem and change the net.ipv4.ip_forward to 1. "net.ipv4.conf.default.rp_filter = 1" and "net.ipv4.conf.all.rp_filter = 1" remain as they were.

sysctl in the kernel is enabled.

Here's the result:

```
green linux # /etc/init.d/shorewall restart
 * Restarting firewall ...
iptables: No chain/target/match by that name
   ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
/etc/init.d/shorewall: line 26: 30833 Terminated              /sbin/shorewall restart >/dev/  [ !! ]
green linux #
```

What next?

Thanks!

----------

## homry

got the same problem here.

the new iptables-options are well hidden in the config menu  :Wink: . but even though i have everything i need in my kernel now, shorewall won't start correctly. i am using 2.6.16-r7

homry

----------

## homry

nobody else got this problem? before that i ran a 2.6.15-r1-kernel. everything was fine. anyone ran into problems with iptables after updating to a 2.6.16-kernel?

homry

----------

## basement

 *afabco wrote:*   

> Here's the result:
>
> ...

 

I had this exact problem after initially following Sith_Happens' shorewall guide, and adding a few things necessary. I'm using kernel 2.6.16-r7, shorewall version 3.0.4, iptables version 1.3.4. In the kernel, I had enabled Xtables support and IP tables support. I added everything under IP tables support as modules. When I then tried starting shorewall, I got the same error as you. After playing around a bit, I found one option solving my problem. In menuconfig, under Xtables support, I added "state" match support (compiled it into the kernel). That made the problem go away.

----------
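The check this thread converges on (outspoken's and mauricev's posts on the move to xtables, and basement's fix above), as an added example that is not code from any poster: a shell helper that reads the `-m` matches out of an iptables rule and reports those for which neither the `CONFIG_NETFILTER_XT_MATCH_*` symbol nor the older `CONFIG_IP_NF_MATCH_*` symbol is enabled. The function names, the two constructed sample configs and the assumption that a match named `x` maps to `..._MATCH_X` are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): report which -m matches in an iptables
# rule have no enabled kernel config symbol, under either naming scheme.

# Print the match names given with -m/--match in an iptables rule string.
rule_matches() {
    prev=
    for word in $1; do
        case "$prev" in -m|--match) echo "$word" ;; esac
        prev=$word
    done
}

# Print y, m or n for SYMBOL ($2) in kernel config FILE ($1).
config_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${state:-n}"
}

# Print one line per match in RULE ($2) that CONFIG ($1) does not provide;
# return 1 if any match is missing, 0 otherwise.
missing_matches() {
    rc=0
    for m in $(rule_matches "$2"); do
        # Per the thread, xt_tcpudp has no config option of its own.
        case "$m" in tcp|udp) continue ;; esac
        upper=$(echo "$m" | tr '[:lower:]' '[:upper:]')
        new="CONFIG_NETFILTER_XT_MATCH_$upper"   # 2.6.16+ xtables name
        old="CONFIG_IP_NF_MATCH_$upper"          # earlier name (assumed mapping)
        if [ "$(config_state "$1" "$new")" = n ] &&
           [ "$(config_state "$1" "$old")" = n ]; then
            echo "$m: neither $new nor $old is enabled"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs, using lines excerpted from the posts above.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/no_state.config" <<'EOF'
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_STATE is not set
# CONFIG_IP_NF_MATCH_CONNTRACK is not set
EOF
cat > "$demo_dir/xt_state.config" <<'EOF'
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
EOF

rule='-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
for cfg in "$demo_dir/no_state.config" "$demo_dir/xt_state.config"; do
    if missing_matches "$cfg" "$rule"; then
        echo "$(basename "$cfg"): all matches available"
    fi
done
```

A symbol set to `m` still needs its module loaded (or automatic module loading enabled) before the rule is accepted, which this check does not cover.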

## homry

 *basement wrote:*   

> 
> 
> I had this exact problem after initially following Sith_Happens' shorewall guide, and adding a few things necessary. I'm using kernel 2.6.16-r7, shorewall version 3.0.4, iptables version 1.3.4. In the kernel, I had enabled Xtables support and IP tables support. I added everything under IP tables support as modules. When I then tried starting shorewall, I got the same error as you. After playing around a bit, I found one option solving my problem. In menuconfig, under Xtables support, I added "state" match support (compiled it into the kernel). That made the problem go away.

 

perfect! that helped! thanks a lot  :Smile: 

homry

----------

## afabco

That did the trick.  Thanks!

 *Quote:*   

> I added "state" match support (compiled it into the kernel)

 

----------

## F.Ultra

OMG what have the iptables team done  :Mad:   There are now way too many options and several of them seem to do the same thing, I hope there is some decent documentation coming out soon!

----------

## darcon

Can someone please post their working kernel config? I've enabled everything I can find and I still can't get it to work  :Sad: 

----------

## JanisB

```
GentooBox / # grep STATE /usr/src/linux/.config
CONFIG_NETFILTER_XT_MATCH_STATE=y
```

So, I have enabled this stuff in kernel, but still have the same as 1st post. What's wrong?

P.S. Offtopic detected :)

----------

## loux.thefuture

Hello,

I had the same error 4294967295 when I switched to hardened sources, but now everything works. Below is my config:

uname -a:

```
Linux barton 2.6.14-hardened-r8 #1 PREEMPT Mon Jun 19 10:16:21 CEST 2006 i686 AMD Athlon(tm) XP 2600+ GNU/Linux
```

cat .config:

```
...
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_NETBIOS_NS is not set
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_STEALTH=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_SCTP=m
CONFIG_IP_NF_MATCH_DCCP=m
CONFIG_IP_NF_MATCH_COMMENT=m
CONFIG_IP_NF_MATCH_CONNMARK=m
CONFIG_IP_NF_MATCH_CONNBYTES=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_STRING=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ULOG is not set
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_TARGET_NFQUEUE=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CONNMARK=m
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
...
```

Hope it will help you

bye

loux

----------

## nofff

works for me with `-m conntrack --ctstate RELATED,ESTABLISHED`

----------

## saepia

Suggestion: If you can't find "state match support" option, select Layer 3 Independent Connection tracking (EXPERIMENTAL) in Core Netfilter Configuration.

----------

## doggizback

same troubles here. i appear to have every option under the sun enabled in the netfilter portion of the kernel config. no love just yet, wondering if it's something possibly as simple as updating iptables? Am on 1.3.5-r1 currently, latest out appears to be 1.3.5-r4

```
gentoob0x linux # iptables -A INPUT -p udp -m udp --dport 1434 -j TARPIT
iptables: Unknown error 4294967295
```

and of course, the .config

```
gentoob0x linux # grep IP_NF_ .config
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=y
CONFIG_IP_NF_CT_PROTO_SCTP=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_NETBIOS_NS=y
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_PPTP=y
# CONFIG_IP_NF_H323 is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_MATCH_HASHLIMIT=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
CONFIG_IP_NF_NAT_SNMP_BASIC=y
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_NAT_AMANDA=y
CONFIG_IP_NF_NAT_PPTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_TARGET_CLUSTERIP=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
```

andddddd

```
gentoob0x linux # grep NETFILTER .config
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_BRIDGE_NETFILTER=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_ESP=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_REALM=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
```

now, as seen above, these are compiled into the kernel rather than modular. Is this typically a problem?

have never been able to get TARPIT to work. Any ideas, anything specifically that I could post that would be of any use that I've omitted? Many thanks in advance

----------

## DeathAndTaxes

Does this error just spontaneously occur?  I've only run gentoo-sources 2.6.17-gentoo-r4 and iptables 1.3.5-r1 EVER, and suddenly this error is coming up with `-m state --state ESTABLISHED,RELATED`.

It *was* working for the past 60 days (60 days' uptime), so what could have happened?!?

----------

