# Gentoo iptables different?

## The_Great_Sephiroth

I normally create a firewall on my laptop which allows me to allow only SMB and SSH connections from my WLAN and LAN interfaces. I do this in Firewall Builder. This is not working in Gentoo. It creates a script which works fine on other Linux systems (with names changed to old names such as eth0) but not on Gentoo. The lines below result in the error "iptables: No chain/target/match by that name."

```
$IPTABLES -A INPUT -i enp0s25 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i enp0s25 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i wlp12s0 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i wlp12s0 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i enp0s25 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i enp0s25 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i wlp12s0 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i wlp12s0 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
```

Meanwhile the code below works.

```
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
```

So why does this work everywhere but in Gentoo? I am lost after spending a few hours trying. My interface names are correct, I do not see spelling errors, and the FW works in Debian if I change the names from enp0s25 to eth0 and wlp12s0 to wlan0. I did compile iptables into my kernel. Well, as modules, not into the kernel.

----------

## lovelytux

Hey The_Great_Sephiroth!

Are you sure that you have:

```
CONFIG_IP_NF_TARGET_REDIRECT=m
```

in your kernel?

lovelytux

----------

## szatox

iptables doesn't depend on Gentoo as much as it depends on your kernel's config. There are only a few of the most basic modules enabled by default; you'd better check the options and fix it.

----------

## pietinger

Maybe you didn't find the module because "Advanced netfilter configuration" is not set. Only if it is set will you find "multiport Multiple port match support" in > Networking support > Networking options > Network packet filtering framework (Netfilter) > Core Netfilter Configuration.

----------

## NeddySeagoon

The_Great_Sephiroth,

What does the 'z' key do in make menuconfig?

Small hint: It's a toggle function.

Bigger hint: you will find it useful.

----------

## The_Great_Sephiroth

I will check the kernel configuration tomorrow morning. As for "z", I assume it does like other keys and goes to whatever starts with "z". I know that "/" searches.

----------

## The_Great_Sephiroth

You are correct, I did not have the advanced configuration set. I enabled it and am not enabling more options.

Also, the "z" key is nice. Shows everything regardless of options. Oh, and I was mistaken. 99% of my iptables stuff is built in-kernel, not as modules.
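The check the thread ends up doing by hand, as an added example that is not from any poster: it maps the `-m` matches a ruleset uses to the kernel Kconfig symbols that provide them and reports which ones a saved kernel config lacks. The symbol names are the mainline ones (multiport only appears in menuconfig once `CONFIG_NETFILTER_ADVANCED` is set, which is what hid it here); the sample config and rule in `demo()` are constructed, and on a running box the input would be `zcat /proc/config.gz > file`.

```shell
#!/bin/sh
# Added example, not from the thread: report which Kconfig symbols behind the
# "-m" matches of an iptables ruleset are missing from a kernel config file.

# Kconfig symbol behind an iptables match name (empty if not in this table).
match_symbol() {
  case "$1" in
    multiport) echo CONFIG_NETFILTER_XT_MATCH_MULTIPORT ;;
    state)     echo CONFIG_NETFILTER_XT_MATCH_STATE ;;
    conntrack) echo CONFIG_NETFILTER_XT_MATCH_CONNTRACK ;;
    tcp|udp)   echo CONFIG_NETFILTER_XTABLES ;;  # xt_tcpudp is built with the core
  esac
}

# True when symbol $2 is =y or =m in config file $1.
config_set() { grep -Eq "^$2=(y|m)$" "$1"; }

# Read iptables rules on stdin, print one line per missing symbol, return 1
# if anything is missing. multiport is only offered by menuconfig once
# CONFIG_NETFILTER_ADVANCED is set, so point at that when it is the culprit.
missing_for_rules() {
  cfg="$1"; rc=0; multiport_missing=0
  matches=$(tr ' ' '\n' | awk 'prev == "-m" { print } { prev = $0 }' | sort -u)
  for m in $matches; do
    sym=$(match_symbol "$m")
    [ -n "$sym" ] || continue
    if ! config_set "$cfg" "$sym"; then
      echo "$m -> $sym not set"; rc=1
      if [ "$m" = multiport ]; then multiport_missing=1; fi
    fi
  done
  if [ "$multiport_missing" = 1 ] && ! config_set "$cfg" CONFIG_NETFILTER_ADVANCED; then
    echo "hint: set CONFIG_NETFILTER_ADVANCED so menuconfig lists multiport"
  fi
  return $rc
}

# Constructed demo: a config that, like the poster's, never had multiport.
demo() {
  cfg=$(mktemp)
  printf '%s\n' CONFIG_NETFILTER_XTABLES=y CONFIG_NETFILTER_XT_MATCH_STATE=y \
    '# CONFIG_NETFILTER_ADVANCED is not set' > "$cfg"
  echo '-A INPUT -i enp0s25 -p tcp -m tcp -m multiport --dports 445,22 -m state --state NEW -j ACCEPT' |
    missing_for_rules "$cfg" || :
  rm -f "$cfg"
}

demo
```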

----------

## The_Great_Sephiroth

Alright, all is good. The "multiport" option was not selected. My firewall is up and allows only SMB and SSH connections.

```
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i enp0s25 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A INPUT -i enp0s25 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A INPUT -i wlp12s0 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A INPUT -i wlp12s0 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state NEW -j ACCEPT
-A FORWARD -i enp0s25 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A FORWARD -i enp0s25 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A FORWARD -i wlp12s0 -p tcp -m tcp -m multiport --dports 445,135,139,22 -m state --state NEW -j ACCEPT
-A FORWARD -i wlp12s0 -p udp -m udp -m multiport --dports 138,137 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state NEW -j ACCEPT
```

It isn't fancy, but it works! Now I need to figure out a way to add rules when ppp0 comes up (VPN) and delete those rules when it goes down.

----------

## The_Great_Sephiroth

Alright, got that working also! I added the following two scripts and they work.

/etc/ppp/ip-up.d/90-iptables.sh

```
#!/bin/bash

# pppd calls ip-up hooks with six arguments: interface, tty, speed,
# local IP, remote IP, ipparam. If the interface was specified, add the rule.
if [ $# -eq 6 ] && [ -n "$1" ]; then
  iptables -A INPUT -i "$1" -m state --state NEW -j ACCEPT
fi
```

/etc/ppp/ip-down.d/90-iptables.sh

```
#!/bin/bash

# Same six arguments as ip-up. If the interface was specified, delete the rule.
if [ $# -eq 6 ] && [ -n "$1" ]; then
  iptables -D INPUT -i "$1" -m state --state NEW -j ACCEPT
fi
```

This adds and deletes the rule no matter what VPN connection a user initiates. I am golden now!
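A more defensive form of the two hooks above, as an added example that is not the poster's script: one file usable from both /etc/ppp/ip-up.d and /etc/ppp/ip-down.d (copy or symlink it into each), which only opens the VPN interface for the same SMB and SSH ports as the LAN rules instead of every new connection, refuses to append a second copy of a rule that is already present (a reconnect that never ran ip-down would otherwise stack duplicates that a single `-D` cannot clear), and deletes every copy on the way down. `IPTABLES` and `DRY_RUN` are hypothetical knobs added so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not the poster's script: idempotent pppd ip-up/ip-down hook.
# pppd passes six arguments: interface tty speed local-ip remote-ip ipparam.
# IPTABLES and DRY_RUN are assumptions of this example, not pppd interfaces.

IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-0}"      # 1 = print the commands instead of running them
TCP_PORTS="445,135,139,22"   # the poster's SMB + SSH set
UDP_PORTS="138,137"

run_ipt() {
  if [ "$DRY_RUN" = "1" ]; then printf 'iptables %s\n' "$*"; else "$IPTABLES" "$@"; fi
}

# Append the rule for one protocol on an interface, but only if an identical
# rule is not already present (-C returns 0 when it is).
ensure_rule() {
  set -- INPUT -i "$1" -p "$2" -m "$2" -m multiport --dports "$3" \
         -m state --state NEW -j ACCEPT
  if [ "$DRY_RUN" != "1" ] && "$IPTABLES" -C "$@" 2>/dev/null; then
    return 0
  fi
  run_ipt -A "$@"
}

# Delete every copy of the rule so the interface is closed when the VPN drops.
remove_rule() {
  set -- INPUT -i "$1" -p "$2" -m "$2" -m multiport --dports "$3" \
         -m state --state NEW -j ACCEPT
  if [ "$DRY_RUN" = "1" ]; then run_ipt -D "$@"; return 0; fi
  while "$IPTABLES" -C "$@" 2>/dev/null; do "$IPTABLES" -D "$@"; done
}

# Pick add or delete from the directory the hook was invoked from ($1),
# then apply both protocol rules to interface $2.
apply_hooks() {
  case "$1" in
    *ip-down*) action=remove_rule ;;
    *)         action=ensure_rule ;;
  esac
  "$action" "$2" tcp "$TCP_PORTS"
  "$action" "$2" udp "$UDP_PORTS"
}

# pppd passes exactly six arguments; $1 is the interface name (e.g. ppp0).
if [ $# -eq 6 ] && [ -n "$1" ]; then
  apply_hooks "$0" "$1"
fi
```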

----------

