# Wireguard iptables kill switch: No chain/target/match

## jtalowell

In advance: I don't know much about networking and I don't know much about iptables. Please be patient with me.

I have wireguard installed:

```
*  net-vpn/wireguard
      Latest version available: 0.0.20190406
      Latest version installed: 0.0.20190406
```

It is loaded:

```
$ lsmod | grep wireguard
wireguard             204800  0
```

Wireguard on its own works fine as far as I can tell. I want to use the iptables kill switch that my service, Mullvad, provides. However, whenever I try to use wg-quick with the provided generated config I get the following output.

```
 * Starting Wireguard Interface ...
[#] ip link add mullvad-au1 type wireguard
[#] wg setconf mullvad-au1 /dev/fd/63
[#] ip address add 10.99.65.118/32 dev mullvad-au1
[#] ip address add fc00:bbbb:bbbb:bb01::4176/128 dev mullvad-au1
[#] ip link set mtu 1420 up dev mullvad-au1
[#] resolvconf -a mullvad-au1 -m 0 -x
[#] wg set mullvad-au1 fwmark 51820
[#] ip -6 route add ::/0 dev mullvad-au1 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip -4 route add 0.0.0.0/0 dev mullvad-au1 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
iptables: No chain/target/match by that name.
[#] resolvconf -d mullvad-au1
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev mullvad-au1                                                         [ !! ]
 * ERROR: mullvad-au1 failed to start
```

I do not get this error on Fedora. I didn't get this error on a previous Gentoo machine. I suspect I'm missing a kernel option but as far as I can tell, I have enabled everything the wiki specifies.

My kernel configuration can be found here.

Does anyone know why this might happen or how I should go ahead debugging?

----------

## NeddySeagoon

jtalowell,

Welcome to Gentoo.

The bit that fails is

```
iptables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
```

which is actually two commands.

```
iptables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

ip6tables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
```

Those two commands actually do the same thing, once for IPv4 and once for IPv6.

After the commands have failed, run them one at a time (as root), just as I have split them up.

Wild guess ... you don't have IPv6 support or IPv6 firewall support in the kernel, so the first one works and the second one fails.

----------

## jtalowell

Thanks for the welcome!

*NeddySeagoon wrote:*

> The bit that fails is
>
> ```
> ...
> ```

Based on your guess I've checked and can confirm that I get the same error for both IPv4 and IPv6.

----------

## NeddySeagoon

jtalowell,

Make friends with wgetpaste and put your kernel .config onto a pastebin site.

Tell us how you made your kernel too.

----------

## jtalowell

*NeddySeagoon wrote:*

> Make friends with wgetpaste and put your kernel .config onto a pastebin site.

Is there something wrong with the raw Github link I provided in the original post?

wgetpaste of kernel config as requested: https://bpaste.net/show/46854bbb2623.

I'm not sure exactly what you mean by how I made the kernel.

I used

```
$ make localmodconfig
```

from a Gentoo live usb before enabling specific things.

I build the kernel using the following commands.

```
$ make -j9
$ make modules_install
$ make install
$ genkernel --lvm --luks --install initramfs
$ emerge @module-rebuild
```

----------

## NeddySeagoon

jtalowell,

I must have been low on caffeine when I read your original post. I missed the kernel config and the iptables in

```
iptables: No chain/target/match by that name.
```

That it's not ip6tables says the error is IPv4 related.

To compound that, the && means that the second command only runs if the first succeeds. That's three errors. Sorry about that.

Your kernel has

```
CONFIG_NF_REJECT_IPV4=y
CONFIG_IP_NF_TARGET_REJECT=y
...
CONFIG_NF_REJECT_IPV6=y
CONFIG_IP6_NF_TARGET_REJECT=y
```

So you have the REJECT targets. The OUTPUT chain is free. It's one of the fundamental INPUT, OUTPUT and FORWARD chains.

That leaves a problem with the match.

Indeed, your MARK options in the kernel are off.

-- edit --

The reason for asking an open question about the kernel build process is that many users use genkernel, which has known shortcomings, which can all be worked around if you know about them.
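As an added example (not part of this thread and not Mullvad's or Gentoo's code), a small POSIX shell check that reads a kernel .config and lists which Kconfig symbols behind the kill-switch rule's matches and targets are neither built in nor modular, so the "No chain/target/match" failure can be spotted before wg-quick runs. The symbol-to-match mapping is the upstream Kconfig naming; the sample .config fragment is constructed to mirror this thread.

```shell
#!/bin/sh
# Added example, not from the thread: check a kernel .config for the netfilter
# pieces the Mullvad kill-switch rule uses. Kconfig symbols (upstream names):
#   -m mark      -> CONFIG_NETFILTER_XT_MATCH_MARK
#   -m addrtype  -> CONFIG_NETFILTER_XT_MATCH_ADDRTYPE
#   -j REJECT    -> CONFIG_IP_NF_TARGET_REJECT / CONFIG_IP6_NF_TARGET_REJECT
#   OUTPUT chain -> CONFIG_IP_NF_FILTER / CONFIG_IP6_NF_FILTER (filter table)
KILLSWITCH_OPTS="CONFIG_NETFILTER_XT_MATCH_MARK CONFIG_NETFILTER_XT_MATCH_ADDRTYPE
CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT
CONFIG_IP6_NF_FILTER CONFIG_IP6_NF_TARGET_REJECT"

# Print, one per line, every option in KILLSWITCH_OPTS that is neither =y nor =m
# in the .config at $1. Returns 0 when nothing is missing, 1 otherwise.
missing_killswitch_opts() {
    config="$1"
    rc=0
    for opt in $KILLSWITCH_OPTS; do
        if ! grep -q "^${opt}=[ym]\$" "$config"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample .config mirroring the thread: REJECT targets are on,
# but the mark match is unset (Kconfig writes that as an "is not set" comment).
SAMPLE_CONFIG="$(mktemp)"
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat >"$SAMPLE_CONFIG" <<'EOF'
CONFIG_IP_NF_FILTER=y
CONFIG_NF_REJECT_IPV4=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP6_NF_FILTER=y
CONFIG_NF_REJECT_IPV6=y
CONFIG_IP6_NF_TARGET_REJECT=y
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
# CONFIG_NETFILTER_XT_MATCH_MARK is not set
EOF

# Run it against the sample (or against a real tree: pass /usr/src/linux/.config).
if missing_killswitch_opts "${1:-$SAMPLE_CONFIG}"; then
    echo "kill-switch rule: all required netfilter options present"
else
    echo "kill-switch rule will fail with 'No chain/target/match by that name'"
fi
```

On a running kernel built with CONFIG_IKCONFIG_PROC, `zcat /proc/config.gz > /tmp/config` gives a file to pass as the argument instead of the source tree's .config.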

----------

## jtalowell

*NeddySeagoon wrote:*

> Indeed, your MARK options in the kernel are off.

Thank you! This was the problem. After enabling this in the kernel I don't have any issues.

----------

