# [SOLVED] iptables LOG target not recognized

## wcg

iptables is reporting the LOG target as unrecognized.

iptables-1.4.0-r1
linux-2.6.27-gentoo-r7
CHOST=x86_64-pc-linux-gnu

It is enabled in the kernel config:

```
....
CONFIG_NETFILTER=y
....
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
....
CONFIG_IP_NF_TARGET_LOG=y
```

Example:

```
/sbin/iptables -A INPUT -i eth+ -s $MYHOST_IP \
    -d \! $MY_SUBNET_BROADCAST -m limit -j LOG \
    --log-ip-options --log-tcp-options
```

(Next iptables command in the firewall script drops anything incoming on ethernet with $MY_HOST_IP for source address.)

iptables reports:

```
iptables: No chain/target/match by that name
```

This happens for every iptables command with a "-j LOG" target.

Works fine with iptables-1.3.8 and linux-2.6.26.5 on an x86 (unpatched vanilla sources).

?

(The only thing that looks maybe relevant in USE= in make.conf is "-isdnlog". I disabled it because I have no isdn interfaces installed. I don't see how that would affect iptables.)

----------

## wcg

PS: system logger is sysklogd.

----------

## toralf

You're sure to put "-j LOG" to a specific filter rule? What about using a more general approach like this:

```
n22 /home/tfoerste # grep LOG /etc/kmyfirewall/kmyfirewall.sh
        $MOD ipt_LOG
        $IPT -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "FW_IN: "
        $IPT -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "FW_OUT: "
        $IPT -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "FW_FWD: "
```

to enable/disable logging for a full chain?

----------

## wcg

A lot of junk that a chain might handle I don't want in my logs (netbios broadcasts from winboxes, etc), so I prefer to use the -j LOG target in specific rules for those kinds of packets that I do want to see a report on.

But the "-j LOG" iptables target should be recognized by iptables either way when it is enabled in the kernel config for a compiled and installed kernel.

I'll try reverting iptables to 1.3.8-r? and/or a newer version from testing and see if that fixes it. At least I should be able to find out whether the problem is in the iptables source or the kernel source. (Does not seem like a compiler problem.)

----------

## tutaepaki

*Quote:*

> iptables: No chain/target/match by that name

Note the message. It may refer to chain, target, or match...

The chain and target are probably fine, and it's the rate limiting module missing.

*Quote:*

> -m limit

Are you sure that module is set up in your kernel too?

Regards

----------

## wcg

*tutaepaki wrote:*

> > iptables: No chain/target/match by that name
>
> Note the message. It may refer to chain, target, or match...
>
> The chain and target are probably fine, and it's the rate limiting module missing.
>
> > -m limit
>
> Are you sure that module is set up in your kernel too?
>
> Regards

Bingo. There are a bunch of netfilter config options that only show up in make menuconfig for kernel 2.6.27+ if you enable "Advanced Netfilter Configuration" before descending into the next submenu. I did not have that enabled, so I was not seeing them, and CONFIG_XT_NETFILTER_MATCH_LIMIT was one of them (along with a few others that I use).

Fixed. :Smile:

----------

## tbaac

*wcg wrote:*

> (....)
>
> Bingo. There are a bunch of netfilter config options
> ...

That's what I've been looking for :Very Happy:

The example firewall in http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12 (Code Listing 5.5: /etc/init.d/firewall) contains lines such as:

```
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
      --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
```

under the comment "Catch portscanners".

So me being a relative noob, I think to myself "Cool, that sounds pretty neat." and include it in my firewall script, and I got the error "iptables: No chain/target/match by that name" for that line. Through elimination I worked out that it didn't like the "-m limit --limit......." option and found on the web articles suggesting things such as making sure that CONFIG_IP_NF_MATCH_LIMIT is enabled. (Presumably now known as CONFIG_XT_NETFILTER_MATCH_LIMIT).

I've just been over at the gentoo kernels page trying to find an alternative to gentoo-sources that had the extra limit functionality included.

I found this thread and it solved my problem, but could someone with a bit of knowledge add a reference to "Advanced Netfilter Configuration" to the gentoo wiki articles please? (Such as http://www.gentoo-wiki.info/HOWTO_Iptables_and_stateful_firewalls and http://www.gentoo-wiki.info/HOWTO_Iptables_for_newbies, plus maybe http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12). It seems a shame to not include it in the kernel config parts of those articles and it's likely to trip others up.

Thanks :Smile:

p.s. I'm loving Gentoo. I've used it before but always gone back to something less complicated, possibly involving typing "apt-get" :Embarassed: ........... But this time I've got further and I've now got my laptop running Gentoo with everything except /boot set up with LUKS and LVM and running Fluxbox. I got the bcm4318 wireless working today without ndiswrapper and using WPA, something which I didn't manage with Kubuntu. This is probably nothing to you guys but I'm feeling really chuffed. :Cool:

Anyway, thanks.

----------
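A preflight check that generalizes the diagnosis in tutaepaki's and wcg's posts and the handbook rule tbaac quotes, added here as an example that is not code from any of the posts: it maps the `-m` matches and `-j` targets used in a firewall script to the kernel options that provide them and reports the ones a `.config` lacks, so `iptables: No chain/target/match by that name` can be traced to the missing module before the rules are loaded. The sample `.config` and rule lines are constructed for the example. CONFIG_IP_NF_TARGET_LOG is the option from the first post; the limit and state match options are the names in the kernel tree (CONFIG_NETFILTER_XT_MATCH_LIMIT, which wcg's post spells slightly differently, and CONFIG_NETFILTER_XT_MATCH_STATE), and any further extension has to be added to `option_for` by hand.

```shell
#!/bin/sh
# Added example (not from the thread): check a firewall script against a
# kernel .config before loading it. Every "-m <match>" / "-j <target>"
# extension is mapped to the kernel option that provides it; options not
# set to y or m are reported.

# Constructed sample .config: LOG target enabled, limit match not set,
# which is exactly the situation described in the thread.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_LOG=y
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
CONFIG_NETFILTER_XT_MATCH_STATE=y
'

# Constructed sample firewall script fragment (rule shapes as in the thread).
SAMPLE_RULES='$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
      --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPT -A INPUT -i eth+ -m limit -j LOG --log-ip-options --log-tcp-options
'

# Map an extension token to its kernel option. Built-in targets (ACCEPT,
# DROP, RETURN) and user-defined chains need no option and print nothing.
option_for() {
    case "$1" in
        match:limit)  echo CONFIG_NETFILTER_XT_MATCH_LIMIT ;;
        match:state)  echo CONFIG_NETFILTER_XT_MATCH_STATE ;;
        target:LOG)   echo CONFIG_IP_NF_TARGET_LOG ;;
        *)            ;;   # unknown or built-in: nothing to check
    esac
}

# List the distinct "match:NAME" / "target:NAME" tokens a rule set uses.
# Backslash-continued lines are joined first so "-m limit \" is seen whole.
extensions_used() {
    printf '%s\n' "$1" | sed -e :a -e '/\\$/N; s/\\\n//; ta' \
      | awk '{ for (i = 1; i < NF; i++) {
                 if ($i == "-m") print "match:" $(i+1);
                 if ($i == "-j") print "target:" $(i+1); } }' \
      | sort -u
}

# Print each required option that the config does not set to y or m.
# Empty output means every extension the rules use is available.
missing_options() {
    config="$1"; rules="$2"
    for ext in $(extensions_used "$rules"); do
        opt=$(option_for "$ext")
        [ -n "$opt" ] || continue
        printf '%s\n' "$config" | grep -q "^$opt=[ym]" || echo "$opt"
    done
}

# Usage: on a real system, pass the contents of /usr/src/linux/.config
# (or /proc/config.gz, decompressed) and of the firewall script instead.
missing_options "$SAMPLE_CONFIG" "$SAMPLE_RULES"
```

With the constructed inputs the check prints only CONFIG_NETFILTER_XT_MATCH_LIMIT: the LOG target is present, the failing piece is the limit match, which is the point tutaepaki made about reading the whole error message.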

