# IPTABLES problem with modules "-m"

## maximillianthethird

Hi all, 

I have the following problem ... I'm trying to set some rules using modules (the -m option) in my iptables and it doesn't work. I don't understand why.

- I start with an empty ruleset:

```
tiefighter root # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LD (0 references)
target     prot opt source               destination

Chain SANITY (0 references)
target     prot opt source               destination

Chain STATE (0 references)
target     prot opt source               destination

Chain UNCLEAN (0 references)
target     prot opt source               destination

tiefighter root #
```

- I try to add the following command:

```
iptables -I OUTPUT -m owner --uid-owner 1008 -d ! 192.168.1.0/24 -j DROP
```

and get the following error:

```
iptables: No chain/target/match by that name
```

- the problem lies in the -m part ...

If I leave the -m part out and enter

```
iptables -I OUTPUT -d ! 192.168.1.0/24 -j DROP
```

iptables accepts it:

```
tiefighter root # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere            !192.168.1.0/24
```

- I checked the man page and the syntax of the -m part is OK. It even shows up in the help:

```
tiefighter root # iptables -I OUTPUT -m owner -h
 OWNER match v1.2.11 options:
[!] --uid-owner userid     Match local uid
[!] --gid-owner groupid    Match local gid
[!] --pid-owner processid  Match local pid
[!] --sid-owner sessionid  Match local sid
[!] --cmd-owner name       Match local command name
```

Can anybody tell me what's wrong?

Thanks

----------

## maximillianthethird

**** bump ******

----------

## ivanl

Did you compile IP_NF_MATCH_OWNER "Owner match support" into your kernel? If not, did you do it as a module and /bin/lsmod to check if it's loaded? If not, /sbin/modprobe ipt_owner.

----------

## maximillianthethird

I now compiled the option into my kernel.

I did some further reading on this forum, and in some threads it is advised to re-emerge iptables after a kernel recompile.

I'm re-emerging iptables right now.

I'll keep you posted.

----------

## maximillianthethird

Alas ... it does not work, after the recompile and re-emerging iptables:

```
tiefighter init.d # iptables -I OUTPUT -m owner --uid-owner 1008 -d ! 192.168.1.0/24 -j DROP
iptables: No chain/target/match by that name
tiefighter init.d #
```

----------

## ivanl

```
cat /proc/net/ip_tables_names
```

and confirm "filter" is listed in the output.

```
cat /proc/net/ip_tables_matches
```

and confirm "owner" is listed in the output.

----------

## maximillianthethird

Hey, we might be getting somewhere.

"owner" is not in the `cat /proc/net/ip_tables_matches` output:

```
tiefighter root # cat /proc/net/ip_tables_names
mangle
filter
tiefighter root # cat /proc/net/ip_tables_matches
tcp
udp
icmp
tiefighter root #
```

As I am a noob, I'm not sure what the cause is, nor what the solution is.

So I still need all the help I can get ...

----------

## maximillianthethird

**********   BUMP **************

----------

## maximillianthethird

***********  BUMP  **************

----------

## forbjok

Check in `/lib/modules/<kernel version here>/kernel/net/ipv4/netfilter` if the file `ipt_owner.ko` is there (unless you built it into the kernel). If so, then the module should be there. In that case try

```
# modprobe ipt_owner
```

If not, did you remember to do `make modules_install` after the kernel recompile?
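As an added example (not written by any poster in this thread), a small POSIX sh check that combines ivanl's `/proc/net/ip_tables_matches` test with forbjok's module-file and modprobe step, so a firewall script can confirm the owner match is registered before it inserts a rule that depends on it. The `ipt_<name>` module naming and the `/lib/modules/<version>/kernel/net/ipv4/netfilter` path are taken from the posts above; the sample matches file is constructed to mirror the output maximillianthethird posted.

```shell
#!/bin/sh
# Added example, not from any post in this thread.  Checks whether an
# iptables match extension (here "owner") is usable before a rule relies
# on it: kernel registration list first, then module file and modprobe.

# match_registered NAME [MATCHES_FILE]
# 0 if NAME is listed as a whole line; 1 if not; 2 if the file is unreadable.
match_registered() {
    name=$1
    file=${2:-/proc/net/ip_tables_matches}
    [ -r "$file" ] || return 2
    grep -qx -- "$name" "$file"
}

# module_file_present NAME [KERNEL_VERSION]
# 0 if ipt_NAME.ko exists in the running kernel's netfilter module directory.
module_file_present() {
    name=$1
    kver=${2:-$(uname -r)}
    [ -e "/lib/modules/$kver/kernel/net/ipv4/netfilter/ipt_$name.ko" ]
}

# ensure_match NAME [MATCHES_FILE]
# Prints a one-line diagnosis; exit status 0 means "-m NAME" should work.
ensure_match() {
    name=$1
    file=${2:-/proc/net/ip_tables_matches}
    if match_registered "$name" "$file"; then
        echo "match '$name' is registered with the kernel"
        return 0
    fi
    if module_file_present "$name"; then
        modprobe "ipt_$name" 2>/dev/null || true
        if match_registered "$name" "$file"; then
            echo "match '$name' loaded via modprobe ipt_$name"
            return 0
        fi
        echo "ipt_$name.ko exists but did not register (kernel/iptables mismatch?)"
        return 1
    fi
    echo "no ipt_$name.ko for $(uname -r): enable its kernel option (IP_NF_MATCH_OWNER for owner), rebuild, make modules_install"
    return 1
}

# Constructed stand-in for the /proc output posted above (tcp, udp, icmp only).
SAMPLE=$(mktemp)
printf 'tcp\nudp\nicmp\n' > "$SAMPLE"
ensure_match owner "$SAMPLE" || echo "so: iptables: No chain/target/match by that name"
rm -f "$SAMPLE"
```

Point `ensure_match` at the real `/proc/net/ip_tables_matches` (the default) to check a live box; the sample file only reproduces the failing case from the thread.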

----------

## maximillianthethird

SOLVED

I upgraded my box from kernel 2.6.9 to 2.6.10-r6 and all of a sudden it worked.

Go figure.

----------

## timmi

```
iptables -t nat -A PREROUTING -m owner -help
...
 OWNER match v1.3.3 options:
[!] --uid-owner userid     Match local uid
[!] --gid-owner groupid    Match local gid
[!] --pid-owner processid  Match local pid
[!] --sid-owner sessionid  Match local sid
[!] --cmd-owner name       Match local command name
NOTE: pid, sid and command matching are broken on SMP
```

*maximillianthethird wrote:*

> SOLVED
>
> I upgraded my box from kernel 2.6.9 to 2.6.10-r6 and all of a sudden it worked
>
> go figure

----------
