# Gentoo router: small problem with iptables

## utang

Good evening! =)

My little problem is somewhere... hmm, unfortunately I don't know where... does anyone maybe know how I can get rid of this "iptables: No chain/target/match by that name" message...

```
genbox flex # /etc/init.d/iptables start
 * Stopping firewall...                                                                                          [ ok ]
 * Starting firewall...
 * Setting internal rules...
 * Setting default rule to drop
 * Creating states chain
 * Creating fragments chain
iptables: No chain/target/match by that name
 * Creating invalid detection chain
iptables: No chain/target/match by that name
 * Creating spoofing detection chain
iptables: No chain/target/match by that name
 * Creating portscan detection chain (based on flags)
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
 * Creating portscan detection chain (based on ports)
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
 * Creating trojan scan  detection chain
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
 * Creating icmp chains
iptables: No chain/target/match by that name
 * Creating ping chain
 * Creating ftp chain
 * Creating ssh chain
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
 * Creating smtp chain
 * Creating dns chain
 * Creating dhcp chain
 * Creating http/https chain
 * Creating pop3 chain
 * Creating ident chain
 * Creating ident chain
 * Creating news chain
 * Creating ntp chain
 * Creating smb chain
 * Creating imap chain
 * Creating ldap chain
 * Creating rsync chain
 * Creating cvs chain
 * Creating icq chain
 * Creating irc chain
 * Creating teamspeak chain
 * Creating cddb chain
 * Creating pgp chain
 * Creating squid chain
 * Creating distcc chain
 * Applying general protection to input
 * Applying general protection to forward
 * Applying general protection to output
 * Creating directional chains
 * Applying rules to external-to-fw chain
 * Applying rules to internal-to-external chain
 * Applying rules to fw-to-external chain
 * Applying rules to fw-to-internal chain
 * Applying rules to external-to-internal chain
 * Masquerading external Connections                                                                       [ ok ]
 * Enabling forwarding for ipv4                                                                                  [ ok ]
genbox flex # 
```

For now the iptables rules are set up as in this Gentoo router script: https://forums.gentoo.org/viewtopic.php?p=377447&highlight=#377447

- regards -

----------

## DrAt0mic

Hello!

I'd assume you're missing some modules! You should check your kernel config to see whether everything is in the kernel, or load the corresponding modules!

----------

## utang

I've provisionally taken everything in for now...

An excerpt of the networking part of the kernel config:

```
#
# Networking support
#
CONFIG_NET=y

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
# CONFIG_NETLINK_DEV is not set
CONFIG_UNIX=y
# CONFIG_NET_KEY is not set
CONFIG_INET=y
# CONFIG_IP_MULTICAST is not set
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
# CONFIG_IP_ROUTE_FWMARK is not set
CONFIG_IP_ROUTE_NAT=y
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_TOS is not set
# CONFIG_IP_ROUTE_VERBOSE is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_ARPD is not set
CONFIG_INET_ECN=y
# CONFIG_SYN_COOKIES is not set
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set

#
# IP: Virtual Server Configuration
#
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
# CONFIG_DECNET is not set
# CONFIG_BRIDGE is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_LIMIT is not set
# CONFIG_IP_NF_MATCH_IPRANGE is not set
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
# CONFIG_IP_NF_MATCH_TOS is not set
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
# CONFIG_IP_NF_MATCH_LENGTH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
# CONFIG_IP_NF_TARGET_REDIRECT is not set
# CONFIG_IP_NF_TARGET_NETMAP is not set
# CONFIG_IP_NF_TARGET_SAME is not set
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_MANGLE=y
# CONFIG_IP_NF_TARGET_TOS is not set
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_DSCP is not set
CONFIG_IP_NF_TARGET_MARK=y
# CONFIG_IP_NF_TARGET_CLASSIFY is not set
CONFIG_IP_NF_TARGET_LOG=y
# CONFIG_IP_NF_TARGET_ULOG is not set
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y

#
# SCTP Configuration (EXPERIMENTAL)
#
CONFIG_IPV6_SCTP__=y
# CONFIG_IP_SCTP is not set
# CONFIG_ATM is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_LLC2 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_NET_DIVERT is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_NET_FASTROUTE is not set
# CONFIG_NET_HW_FLOWCONTROL is not set

#
# QoS and/or fair queueing
#
# CONFIG_NET_SCHED is not set

#
# Network testing
#
# CONFIG_NET_PKTGEN is not set
CONFIG_NETDEVICES=y

#
# ARCnet devices
#
# CONFIG_ARCNET is not set
CONFIG_DUMMY=y
# CONFIG_BONDING is not set
# CONFIG_EQUALIZER is not set
# CONFIG_TUN is not set
# CONFIG_NET_SB1000 is not set

#
# Ethernet (10 or 100Mbit)
#
CONFIG_NET_ETHERNET=y
# CONFIG_MII is not set
# CONFIG_HAPPYMEAL is not set
# CONFIG_SUNGEM is not set
# CONFIG_NET_VENDOR_3COM is not set

#
# Tulip family network device support
#
# CONFIG_NET_TULIP is not set
# CONFIG_HP100 is not set
CONFIG_NET_PCI=y
# CONFIG_PCNET32 is not set
# CONFIG_AMD8111_ETH is not set
# CONFIG_ADAPTEC_STARFIRE is not set
# CONFIG_B44 is not set
# CONFIG_FORCEDETH is not set
# CONFIG_DGRS is not set
# CONFIG_EEPRO100 is not set
CONFIG_E100=y
# CONFIG_FEALNX is not set
# CONFIG_NATSEMI is not set
# CONFIG_NE2K_PCI is not set
# CONFIG_8139CP is not set
# CONFIG_8139TOO is not set
# CONFIG_SIS900 is not set
# CONFIG_EPIC100 is not set
# CONFIG_SUNDANCE is not set
# CONFIG_TLAN is not set
# CONFIG_VIA_RHINE is not set

#
# Ethernet (1000 Mbit)
#
# CONFIG_ACENIC is not set
# CONFIG_DL2K is not set
# CONFIG_E1000 is not set
# CONFIG_NS83820 is not set
# CONFIG_HAMACHI is not set
# CONFIG_YELLOWFIN is not set
# CONFIG_R8169 is not set
# CONFIG_SIS190 is not set
# CONFIG_SK98LIN is not set
# CONFIG_NET_BROADCOM is not set
# CONFIG_TIGON3 is not set

#
# Ethernet (10000 Mbit)
#
# CONFIG_IXGB is not set
# CONFIG_FDDI is not set
# CONFIG_HIPPI is not set
CONFIG_PPP=y
# CONFIG_PPP_MULTILINK is not set
# CONFIG_PPP_FILTER is not set
CONFIG_PPP_ASYNC=y
CONFIG_PPP_SYNC_TTY=y
# CONFIG_PPP_DEFLATE is not set
# CONFIG_PPP_BSDCOMP is not set
CONFIG_PPPOE=y
# CONFIG_SLIP is not set

#
# Wireless LAN (non-hamradio)
#
# CONFIG_NET_RADIO is not set

#
# Token Ring devices
#
# CONFIG_TR is not set
# CONFIG_NET_FC is not set
# CONFIG_RCPCI is not set
# CONFIG_SHAPER is not set

#
# Wan interfaces
#
# CONFIG_WAN is not set
```

What could be missing?

----------

## utang

I've now entered one of them by hand in the console to see where it actually throws the error...

"Creating fragments chain"

```
genbox flex # /sbin/iptables -N disallow-fragments
genbox flex # /sbin/iptables -F disallow-fragments
genbox flex # /sbin/iptables -A disallow-fragments -f -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Fragments: "
iptables: No chain/target/match by that name
genbox flex # /sbin/iptables -A disallow-fragments -f -j DROP
```

Maybe someone can make more of that...

----------

## toskala

Apart from the fact that on my box it complains about this:

```
gatecrash root # /sbin/iptables -A disallow-fragments -f -m limit --limit 6/minute -j LOG --log-level info --log-prefix
iptables v1.2.9: Unknown arg `--log-prefix'
Try `iptables -h' or 'iptables --help' for more information.
```

creating the rule etc. works.

Re-emerge your iptables. That sometimes fixes a few problems.

----------

## DrAt0mic

*utang wrote:*

> I've now entered one of them by hand in the console to see where it actually throws the error...
>
> "Creating fragments chain"
>
> ```
> ...
> ```

My guess would be that "CONFIG_IP_NF_MATCH_LIMIT" is missing! Without it, the "-m limit --limit 6/minute" doesn't work!

Give that a try!

----------

## utang

OK, many thanks, that was exactly it... after compiling in this option, the other error messages disappeared too! ...

Is there an approximate overview somewhere of which kernel options or modules are needed for iptables so that their functions can actually be used?
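The thread resolves one `-m limit` failure by hand; the mapping generalizes, because every `-m` match extension and every non-trivial `-j` target is its own `CONFIG_IP_NF_MATCH_*` or `CONFIG_IP_NF_TARGET_*` option in a 2.6-era kernel. The script below is an added example, not part of the thread or of the linked router script: it walks the arguments of an iptables rule, maps each match and target to its kernel option (the option names are the ones listed in the config excerpt above) and reports which ones a given `.config` has neither built in (`=y`) nor as a module (`=m`). The `SAMPLE_CONFIG` is a constructed excerpt mirroring the situation in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report the CONFIG_IP_NF_* kernel
# options an iptables rule needs that a given .config does not provide.
# Option names follow the 2.6-era "IP: Netfilter Configuration" menu.

# Kernel option behind a match extension (-m NAME); empty if the match is
# part of ip_tables itself (tcp/udp/icmp) or not in this table.
match_option() {
    case "$1" in
        limit)     echo CONFIG_IP_NF_MATCH_LIMIT ;;
        iprange)   echo CONFIG_IP_NF_MATCH_IPRANGE ;;
        mac)       echo CONFIG_IP_NF_MATCH_MAC ;;
        pkttype)   echo CONFIG_IP_NF_MATCH_PKTTYPE ;;
        mark)      echo CONFIG_IP_NF_MATCH_MARK ;;
        multiport) echo CONFIG_IP_NF_MATCH_MULTIPORT ;;
        tos)       echo CONFIG_IP_NF_MATCH_TOS ;;
        recent)    echo CONFIG_IP_NF_MATCH_RECENT ;;
        ecn)       echo CONFIG_IP_NF_MATCH_ECN ;;
        dscp)      echo CONFIG_IP_NF_MATCH_DSCP ;;
        ah|esp)    echo CONFIG_IP_NF_MATCH_AH_ESP ;;
        length)    echo CONFIG_IP_NF_MATCH_LENGTH ;;
        ttl)       echo CONFIG_IP_NF_MATCH_TTL ;;
        tcpmss)    echo CONFIG_IP_NF_MATCH_TCPMSS ;;
        helper)    echo CONFIG_IP_NF_MATCH_HELPER ;;
        state)     echo CONFIG_IP_NF_MATCH_STATE ;;
        conntrack) echo CONFIG_IP_NF_MATCH_CONNTRACK ;;
        owner)     echo CONFIG_IP_NF_MATCH_OWNER ;;
        *)         echo "" ;;
    esac
}

# Kernel option behind a target (-j NAME); ACCEPT, DROP, RETURN and jumps
# to user-defined chains need none.
target_option() {
    case "$1" in
        REJECT)     echo CONFIG_IP_NF_TARGET_REJECT ;;
        MASQUERADE) echo CONFIG_IP_NF_TARGET_MASQUERADE ;;
        REDIRECT)   echo CONFIG_IP_NF_TARGET_REDIRECT ;;
        NETMAP)     echo CONFIG_IP_NF_TARGET_NETMAP ;;
        SAME)       echo CONFIG_IP_NF_TARGET_SAME ;;
        TOS)        echo CONFIG_IP_NF_TARGET_TOS ;;
        ECN)        echo CONFIG_IP_NF_TARGET_ECN ;;
        DSCP)       echo CONFIG_IP_NF_TARGET_DSCP ;;
        MARK)       echo CONFIG_IP_NF_TARGET_MARK ;;
        CLASSIFY)   echo CONFIG_IP_NF_TARGET_CLASSIFY ;;
        LOG)        echo CONFIG_IP_NF_TARGET_LOG ;;
        ULOG)       echo CONFIG_IP_NF_TARGET_ULOG ;;
        TCPMSS)     echo CONFIG_IP_NF_TARGET_TCPMSS ;;
        *)          echo "" ;;
    esac
}

# Usage: missing_options "$config_text" <iptables rule arguments...>
# Prints, one per line, the options the rule needs that are neither =y nor
# =m in the config text. No output means the kernel can load the rule.
missing_options() {
    config=$1; shift
    while [ $# -gt 0 ]; do
        case "$1" in
            -m) opt=$(match_option "$2") ;;
            -j) opt=$(target_option "$2") ;;
            *)  opt="" ;;
        esac
        if [ -n "$opt" ] && ! printf '%s\n' "$config" | grep -q "^$opt=[ym]$"; then
            echo "$opt"
        fi
        shift
    done
}

# Constructed .config excerpt: LOG target built in, REJECT as a module,
# limit match left out, as in the thread.
SAMPLE_CONFIG='CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_LIMIT is not set
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_REJECT=m'

# The rule that failed in the thread; only the limit match is reported.
missing_options "$SAMPLE_CONFIG" -A disallow-fragments -f -m limit --limit 6/minute \
    -j LOG --log-level info --log-prefix "FIREWALL: Fragments: "
```

On a real box, feed it the running kernel's config instead of the sample text, e.g. `missing_options "$(cat /usr/src/linux/.config)" <rule>` or, where the kernel exports it, `"$(zcat /proc/config.gz)"`. An option reported as present with `=m` still needs its `ipt_*` module loaded; iptables normally loads it on demand through modprobe, so the check only flags what cannot be loaded at all.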

----------

## utang

Oh, I have one more question: I'd also be interested in where it writes the messages that are supposed to be logged (maybe into /var/log/messages), and how I can find out which port I need to add to the rules for the program rdesktop so that I can establish a connection...

Because with the rules here (https://forums.gentoo.org/viewtopic.php?p=377447&highlight=#377447) it doesn't work.

EDIT:

With netstat I can see that it sends a SYN packet, but then nothing happens, and rdesktop keeps waiting to establish a connection, which is apparently being dropped by the filter rules...

```
netstat

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      1 -edit-ip- -edit-ip-:3389      SYN_SENT   
```

----------

## Spida

Where it logs that depends on your logger and its config.

With metalog I'd start looking in /var/log/everything/current or /var/log/kernel/current, with syslog[-ng] in /var/log/kern.log. I don't know exactly where it ends up in your case; I've configured my syslog-ng so that it goes to /var/log/firewall.log. In that context I can only recommend the gentoo-security-guide, it has a nice example config for syslog-ng.

Once you've found that out, go to the new homepage of my firewall script and enable debugging for the corresponding direction.
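Once the log file is known, the quickest way to see what the filter is dropping is to reduce the kernel's LOG lines to "prefix, protocol, destination port" and count them. The script below is an added example, not part of the thread or of the firewall script it discusses: it keeps only lines carrying the script's `FIREWALL:` prefix (the prefix seen in the rule above) and tallies them by rule prefix and `PROTO=`/`DPT=` field, so a blocked rdesktop attempt like the `SYN_SENT` entry above shows up as repeated hits on port 3389. The log lines in `SAMPLE_LOG` are constructed; the field layout (`IN= OUT= SRC= DST= ... PROTO= SPT= DPT=`) is the one the iptables LOG target writes, and the chain prefix `Internal-to-External:` is an assumed name.

```shell
#!/bin/sh
# Added example (not from the thread): tally iptables LOG lines by rule
# prefix, protocol and destination port to see which traffic a rule drops.

# Usage: summarize_firewall_log < logfile
# Output: "<count> <prefix> <proto>/<dpt>" lines, busiest first.
summarize_firewall_log() {
    grep 'FIREWALL:' | awk '
    {
        # The rule prefix is whatever sits between "FIREWALL: " and " IN=".
        prefix = $0
        sub(/.*FIREWALL: /, "", prefix)
        sub(/ *IN=.*/, "", prefix)
        proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        count[prefix " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed kernel log excerpt: three dropped SYNs from a LAN host to an
# external RDP server, one logged fragment, and one unrelated sshd line.
SAMPLE_LOG='Jan 10 21:03:11 genbox kernel: FIREWALL: Internal-to-External: IN=eth1 OUT=ppp0 SRC=192.168.0.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=32771 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 21:03:14 genbox kernel: FIREWALL: Internal-to-External: IN=eth1 OUT=ppp0 SRC=192.168.0.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=32771 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 21:03:20 genbox kernel: FIREWALL: Internal-to-External: IN=eth1 OUT=ppp0 SRC=192.168.0.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=32771 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 21:04:02 genbox kernel: FIREWALL: Fragments: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=51 ID=7 FRAG:185 PROTO=UDP
Jan 10 21:05:00 genbox sshd[1234]: Accepted publickey for flex from 192.168.0.10 port 40112 ssh2'

# prints: 3 Internal-to-External: TCP/3389
#         1 Fragments: UDP/-
printf '%s\n' "$SAMPLE_LOG" | summarize_firewall_log
```

Run it against the real file (`summarize_firewall_log < /var/log/kern.log`, or whichever path the logger uses) while retrying the connection; the prefix column tells you which chain of the script dropped the packet, and the port column is what has to be added to that chain's rules. Fragments and ICMP carry no `DPT=`, which is why the summary prints `-` for them instead of skipping the line.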

----------

