# [SOLVED] iptables-restore: failed on COMMIT

## Joseph_sys

I'm using kernel 2.6.27-gentoo-r8 and iptables fails to load:

```
# iptables-restore /var/lib/iptables/rules-save
iptables-restore: line 9 failed
```

Line 9 is the COMMIT of the nat table:

```
# Generated by iptables-save v1.4.2 on Sun Apr  5 14:22:04 2009
*nat
:PREROUTING ACCEPT [74617:11327302]
:POSTROUTING ACCEPT [2945648:183312981]
:OUTPUT ACCEPT [1333419:86572588]
[546153:32778033] -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 31 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner 31 -j ACCEPT
[1066076:63962360] -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Sun Apr  5 14:22:04 2009
# Generated by iptables-save v1.4.2 on Sun Apr  5 14:22:04 2009
*mangle
:PREROUTING ACCEPT [118316676:78375547856]
:INPUT ACCEPT [118315247:78375093450]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [120391939:74176530602]
:POSTROUTING ACCEPT [120464737:74186149888]
COMMIT
# Completed on Sun Apr  5 14:22:04 2009
# Generated by iptables-save v1.4.2 on Sun Apr  5 14:22:04 2009
*filter
:INPUT ACCEPT [118315247:78375093450]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [120391939:74176530602]
COMMIT
# Completed on Sun Apr  5 14:22:04 2009
```

Apparently it fails on one of the lines above, but I cannot figure out which one. All the filters are built into the kernel; here are the relevant entries (I think):

```
# grep -i "NETFILTER" .config
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
# Core Netfilter Configuration
# CONFIG_NETFILTER_NETLINK_QUEUE is not set
# CONFIG_NETFILTER_NETLINK_LOG is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
# CONFIG_NETFILTER_XT_TARGET_DSCP is not set
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
# CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set
# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
# CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set
# CONFIG_NETFILTER_XT_MATCH_CONNLIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNMARK is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_DSCP=y
CONFIG_NETFILTER_XT_MATCH_ESP=y
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_QUOTA=y
# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
CONFIG_NETFILTER_XT_MATCH_REALM=y
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
# CONFIG_NETFILTER_XT_MATCH_TIME is not set
# CONFIG_NETFILTER_XT_MATCH_U32 is not set
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
# IP: Netfilter Configuration
```

Does anybody have any idea which one I'm missing?

Last edited by Joseph_sys on Fri Apr 10, 2009 5:24 am; edited 1 time in total

----------

## Hu

An unfortunate consequence of how iptables-restore inserts the tables is that you can only tell which table failed, not which rule within the table caused the failure. Since you have a failure on line 9, everything in nat is suspect. The easiest way to find the problematic rule is to add each of those rules by hand. When you reach the one which fails, it will fail at the command line as well.

You have omitted the owner match, but you are using a uid ownership match.

----------

## Joseph_sys

I was following this guide to set it up:

http://www.linux.com/articles/113733

in the past it worked, but when I try it now, e.g.:

```
# iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables: No chain/target/match by that name
```

What does it mean "No chain/target/match by that name"?

----------

## Dairinin

I think that's the last iptables version bump. Filtering in the nat table is no longer supported.

----------

## Joseph_sys

Any idea what replaces the iptables filtering or how to go about it?

----------

## Dairinin

*Joseph_sys wrote:*

> Any idea what replaces the iptables filtering or how to go about it?

Do it in the filter table, as expected by design.

----------

## Joseph_sys

Any pointers to "howto"?

----------

## Dairinin

Here we go

----------

## Hu

*Joseph_sys wrote:*

> I was following this guide to set it up:
>
> http://www.linux.com/articles/113733
>
> in the past it worked but when I try it now eg:
> ...

You attempted to append to a missing chain, use a match for which no implementation is available, or jump to a target which does not exist. ACCEPT is a built-in target. OUTPUT is a built-in chain. That leaves the match. As I said before, you left out support for owner based matching, but you are trying to use an owner based match. You need to enable NETFILTER_XT_MATCH_OWNER.
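
Hu's two replies together give the diagnostic procedure: iptables-restore only names the table that failed, and "No chain/target/match by that name" means a chain, target or match the kernel does not know. The script below is an added example (not code from the thread or from iptables) that automates the match half of that check offline: it pulls every `-m <match>` out of an iptables-save dump and looks for the corresponding `CONFIG_NETFILTER_XT_MATCH_<MATCH>=y` or `=m` line in a kernel `.config`. The sample rules and `.config` fragment are constructed here to mirror the thread's situation. It assumes the 2.6.27-era naming convention (match name upper-cased under `CONFIG_NETFILTER_XT_MATCH_`) and that the `tcp` and `udp` matches are provided by `xt_tcpudp`, which is built together with `x_tables` whenever `CONFIG_NETFILTER_XTABLES` is enabled and has no option of its own; targets such as REDIRECT live under other symbols and are deliberately not covered.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the "-m <match>" modules an
# iptables-save dump uses against a kernel .config, so a match that was left
# out of the kernel is found before iptables-restore fails on COMMIT.

# Constructed sample inputs: a trimmed nat table like the one in the thread and
# a .config fragment that omits CONFIG_NETFILTER_XT_MATCH_OWNER.
RULES='*nat
:OUTPUT ACCEPT [0:0]
[0:0] -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 31 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

KCONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
CONFIG_NETFILTER_XT_MATCH_STATE=m'

# Print the distinct match names that follow "-m" in the rules, one per line,
# skipping comment, chain (":") and table ("*") lines.
used_matches() {
    printf '%s\n' "$1" | awk '
        /^[#:*]/ { next }
        { for (i = 1; i < NF; i++) if ($i == "-m") seen[$(i + 1)] = 1 }
        END { for (m in seen) print m }' | sort
}

# Map a match name to the .config symbol expected to provide it (assumed
# convention: CONFIG_NETFILTER_XT_MATCH_<NAME> in upper case).
match_symbol() {
    printf 'CONFIG_NETFILTER_XT_MATCH_%s\n' "$(printf '%s' "$1" | tr 'a-z' 'A-Z')"
}

# Report matches used by the rules that are neither built in (=y) nor modular
# (=m) in the config.  Prints one "missing: <match> (<symbol>)" line per gap
# and returns 1 if any were found, 0 otherwise.
check_matches() {
    rules=$1
    config=$2
    rc=0
    for m in $(used_matches "$rules"); do
        case $m in
            # xt_tcpudp is built with x_tables itself; no separate symbol.
            tcp|udp) continue ;;
        esac
        sym=$(match_symbol "$m")
        if ! printf '%s\n' "$config" | grep -q "^$sym=[ym]\$"; then
            echo "missing: $m ($sym)"
            rc=1
        fi
    done
    return $rc
}

# Run against the constructed inputs.  With a real system, replace the two
# variables with $(cat /var/lib/iptables/rules-save) and $(cat /usr/src/linux/.config).
check_matches "$RULES" "$KCONFIG" || echo "enable the symbols above and rebuild the kernel"
```

The check only tells you which kernel option to enable; it does not replace Hu's advice to replay the suspect rules one by one, because a rule can also fail on a target or on a user-defined chain that was never created, and those still have to be tried at the command line.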

----------

## Joseph_sys

*Hu wrote:*

> You attempted to append to a missing chain, use a match for which no implementation is available, or jump to a target which does not exist. ACCEPT is a built-in target. OUTPUT is a built-in chain. That leaves the match. As I said before, you left out support for owner based matching, but you are trying to use an owner based match. You need to enable NETFILTER_XT_MATCH_OWNER.

 

Thank you Hu, your reply is a true Gentoo attitude when it comes to help (not like the one above :-/)

And yes, you are correct, my kernel was missing:

```
CONFIG_NETFILTER_XT_MATCH_OWNER=y
```

After the kernel upgrade to 2.6.27-gentoo-r8 it seems to me they must have rearranged these modules somehow, so it was missing. I was able to figure it out on my own, but it took me a while to get it as I'm not a guru in iptables.

Anyhow, now it works.

There is a good howto with DansGuardian + Squid + iptables at:

http://www.linux.com/articles/113733

The only section that is missing is the correct kernel configuration, and sometimes that is the biggest pain, especially for those who are not familiar with iptables, to decipher.

----------

