iptables: No chain/target/match by that name

qanopus · 03-27-2003, 11:47 AM

Hi,

I'm trying to configure my firewall on my pc. (so no network, only one machine). I did a whole lot to get it up and running. Here is a summery.

Fist I recompiled my kernel to get iptables support. I have kernel 2.4.20. Here is my .config file for my kernel (relevent parts :

#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
# CONFIG_IP_MULTICAST is not set
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_MULTIPLE_TABLES is not set
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_TOS is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_ROUTE_LARGE_TABLES is not set
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
# CONFIG_IP_PNP_BOOTP is not set
# CONFIG_IP_PNP_RARP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set
# CONFIG_SYN_COOKIES is not set
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_LIMIT is not set
# CONFIG_IP_NF_MATCH_MAC is not set
# CONFIG_IP_NF_MATCH_PKTTYPE is not set
# CONFIG_IP_NF_MATCH_MARK is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
# CONFIG_IP_NF_MATCH_LENGTH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_TCPMSS is not set
# CONFIG_IP_NF_MATCH_HELPER is not set
# CONFIG_IP_NF_MATCH_STATE is not set
# CONFIG_IP_NF_MATCH_CONNTRACK is not set
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
CONFIG_IP_NF_TARGET_REDIRECT=m
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_DSCP is not set
# CONFIG_IP_NF_TARGET_MARK is not set
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
# CONFIG_IPV6 is not set
# CONFIG_KHTTPD is not set
# CONFIG_ATM is not set
# CONFIG_VLAN_8021Q is not set
#
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
#
# Appletalk devices
#
# CONFIG_DECNET is not set
# CONFIG_BRIDGE is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_LLC is not set
# CONFIG_NET_DIVERT is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_NET_FASTROUTE is not set
# CONFIG_NET_HW_FLOWCONTROL is not set
#
# QoS and/or fair queueing
#
# CONFIG_NET_SCHED is not set
#
# Network testing
#
# CONFIG_NET_PKTGEN is not set

At fist I coulden't even find the bit where I could get support for iptables. When atlast I did manage to get ip_tables compiled as module, I got unresolved symboles in the module. Any way I fixed that.

After configuring the kernel, I downloaded and installed guarddog. That went ok. But for some reason when I say to applie the rules I just created I get a hole lot of

iptables: No chain/target/match by that name

messages. After that, I can have no network traffic at all. No till I kill the firewall.
Why? I have downloded some howto's (firewall howto, ipchains howto) but the size of those really intimidate me. Can someone help me out ? Sorry if I left any crucial info out of this post. I really am a newbie at this.

I would apreciate any help. Thanks

Capt_Caveman · 03-27-2003, 10:18 PM

Sounds more like you're missing some modules, rather than a screwed up firewall script. Use lsmod and make sure that you have modules loaded for the iptables flags and chains. Looking at the modules I have loaded now that are relevent for iptables:

ipt_REJECT
ipt_LOG
ipt_state
ipt_MASQUERADE
iptable_nat
ip_conntrack
iptable_filter
ip_tables

I would bet that you're not loading one or more of them. Narrow down what your missing and make and install the lost modules.

What distro are you using? Most should have iptables support or at least ipchains/ipfwadmin built in out of the box. So it's kind of strange that you had to recompile the kernel just to get support. HTH

qanopus · 03-28-2003, 02:41 AM

Thanks for your replie.

I browsed on the internet some more and I came to the same conclusion you did. Right now I have all the modules you summed up except for ipt_MASQUERADE, but i got my firewall up and running none the less. But should I compile ipt_MASQUERADE?

I have a debian woody installation. I had to compile my kernel to get support for some non-standerd hardware (cd recorder, nic interface). But being unexperianced as I am, I didn't include support of netfilter. So when I came round to configure my firewall, I had to recompile the kernel to get support for them after all.

Capt_Caveman · 03-28-2003, 08:46 AM

Unless you plan on adding machines to a internal LAN, you probably won't ever need the Masquerade module.

Just out of curiousity, did you get your firewall up even with those errors? If so, what did you do.

qanopus · 03-29-2003, 06:39 AM

No those errors went away when I compiled and installed some aditional modules.

peter_robb · 04-01-2003, 03:08 AM

Unless you're going to produce a super small kernel, set the kernel options for all the netfilter entries to <M> to make them modules.
This way they will load when they are called from the iptables rules & you won't need to manually load them.

There are also options for ipchains amd ipfwadm.
Say <N> for these to avoid problems later.

Debian left these options as modules for people upgrading from 2.2 kernels and who still want to keep their ipchains scripts.

Sum1 · 01-04-2009, 09:10 PM

Quote:

Originally Posted by Capt_Caveman

Sounds more like you're missing some modules

ipt_MASQUERADE

I would bet that you're not loading one or more of them.

Ahh yeah, 5 years later but it's never too late for a sincere thank you!!
So thanks, Mr. Caveman.
I was trying some new firewall options today on a new routerbox, got myself all confused, and finally couldn't make anything work right.

Pulled my hair for a few hours before finding your post.

Very much appreciated.
Now I'm back on track.

Best regards.