[lug] iptables error
D. Stimits
stimits at idcomm.com
Tue Feb 27 13:39:29 MST 2001
charles at lunarmedia.net wrote:
>
> > I'm not all that familiar with it yet either, but the errors you show
> > below are kernel module errors, not directly firewall (it happens that
>
> actually, the error i was referring to was the
>
> iptables: No chain/target/match by that name
The source appears to be the same in working versus non-working, this
wouldn't be the problem. The target also appears to be the same in
working versus non-working. The match "-m state --state
ESTABLISHED,RELATED" must be the problem. The portions that work are
part of packet filtering, whereas the failing portion is part of the new
iptables features. I wonder if the iptables features are not
running/active?
>
> i am guessing that its getting the errors from insmod because i don't have
> those modules compiled into the kernel, yet the firewall script attempts
> to load them. the result of a script written that tries to apply to
> everyone's individual scenario.
>
> i could be wrong, but i think these errors are okay.
This could be correct. Several scripts make assumptions that everything
is a module. The thing I would wonder about is if all the required
iptables kernel support is active, which appears to be configured
separately from filtering.
>
> i just don't see why the no chain/target/match error is occurring. and
> more importantly, why it goes away when i remove the match params of the
> chains.
>
> -cjm
>
> ###
>
> > the kernel modules it can't find are firewall modules). I'm assuming
> > this is not a default/stock kernel install, and most likely the new
> > kernel modules for these services are missing. On a different note,
> > sometimes multiple kernels are bootable, and one of the bootable kernels
> > has built-in functions, while the others use the same thing as modules;
> > then the peripheral files, like /etc/modules.conf or conf.modules, try
> > to use a module that isn't there and it complains (it works anyway,
> > since the reason the module is missing is because it isn't needed, the
> > support is compiled in). Basically it looks like this is entirely a
> > kernel and kernel module issue.
> >
> > charles at lunarmedia.net wrote:
> > >
> > > I am receiving the following error:
> > >
> > > Firewall script saved as /etc/firestarter/firewall.sh
> > > modprobe: Can't locate module ip_conntrack
> > > modprobe: Can't locate module ipt_REDIRECT
> > > modprobe: Can't locate module ipt_TOS
> > > modprobe: Can't locate module ipt_MASQUERADE
> > > modprobe: Can't locate module ipt_MIRROR
> > > modprobe: Can't locate module iptable_nat
> > > iptables: No chain/target/match by that name
> > > Firewall script restarted
> > >
> > > when I attempt to run iptables with the following line in its config:
> > >
> > > $IPT -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -s 0/0 -d $NET
> > > --dport 1023:65535 -j ACCEPT
> > >
> > > when i edit this line to no longer include state inspection:
> > >
> > > $IPT -A INPUT -p tcp -s 0/0 -d $NET --dport 1023:65535 -j ACCEPT
> > >
> > > the error is no longer present and forwarding of packets resumes:
> > >
> > > modprobe: Can't locate module ip_conntrack
> > > modprobe: Can't locate module ipt_REDIRECT
> > > modprobe: Can't locate module ipt_TOS
> > > modprobe: Can't locate module ipt_MASQUERADE
> > > modprobe: Can't locate module ipt_MIRROR
> > > modprobe: Can't locate module iptable_nat
> > > Firewall script restarted
> > >
> > > i am not really familiar with what the "iptables: No chain/target/match by
> > > that name" error implies. especially since it is easily corrected by the
> > > removal of the state inspection.
> > >
> > > i am using a gui for the iptables configuration called firestarter. it
> > > seems pretty stable, and is at the very least a quick way to get an
> > > iptables config going that can be edited be hand to save some typing time.
> > >
> > > i am just not familiar with iptables enough to know what the no chain
> > > match error is getting at.
> > >
> > > thanks! -cjm
More information about the LUG
mailing list