iptables: No chain/target/match by that name

Support for security such as Firewalls and securing linux
origon
Posts: 3
Joined: 2012/05/17 10:53:40

iptables: No chain/target/match by that name

Post by origon » 2012/05/17 13:02:37

Hi,

Long time on Linux but first time with CentOS 6.2.
I am trying to configure a firewall on a virtual server.

When I send a simple command like this
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I receive the error
iptables: No chain/target/match by that name

But if I send another command like
iptables -A INPUT -i venet0:0 -p tcp --dport 22 -j ACCEPT
there is no error!
iptables seems to be correctly installed.

Can somebody help me? Thanks in advance

Origon

Crunch
Posts: 101
Joined: 2012/04/02 11:24:46

Re: iptables: No chain/target/match by that name

Post by Crunch » 2012/05/18 00:49:35

Hi

Thanks for posting. This post (http://lists.netfilter.org/pipermail/netfilter/2006-January/064454.html) from the netlink list may be helpful. It suggests using the -t filter option.

origon
Posts: 3
Joined: 2012/05/17 10:53:40

Re: iptables: No chain/target/match by that name

Post by origon » 2012/05/18 12:06:16

Thank you Crunch for your reply

but there is the same error with the line
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I don't understand... 100 people have read my message
and there is no solution!
Nobody uses iptables??
Nobody has the same error??

Origon

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

iptables: No chain/target/match by that name

Post by pschaff » 2012/05/18 13:43:37

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature, and note the part in Readme First (http://www.centos.org/modules/newbb/viewtopic.php?topic_id=28726&forum=54) about expectations for answers, and when/how to bump a thread. Your post complaining about the lack of an immediate answer followed your first by less than 24 hours, and you have had an answer, just not one you liked.

Most people with a clue about security use iptables, but not everyone enters their own rules manually. It might help if you provided more information (http://www.centos.org/modules/newbb/viewtopic.php?topic_id=28723&forum=54) such as the output of iptables-save to give people more to work from. Inspecting that output might also give you some ideas.

Crunch
Posts: 101
Joined: 2012/04/02 11:24:46

Re: iptables: No chain/target/match by that name

Post by Crunch » 2012/05/18 16:14:59

I note that the error occurs when you try to use the connection tracking options. Are the right modules loaded?

Incidentally, starting and stopping iptables on CentOS is best done with the /etc/init.d/iptables script. This should ensure the right modules are loaded. There is also a firewall configuration file under /etc/sysconfig which is used to load rules at startup.

origon
Posts: 3
Joined: 2012/05/17 10:53:40

Re: iptables: No chain/target/match by that name

Post by origon » 2012/05/19 20:01:22

Here is the output of iptables-save

# Generated by iptables-save v1.4.7 on Sat May 19 21:47:18 2012
*mangle
:PREROUTING ACCEPT [440930:88161069]
:INPUT ACCEPT [440930:88161069]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [454124:233647049]
:POSTROUTING ACCEPT [454124:233647049]
COMMIT
# Completed on Sat May 19 21:47:18 2012
# Generated by iptables-save v1.4.7 on Sat May 19 21:47:18 2012
*filter
:INPUT ACCEPT [100539:19479398]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [109872:62753840]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i venet0:0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sat May 19 21:47:18 2012

Concerning the module, I think there is no module loaded for iptables.
The output of lsmod is empty.
How do I find the module?

Crunch
Posts: 101
Joined: 2012/04/02 11:24:46

Re: iptables: No chain/target/match by that name

Post by Crunch » 2012/05/19 21:41:24

If you would like us to assist further, please do as pschaff suggests and post the additional output (more output: http://www.centos.org/modules/newbb/viewtopic.php?topic_id=28723&forum=54).

Also I would verify the following to make sure they haven't been tampered with:

rpm -V kernel iptables iptables-ipv6

Other than this, I'm not too sure what to suggest. I haven't used iptables in a while. I thought this might be a quickie, but maybe not. If the above packages have been tampered with or damaged in some way, I would reinstall. My newly installed CentOS 6.2 allows me to add that rule even when the modules aren't loaded; i.e. the modules are auto-loaded. Admittedly I'm not running any virtualization software as I gather you might be from the venet device.

The only time I could replicate that error is when I used a chain that didn't exist.

If it is any help, my modules look like this:

lsmod|egrep '(nf_|xt_)'
nf_conntrack_ipv4 7694 1
nf_defrag_ipv4 1039 1 nf_conntrack_ipv4
nf_conntrack_ipv6 7207 2
nf_defrag_ipv6 9873 1 nf_conntrack_ipv6
xt_state 1064 3
nf_conntrack 65524 3 nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
ipv6 264641 28 cnic,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
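
Added example, not part of any post in this thread: a shell check that reports which "-m" match or "-j" target in a rule is not registered with the kernel, which narrows down the chain/target/match error when lsmod shows nothing. It assumes the kernel lists its registered extensions in /proc/net/ip_tables_matches and /proc/net/ip_tables_targets; the function name and the sample file contents below are constructed for illustration.

```shell
#!/bin/sh
# missing_extensions RULE MATCHES_FILE TARGETS_FILE
# Prints "match:NAME" / "target:NAME" for every -m/-j extension in RULE that
# is not listed (one name per line) in the given files. Hypothetical helper.
missing_extensions() {
    rule=$1 matches_file=$2 targets_file=$3
    prev='' missing=''
    for word in $rule; do            # split the rule on whitespace
        case $prev in
            -m|--match)
                grep -qsx -- "$word" "$matches_file" ||
                    missing="$missing match:$word" ;;
            -j|--jump)
                case $word in
                    # Built-in verdicts need no extension module.
                    ACCEPT|DROP|QUEUE|RETURN) ;;
                    # A user-defined chain would also land here; confirm
                    # chain names separately with iptables-save.
                    *) grep -qsx -- "$word" "$targets_file" ||
                           missing="$missing target:$word" ;;
                esac ;;
        esac
        prev=$word
    done
    echo "${missing# }"
}

# Constructed sample lists for a system where the state match is not
# available (assumed contents, not taken from the thread).
demo_dir=$(mktemp -d)
printf '%s\n' tcp udp icmp > "$demo_dir/matches"
printf '%s\n' REJECT LOG ERROR > "$demo_dir/targets"

# The failing rule from the first post: reports match:state
missing_extensions "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
    "$demo_dir/matches" "$demo_dir/targets"
# The rule that was accepted (as shown by iptables-save): reports nothing
missing_extensions "-A INPUT -i venet0:0 -p tcp -m tcp --dport 22 -j ACCEPT" \
    "$demo_dir/matches" "$demo_dir/targets"
```

On a live system, pass /proc/net/ip_tables_matches and /proc/net/ip_tables_targets as the second and third arguments.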
