No chain/target/match by that name

Steve Turnbull steve.turnbull at yhgfl.net
Tue Sep 7 01:38:30 CEST 2004


Alistair Tonner wrote:
> On September 5, 2004 10:31 am, Steve Turnbull wrote:
> 
>>Hi
>>
>>Our web server is configured;
>>Debian (Woody) (No X installed)
>>Kernel 2.4.23 - configured with iptables in mind
>>iptables v1.2.6a
>>
>>When we start the firewall script, we get this message;
>>'No chain/target/match by that name'
> 
> 
> 	urmm ... try rebuilding iptables code against this kernel?
> 
> 	I'm not sure about Debian's packages, but is it possible that the iptables 
> code is precompiled here?
> 
> 
>>The firewall works however, but is constantly logging;
>>'Sep  5 16:00:52 www kernel: Input: IN=eth0 OUT=
>>MAC=00:e0:81:29:01:75:00:07:85:06:c2:e1:08:00 SRC=195.92.195.93
>>DST=195.92.38.54 LEN=302 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP
>>SPT=53 DPT=32833 LEN=282'
> 
> 	
> 	This looks like a reply to a DNS query.   It the state rule below didn't get 
> accepted this looks correct.
> 
> 
>>Something is amiss here, and we can't ping out from the server with the
>>firewall running, also, we can't use Lynx to browse. Turn the firewall
>>off and all is well for both of these.
> 
> 	
> 	You haven't included any rules here that regard ICMP -- no pings.
> 
> 
>>Has anybody got any ideas what is wrong? Our firewall rule is below.
>>
>>Regards
>>Steve
>>
>>
>>
>>#!/bin/sh
>>
>>
>>#
>># This is the firewall up script.
>>#
>>
>>#
>># Lets start by dropping all incoming traffic and allowing all
>># outbound traffic
>>#
>>
>>iptables -P INPUT DROP
>>iptables -P FORWARD DROP
>>iptables -P OUTPUT ACCEPT
>>
>>
>>
>># Flush any existing rules...
>>iptables -F
>>
>>
>># Allow any established connections to come on through...
>>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>>
>># This is a web server. We only require access to http ports
>># 80,21,53 and 443. New ports to allow will be added here...
>>iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>>
>>#ssh
>>iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>>
>>#ftp
>>iptables -A INPUT -p tcp --dport 21 -j ACCEPT
>>
>>#DNS
>>iptables -A INPUT -p tcp --dport 53 -j ACCEPT
>>iptables -A INPUT -p udp --dport 53 -j ACCEPT
>>
>>
>># Allow the loopback connection...
>>iptables -A INPUT -i lo -j ACCEPT
>>
>>
>># Log stuff that doesn't match above rules...
>>iptables -A INPUT -j LOG --log-prefix="Input: "
> 
> 
Turns out that it just needed some extra stuff compiling into the kernel - 
I added all of the state options and all is well now, thanks for the help

Steve

-- 
Steve Turnbull
Digital Content Developer
YHGfL Foundation

t 01724 275030
e steve.turnbull at yhgfl.net
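The thread's diagnosis rests on two checks: whether the `state` match is actually registered in the running kernel (the "No chain/target/match by that name" error means it is not, so the ESTABLISHED,RELATED rule never loads), and whether the packets hitting the catch-all LOG rule are the replies that rule should have accepted. The script below is an added example and is not part of the mailing-list thread; it parses the netfilter LOG line quoted above (reconstructed on one line as a constructed sample) into fields, classifies the packet, and reads the list of registered matches in the format of `/proc/net/ip_tables_matches` (one match name per line; that the file is present on the host is an assumption, the sample contents here are constructed).

```python
import re

# Constructed sample: the LOG line quoted in the thread, joined onto one line.
SAMPLE_LOG = (
    "Sep  5 16:00:52 www kernel: Input: IN=eth0 OUT= "
    "MAC=00:e0:81:29:01:75:00:07:85:06:c2:e1:08:00 SRC=195.92.195.93 "
    "DST=195.92.38.54 LEN=302 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP "
    "SPT=53 DPT=32833 LEN=282"
)

# Constructed samples of /proc/net/ip_tables_matches contents (assumed format:
# one registered match name per line).
MATCHES_WITH_STATE = "tcp\nudp\nicmp\nstate\n"
MATCHES_WITHOUT_STATE = "tcp\nudp\nicmp\n"

FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Split a netfilter LOG line into (prefix, fields).

    KEY=VALUE tokens become dict entries; bare flag tokens such as DF or SYN
    are stored as True. LOG prints LEN twice (IP total length, then the
    UDP/ICMP payload length), so the second occurrence is stored as LEN2.
    """
    if "kernel: " not in line:
        raise ValueError("not a kernel log line")
    rest = line.split("kernel: ", 1)[1]
    first = FIELD_RE.search(rest)
    if first is None:
        return rest.strip(), {}
    prefix = rest[: first.start()].strip()
    fields = {}
    for tok in rest[first.start():].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key in fields:
                key = key + "2"
            fields[key] = value
        else:
            fields[tok] = True
    return prefix, fields


def classify(fields):
    """Say why a packet reached the catch-all LOG rule in the posted script.

    'dns-reply' and 'icmp-echo-reply' are packets the ESTABLISHED,RELATED
    rule would have accepted if the state match were loaded.
    """
    proto = fields.get("PROTO")
    if proto == "UDP" and fields.get("SPT") == "53":
        dpt = fields.get("DPT", "")
        if dpt.isdigit() and int(dpt) >= 1024:
            return "dns-reply"
    if proto == "ICMP" and fields.get("TYPE") == "0":
        return "icmp-echo-reply"
    if proto == "TCP" and "SYN" in fields and "ACK" not in fields:
        return "new-tcp-connection"
    return "other"


def state_match_registered(proc_text):
    """True if 'state' is among the registered iptables matches.

    proc_text is the contents of /proc/net/ip_tables_matches (assumed format:
    one match name per line). When False, `-m state` fails with
    'No chain/target/match by that name'.
    """
    names = {ln.strip() for ln in proc_text.splitlines()}
    return "state" in names


if __name__ == "__main__":
    prefix, fields = parse_log_line(SAMPLE_LOG)
    print(prefix, fields["SRC"], "->", fields["DST"], classify(fields))
    for sample in (MATCHES_WITH_STATE, MATCHES_WITHOUT_STATE):
        print("state match registered:", state_match_registered(sample))
```

On a live host the `proc_text` argument would be read with `open("/proc/net/ip_tables_matches").read()`; feeding the function a string instead keeps the check testable without root or a netfilter kernel. The classifier only recognises the three cases this thread discusses (DNS replies, ping replies, fresh TCP connections); anything else is reported as "other".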



