* Re: Iptables fails on -m state --state!
From: Samuel Jean @ 2005-02-17 17:36 UTC (permalink / raw)
  To: Marco; +Cc: netfilter

On Thu, February 17, 2005 1:07 pm, Marco said:
> Hi there,
>
> even if the corresponding module is built into the kernel and loaded,
> iptables fails (No chain/target/match with that name, or something like
> that).
>
> What can I do?

Please show us the output of:

cat /proc/net/ip_tables_matches | grep state

And show us the rule you did input.

>
> Thanks
>
> Marco Nicoloso

Best regards,
Samuel


* Iptables fails on -m state --state!
From: Marco @ 2005-02-17 18:07 UTC (permalink / raw)
  To: Netfilter Mailing List

Hi there,

even if the corresponding module is built into the kernel and loaded, 
iptables fails (No chain/target/match with that name, or something like 
that).

What can I do?

Thanks

Marco Nicoloso


* Re: Iptables fails on -m state --state!
From: Jason Opperisano @ 2005-02-18 20:16 UTC (permalink / raw)
  To: netfilter

On Fri, Feb 18, 2005 at 09:16:21PM +0000, Marco wrote:
> cat /proc/net/ip_tables_matches | grep state doesn't return anything but 
> the contents of ip_tables_matches are:
> 
> tcp
> udp
> icmp

it sounds an awful lot like you compiled your kernel without:

  CONFIG_IP_NF_MATCH_STATE=y

and you would obviously also need:

  CONFIG_IP_NF_CONNTRACK=y

in there as well...

-j

--
"When will I learn? The answer to life's problems aren't at the bottom
 of a bottle, they're on TV!"
         --The Simpsons

* Re: Iptables fails on -m state --state!
From: Marco @ 2005-02-18 21:16 UTC (permalink / raw)
  To: Samuel Jean; +Cc: netfilter

Samuel Jean wrote:

>On Thu, February 17, 2005 1:07 pm, Marco said:
>
>>Hi there,
>>
>>even if the corresponding module is built into the kernel and loaded,
>>iptables fails (No chain/target/match with that name, or something like
>>that).
>>
>>What can I do?
>>
>
>Please show us the output of :
>
>cat /proc/net/ip_tables_matches | grep state
>
>And show us the rule you did input.
>
>>Thanks
>>
>>Marco Nicoloso
>
>Best regards,
>Samuel
>
cat /proc/net/ip_tables_matches | grep state doesn't return anything but 
the contents of ip_tables_matches are:

tcp
udp
icmp

while the rules are (I'm posting my whole script):
#!/bin/bash
# default policies
/sbin/iptables -v -P INPUT DROP
/sbin/iptables -v -P OUTPUT DROP
/sbin/iptables -v -P FORWARD DROP
# user-defined chains
/sbin/iptables -v -N bad_tcp_packets
/sbin/iptables -v -N allowed
/sbin/iptables -v -N tcp_packets
/sbin/iptables -v -N udp_packets
/sbin/iptables -v -N icmp_packets
# bad_tcp_packets chain
/sbin/iptables -v -A bad_tcp_packets -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset   #FAILS
/sbin/iptables -v -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"   #FAILS
/sbin/iptables -v -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -j DROP   #FAILS
# allowed chain
/sbin/iptables -v -A allowed -p TCP --syn -j ACCEPT
/sbin/iptables -v -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT   #FAILS
/sbin/iptables -v -A allowed -p TCP -j DROP
# tcp_packets, udp_packets and icmp_packets chains
/sbin/iptables -v -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
/sbin/iptables -v -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
/sbin/iptables -v -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
/sbin/iptables -v -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
/sbin/iptables -v -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
/sbin/iptables -v -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
/sbin/iptables -v -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
/sbin/iptables -v -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
/sbin/iptables -v -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# INPUT chain
/sbin/iptables -v -A INPUT -p ALL -i eth0 -s 192.168.0.240/28 -j ACCEPT
/sbin/iptables -v -A INPUT -p ALL -i lo -j ACCEPT
/sbin/iptables -v -A INPUT -p UDP -i eth0 --dport 67 --sport 68 -j ACCEPT
/sbin/iptables -v -A INPUT -p ALL -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT   #FAILS
/sbin/iptables -v -A INPUT -p TCP -i eth1 -j tcp_packets
/sbin/iptables -v -A INPUT -p UDP -i eth1 -j udp_packets
/sbin/iptables -v -A INPUT -p ICMP -i eth1 -j icmp_packets
/sbin/iptables -v -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "   #FAILS
# FORWARD chain
/sbin/iptables -v -A FORWARD -p tcp -j bad_tcp_packets
/sbin/iptables -v -A FORWARD -i eth0 -j ACCEPT
/sbin/iptables -v -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   #FAILS
/sbin/iptables -v -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "   #FAILS
# OUTPUT chain
/sbin/iptables -v -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
/sbin/iptables -v -A OUTPUT -p ALL -s 14.0.217.49 -j ACCEPT
/sbin/iptables -v -A OUTPUT -p ALL -o eth1 -j ACCEPT
/sbin/iptables -v -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "   #FAILS

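Jason's diagnosis (the kernel was built without CONFIG_IP_NF_MATCH_STATE and CONFIG_IP_NF_CONNTRACK) and Marco's script above, where every line marked #FAILS uses -m state or -m limit, suggest a pre-flight check that a rule script can run before loading anything. The script below is an added example, not code from this thread; /proc/net/ip_tables_matches and the CONFIG_ option names come from the thread, while the module names (ipt_*/xt_*), the /boot/config-$(uname -r) path and the function names are assumptions.

```shell
#!/bin/sh
# Pre-flight check for a ruleset that relies on iptables matches such as
# "state" and "limit": confirm the kernel exposes them before any rule is
# loaded, so the script aborts instead of installing half a policy. Added
# example; only /proc/net/ip_tables_matches and the CONFIG_ names come from
# the thread, the module names and config path are assumed.

# have_match NAME [FILE]: 0 if NAME is listed (one per line) in FILE,
# default /proc/net/ip_tables_matches; 1 otherwise.
have_match() {
    f=${2:-/proc/net/ip_tables_matches}
    [ -r "$f" ] && grep -qxF "$1" "$f"
}

# missing_matches FILE NAME...: print each NAME absent from FILE, one per
# line; return 1 if anything is missing, 0 if all are present.
missing_matches() {
    file=$1; shift
    rc=0
    for m in "$@"; do
        have_match "$m" "$file" || { echo "$m"; rc=1; }
    done
    return $rc
}

# kernel_config_has OPTION [FILE]: 0 if OPTION is =y or =m in the kernel
# config (FILE, default /boot/config-$(uname -r)); 1 if not; 2 if unreadable.
kernel_config_has() {
    cfg=${2:-/boot/config-$(uname -r)}
    [ -r "$cfg" ] || return 2
    grep -Eq "^$1=(y|m)\$" "$cfg"
}

# preflight NAME...: try to load a module for each missing match (ipt_NAME on
# 2.4/early-2.6 kernels, xt_NAME later; a failed modprobe is harmless), then
# fail if the kernel still lacks it. "state" also needs connection tracking.
preflight() {
    for m in "$@"; do
        have_match "$m" && continue
        modprobe "ipt_$m" 2>/dev/null || modprobe "xt_$m" 2>/dev/null || true
        have_match "$m" && continue
        echo "preflight: iptables match '$m' is not available" >&2
        if [ "$m" = state ] && ! kernel_config_has CONFIG_IP_NF_CONNTRACK; then
            echo "preflight: CONFIG_IP_NF_CONNTRACK unset or config unreadable" >&2
        fi
        return 1
    done
}

[ $# -eq 0 ] || preflight "$@"   # usage: sh preflight.sh state limit && sh rules.sh
```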

* Re: Iptables fails on -m state --state!
From: Marco @ 2005-02-18 21:47 UTC (permalink / raw)
  To: Jason Opperisano, Netfilter Mailing List

Jason Opperisano wrote:

>On Fri, Feb 18, 2005 at 09:16:21PM +0000, Marco wrote:
>
>>cat /proc/net/ip_tables_matches | grep state doesn't return anything but
>>the contents of ip_tables_matches are:
>>
>>tcp
>>udp
>>icmp
>
>it sounds an awful lot like you compiled your kernel without:
>
>  CONFIG_IP_NF_MATCH_STATE=y
>
>and you would obviously also need:
>
>  CONFIG_IP_NF_CONNTRACK=y
>
>in there as well...
>
>-j
>
>--
>"When will I learn? The answer to life's problems aren't at the bottom
> of a bottle, they're on TV!"
>         --The Simpsons
>
Of course I did, as I said in the previous post! But I think I'll try
with a different kernel version (maybe the vanilla sources for 2.6.10).
Thanks.

Marco Nicoloso
