Log Problem

Log Problem

[David Ashwood]

 Hi,
I’m having problems logging packets (IPTables: 1.2.8 Kernel: 2.4.8) with the
following rule (from the  FAQ):

iptables -N logdrop
iptables -A logdrop -j LOG
iptables -A logdrop -j DROP

On the log line I get:
iptables: No chain/target/match by that name

I’m a little lost – any pointers?

Regards,
David 

Log Problem

['Me']

 Hi,
I’m having problems logging packets (IPTables: 1.2.8 Kernel: 2.4.8) with the
following rule (from the  FAQ):

iptables -N logdrop
iptables -A logdrop -j LOG
iptables -A logdrop -j DROP

On the log line I get:
iptables: No chain/target/match by that name

I’m a little lost – any pointers?

Regards,
David 

Re: Log Problem

[Antony Stone]

On Monday 09 August 2004 5:40 pm, 'Me' wrote:

>  Hi,
> I’m having problems logging packets (IPTables: 1.2.8 Kernel: 2.4.8) with
> the following rule (from the  FAQ):
>
> iptables -N logdrop
> iptables -A logdrop -j LOG
> iptables -A logdrop -j DROP
>
> On the log line I get:
> iptables: No chain/target/match by that name
>
> I’m a little lost – any pointers?

It seems unlikely, but has your kernel been compiled without support for the 
LOG target (and by the way, why are you using a three year old kernel 
anyway?)?

Test one thing at a time:

1. Can you use the LOG target?
iptables -A INPUT -j LOG

2. Can you put a rule into a user-defined chain?
iptables -N logdrop
iptables -A logdrop -j DROP

If both the above tests work, then there is no reason you shouldn't be able to 
put a LOG target into your user-defined chain (so check very carefully the 
syntac of what you are typing when you get the error, etc).

If one of the above tests fails, you know where the problem is.

Just one last thing to check - you haven't compiled the userspace iptables 
tool without also recompiling the kernelspace netfilter part, have you?

If you do one of these, you should also do the other to match.

Regards,

Antony.

-- 
Microsoft may sell more software than any other company, but McDonald's sell 
more burgers than any other company, and I think the other similarities are 
obvious...

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Log Problem

[Eric Ellis]

Antony Stone wrote:

> On Monday 09 August 2004 5:40 pm, 'Me' wrote:
> 
> 
>> Hi,
>>I’m having problems logging packets (IPTables: 1.2.8 Kernel: 2.4.8) with
>>the following rule (from the  FAQ):
>>
>>iptables -N logdrop
>>iptables -A logdrop -j LOG
>>iptables -A logdrop -j DROP
>>
>>On the log line I get:
>>iptables: No chain/target/match by that name
>>
>>I’m a little lost – any pointers?
> 
> 
> It seems unlikely, but has your kernel been compiled without support for the 
> LOG target (and by the way, why are you using a three year old kernel 
> anyway?)?
> 
> Test one thing at a time:
> 
> 1. Can you use the LOG target?
> iptables -A INPUT -j LOG
> 
> 2. Can you put a rule into a user-defined chain?
> iptables -N logdrop
> iptables -A logdrop -j DROP
> 
> If both the above tests work, then there is no reason you shouldn't be able to 
> put a LOG target into your user-defined chain (so check very carefully the 
> syntac of what you are typing when you get the error, etc).
> 
> If one of the above tests fails, you know where the problem is.
> 
> Just one last thing to check - you haven't compiled the userspace iptables 
> tool without also recompiling the kernelspace netfilter part, have you?
> 
> If you do one of these, you should also do the other to match.
> 
> Regards,
> 
> Antony.
> 
IIRC, Debian ships with 2.4.8 on Current-Stable.  Could be wrong, tho.

-- 
Eric Ellis
Gilchrist County Sheriff's Department
IT Coordinator
eellis@mail.co.gilchrist.fl.us
352-463-3181

RE: Log Problem

[David Ashwood]

Thanks for responding Anthony,

1) Same problem as before ' iptables: No chain/target/match by that name'

2) User defined chains work - and I can put a drop rule without problems.

Kernel:
A new box just bought - I thought the kernel was old - but I had to demo a
product for a client - and wanted to get that done before I pester the VPS
hosts to upgrade the kernel.

I can see the libraries on the box for both logging and User Space Logging -
seeing if their being used is harder to establish.

I guess the kernel install didn't do a proper job of installing iptables.


David

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: Monday, August 09, 2004 6:59 PM
To: netfilter@lists.netfilter.org
Subject: Re: Log Problem

On Monday 09 August 2004 5:40 pm, 'Me' wrote:

>  Hi,
> I'm having problems logging packets (IPTables: 1.2.8 Kernel: 2.4.8) with
> the following rule (from the  FAQ):
>
> iptables -N logdrop
> iptables -A logdrop -j LOG
> iptables -A logdrop -j DROP
>
> On the log line I get:
> iptables: No chain/target/match by that name
>
> I'm a little lost - any pointers?

It seems unlikely, but has your kernel been compiled without support for the

LOG target (and by the way, why are you using a three year old kernel 
anyway?)?

Test one thing at a time:

1. Can you use the LOG target?
iptables -A INPUT -j LOG

2. Can you put a rule into a user-defined chain?
iptables -N logdrop
iptables -A logdrop -j DROP

If both the above tests work, then there is no reason you shouldn't be able
to 
put a LOG target into your user-defined chain (so check very carefully the 
syntac of what you are typing when you get the error, etc).

If one of the above tests fails, you know where the problem is.

Just one last thing to check - you haven't compiled the userspace iptables 
tool without also recompiling the kernelspace netfilter part, have you?

If you do one of these, you should also do the other to match.

Regards,

Antony.

-- 
Microsoft may sell more software than any other company, but McDonald's sell

more burgers than any other company, and I think the other similarities are 
obvious...

                                                     Please reply to the
list;
                                                           please don't CC
me.

Re: Log Problem

[Antony Stone]

On Monday 09 August 2004 6:05 pm, Eric Ellis wrote:

> Antony Stone wrote:
> >
> > It seems unlikely, but has your kernel been compiled without support for
> > the LOG target (and by the way, why are you using a three year old kernel
> > anyway?)?

> IIRC, Debian ships with 2.4.8 on Current-Stable.  Could be wrong, tho.

I thought that was 2.4.18 (which is still 2.5 years old...)

I recommend an upgrade.   Whether that is the kernel or the distro I leave up 
to you :)    (No, not a flame war, please!)

Regards,

Antony.

-- 
Never automate fully anything that does not have a manual override capability. 
Never design anything that cannot work under degraded conditions in emergency.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Log Problem

[Antony Stone]

On Monday 09 August 2004 6:11 pm, David Ashwood wrote:

> Thanks for responding Antony,
>
> 1) Same problem as before ' iptables: No chain/target/match by that name'
>
> 2) User defined chains work - and I can put a drop rule without problems.
>
> Kernel:
> A new box just bought - I thought the kernel was old - but I had to demo a
> product for a client - and wanted to get that done before I pester the VPS
> hosts to upgrade the kernel.

VPS?

My recommendation is a kernel recompile (without changing the version for 
now).   Should take about 15 minutes.

Once you've done the demo and have time to think about things, get a current 
kernel, do a "make oldconfig", and build something up-to-date.

Hope this helps,

Antony.

-- 
Late in 1972 President Richard Nixon announced that the rate of increase of 
inflation was decreasing.   This was the first time a sitting president used 
a third derivative to advance his case for re-election.

 - Hugo Rossi, Notices of the American Mathematical Society

                                                     Please reply to the list;
                                                           please don't CC me.

RE: Log Problem

[David Ashwood]

VPS
Virtual Private Server.

Kinda hard to upgrade  remote :)

I don't think it's something I can do remote! :)

David

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: Monday, August 09, 2004 7:37 PM
To: netfilter@lists.netfilter.org
Subject: Re: Log Problem

On Monday 09 August 2004 6:11 pm, David Ashwood wrote:

> Thanks for responding Antony,
>
> 1) Same problem as before ' iptables: No chain/target/match by that name'
>
> 2) User defined chains work - and I can put a drop rule without problems.
>
> Kernel:
> A new box just bought - I thought the kernel was old - but I had to demo a
> product for a client - and wanted to get that done before I pester the VPS
> hosts to upgrade the kernel.

VPS?

My recommendation is a kernel recompile (without changing the version for 
now).   Should take about 15 minutes.

Once you've done the demo and have time to think about things, get a current

kernel, do a "make oldconfig", and build something up-to-date.

Hope this helps,

Antony.

-- 
Late in 1972 President Richard Nixon announced that the rate of increase of 
inflation was decreasing.   This was the first time a sitting president used

a third derivative to advance his case for re-election.

 - Hugo Rossi, Notices of the American Mathematical Society

                                                     Please reply to the
list;
                                                           please don't CC
me.