* IPTables - Going Stateless
@ 2013-05-21 15:07 Nick Khamis
[not found] ` <201305211133.03830.neal.p.murphy@alum.wpi.edu>
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Nick Khamis @ 2013-05-21 15:07 UTC (permalink / raw)
To: netfilter
Hello Everyone,
We recently moved our stateful firewall inside, and would like to
strip down the firewall at our router connected to the outside world.
The problem I am experiencing is getting things to work properly
without connection tracking. I hope I am not in breach of mailing list
rules; however, a stripped-down configuration is as follows:
#!/bin/bash
IPTABLES='/sbin/iptables'
#Set interface values
INTIF1='eth0'
#flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
#echo -e " - Accepting input lo traffic"
$IPTABLES -A INPUT -i lo -j ACCEPT
#echo -e " - Accepting output lo traffic"
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#echo -e " - Defined Chains"
$IPTABLES -N TCP
$IPTABLES -N UDP
#echo -e " - Accepting SSH Traffic"
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
#echo -e " - Accepting input TCP and UDP traffic to open ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
#echo -e " - Accepting output TCP and UDP traffic to open ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
#echo -e " - Dropping input TCP and UDP traffic to closed ports"
# $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
#echo -e " - Dropping output TCP and UDP traffic to closed ports"
# $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
#echo -e " - Dropping input traffic to remaining protocols sent to closed ports"
# $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
#echo -e " - Dropping output traffic to remaining protocols sent to closed ports"
# $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
Everything works fine with the REJECT rules commented out, but when
included SSH access is blocked out. Not sure why, isn't the sequence
correct (i.e., the ACCEPT entries before the DROP and REJECT)?
Also, any pointers or heads up when going stateless would be greatly
appreciated.
Kind Regards,
Nick
* Re: IPTables - Going Stateless
[not found] ` <201305211133.03830.neal.p.murphy@alum.wpi.edu>
@ 2013-05-21 16:11 ` Nick Khamis
0 siblings, 0 replies; 8+ messages in thread
From: Nick Khamis @ 2013-05-21 16:11 UTC (permalink / raw)
To: netfilter
Hello Neal, thank you so much for your response. For testing purposes
I changed the SSH rule to:
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
And still no go. As mentioned before, everything works fine until I
try to close up the rest of the ports not opened up in the chains
"UDP" and "TCP" stated above:
#echo -e " - Dropping input TCP and UDP traffic to closed ports"
-A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
#echo -e " - Dropping output TCP and UDP traffic to closed ports"
-A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
#echo -e " - Dropping input traffic to remaining protocols sent to closed ports"
-A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
#echo -e " - Dropping output traffic to remaining protocols sent to closed ports"
-A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
That is when I cannot SSH over to the server.
N.
* Re: IPTables - Going Stateless
2013-05-21 15:07 IPTables - Going Stateless Nick Khamis
[not found] ` <201305211133.03830.neal.p.murphy@alum.wpi.edu>
@ 2013-05-22 5:52 ` Michal Kubeček
2013-05-22 7:24 ` Paulsberg André
2 siblings, 0 replies; 8+ messages in thread
From: Michal Kubeček @ 2013-05-22 5:52 UTC (permalink / raw)
To: netfilter; +Cc: Nick Khamis
On Tuesday 21 of May 2013 11:07EN, Nick Khamis wrote:
> #echo -e " - Accepting SSH Traffic"
> $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
> $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
>
> #echo -e " - Accepting input TCP and UDP traffic to open ports"
> $IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
>
> #echo -e " - Accepting output TCP and UDP traffic to open ports"
> $IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
>
> #echo -e " - Dropping input TCP and UDP traffic to closed ports"
> # $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with
> icmp-port-unreachable
>
> #echo -e " - Dropping output TCP and UDP traffic to closed ports"
> # $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with
> icmp-port-unreachable
>
> Everything works fine with the REJECT rules commented out, but when
> included SSH access is blocked out. Not sure why, isn't the sequence
> correct (i.e., the ACCEPT entries before the DROP and REJECT)?
You send only syn packets into TCP chain so if these are all rules you
have, every other TCP packet is rejected (both in INPUT and OUTPUT).
Michal Kubeček
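Michal's point, worked through as an added example that is not part of the thread: without conntrack, every segment of the SSH session has to match a rule, so the jump into the TCP chain must cover all TCP packets and the reply direction needs its own rule. The function names "stateless_ssh_rules" and "check_no_syn_only_jump", the LAN and SERVER values, and the default of IPTABLES=echo (print the rules instead of installing them) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Stateless SSH rules for a host
# SERVER on LAN, in dry-run form: with IPTABLES=echo the rules are printed,
# with IPTABLES=/sbin/iptables they are installed.
IPTABLES="${IPTABLES:-echo}"
INTIF1="${INTIF1:-eth0}"
LAN="${LAN:-192.168.2.0/24}"        # constructed sample network
SERVER="${SERVER:-192.168.2.5}"     # constructed sample host

# Emit the TCP chain and the jumps into it. Without connection tracking the
# chain must see every packet of the flow, not just the SYN that opens it.
stateless_ssh_rules() {
    $IPTABLES -N TCP
    # Inbound: any segment from the LAN to port 22 (the SYN and the rest of
    # the session alike).
    $IPTABLES -A TCP -p tcp -s "$LAN" -d "$SERVER" --dport 22 -j ACCEPT
    # Outbound replies: segments leaving from port 22 towards the LAN.
    # "! --syn" means the server can answer but never open a connection from
    # source port 22, which is the usual gap in source-port based stateless rules.
    $IPTABLES -A TCP -p tcp -s "$SERVER" --sport 22 -d "$LAN" ! --syn -j ACCEPT
    $IPTABLES -A TCP -p tcp -d "$SERVER" --dport 22 -j DROP
    # Jump ALL TCP packets into the chain; a "--syn" here is what broke SSH
    # in the original post, because only the handshake ever reached the chain.
    $IPTABLES -A INPUT  -i "$INTIF1" -p tcp -j TCP
    $IPTABLES -A OUTPUT -o "$INTIF1" -p tcp -j TCP
}

# Sanity check over a rendered rule list (one rule per line): the jump into
# the TCP chain must not be restricted to SYN packets. Returns 0 when clean.
check_no_syn_only_jump() {
    ! printf '%s\n' "$1" | grep -Eq -- '-j TCP.*--syn|--syn.*-j TCP'
}
```

Run it as IPTABLES=echo sh script.sh to review the rule list, then feed the output to check_no_syn_only_jump before switching IPTABLES to the real binary; the same check catches the "--syn -j TCP" pattern from the first post.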
* RE: IPTables - Going Stateless
2013-05-21 15:07 IPTables - Going Stateless Nick Khamis
[not found] ` <201305211133.03830.neal.p.murphy@alum.wpi.edu>
2013-05-22 5:52 ` Michal Kubeček
@ 2013-05-22 7:24 ` Paulsberg André
2013-05-22 12:31 ` Nick Khamis
2 siblings, 1 reply; 8+ messages in thread
From: Paulsberg André @ 2013-05-22 7:24 UTC (permalink / raw)
To: netfilter@vger.kernel.org
Hello,
Could you not turn on a logging statement before the REJECTs? Then you might see in the log what is being blocked:
-A INPUT -i $INTIF1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "FW-DROP-TCP " --log-tcp-options --log-ip-options
-A INPUT -i $INTIF1 -p udp -m udp -j LOG --log-prefix "FW-DROP-UDP " --log-tcp-options --log-ip-options
-A INPUT -i $INTIF1 -p icmp -j LOG --log-prefix "FW-DROP-ICMP " --log-tcp-options --log-ip-options
-A OUTPUT -o $INTIF1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "FW-DROP-TCP " --log-tcp-options --log-ip-options
-A OUTPUT -o $INTIF1 -p udp -m udp -j LOG --log-prefix "FW-DROP-UDP " --log-tcp-options --log-ip-options
-A OUTPUT -o $INTIF1 -p icmp -j LOG --log-prefix "FW-DROP-ICMP " --log-tcp-options --log-ip-options
I would also check if some outgoing traffic is blocked, like return packets from "--sport 22",
since they might come from "-i INTIF1" and not "-I LO".
Might also be your SSH server needs dns / auth(ident) / icmp to work - but I guess logging will spot the trouble.
Best regards
André Paulsberg
Senior Network Engineer
Core Network
Operation, Network, Nordic Operations
andre.paulsberg@evry.com
M +47 xxx yyyyy
* Re: IPTables - Going Stateless
2013-05-22 7:24 ` Paulsberg André
@ 2013-05-22 12:31 ` Nick Khamis
2013-05-22 12:40 ` Nick Khamis
0 siblings, 1 reply; 8+ messages in thread
From: Nick Khamis @ 2013-05-22 12:31 UTC (permalink / raw)
To: Paulsberg André; +Cc: netfilter@vger.kernel.org
Hello Everyone,
Thank you so much for your help. We have migrated to bare stateless
with modest performance gain to our front router (2 full BGP links).
At first glance we see a minimum of 3% of leaked bandwidth getting put
back into use. For us that means 3000 kilobytes per link. This is
during below-average traffic hours; I suspect more during peak.
Since I took bits and pieces from the different posts, I only find it
fair to post snippets of the config file that might help some future
poor souls. Nothing interesting for a lot of you here:
IPTABLES='/sbin/iptables'
#Set interface values
INTIF1='eth0'
# Set Log Limit
LOGLIMIT="2/s"
LOGLIMITBURST="10"
#flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
#echo -e " - Dropping Forward Requests"
$IPTABLES -P FORWARD DROP
#echo -e " - Dropping Input Requests"
$IPTABLES -P INPUT ACCEPT
#echo -e " - Dropping output requests"
$IPTABLES -P OUTPUT ACCEPT
#echo -e " - Accepting input lo traffic"
$IPTABLES -A INPUT -i lo -j ACCEPT
#echo -e " - Accepting output lo traffic"
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#echo -e " - Defined Chains"
$IPTABLES -N ICMP
$IPTABLES -N TCP
$IPTABLES -N UDP
$IPTABLES -N LOGINPUT
$IPTABLES -N LOGOUTPUT
#echo -e " - Accepting incoming ICMP pings"
$IPTABLES -A ICMP -p icmp -m icmp -s 10.10.1.0/24 -d 10.10.1.10 --icmp-type 8 -j ACCEPT
$IPTABLES -A ICMP -p icmp -m icmp -s 10.10.1.10 --icmp-type 0 -j ACCEPT
#echo -e " - Accepting outgoing ICMP pings"
$IPTABLES -A ICMP -p icmp -m icmp -s 10.10.1.10 -d 10.10.1.0/24 --icmp-type 8 -j ACCEPT
$IPTABLES -A ICMP -p icmp -m icmp -s 10.10.1.0/24 --icmp-type 0 -j ACCEPT
#echo -e " - Accepting incoming SSH Traffic"
$IPTABLES -A TCP -p tcp -m tcp -s 10.10.1.0/24 -d 10.10.1.10 --dport 22 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 10.10.1.10 --dport 22 -j DROP
#echo -e " - Accepting outgoing SSH Traffic"
$IPTABLES -A TCP -p tcp -m tcp -s 10.10.1.10 --sport 22 -d 10.10.1.0/24 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 10.10.1.10 --sport 22 -d 0.0.0.0/0 -j DROP
#echo -e " - Accepting input ICMP, TCP, and UDP traffic to open ports"
$IPTABLES -A INPUT -i $INTIF1 -p icmp -j ICMP
$IPTABLES -A INPUT -i $INTIF1 -p tcp -j TCP
$IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
#echo -e " - Accepting output ICMP, TCP, and UDP traffic to open ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p icmp -j ICMP
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j TCP
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
#echo -e " - Logging Dropped Input Traffic"
$IPTABLES -A LOGINPUT -i $INTIF1 -p icmp -j LOG --log-prefix "ICMP LOGINPUTDROP: " --log-tcp-options --log-ip-options
$IPTABLES -A LOGINPUT -i $INTIF1 -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "TCP LOGINPUTDROP: " --log-tcp-options --log-ip-options
$IPTABLES -A LOGINPUT -i $INTIF1 -p udp -j LOG --log-prefix "UDP LOGINPUTDROP: " --log-tcp-options --log-ip-options
$IPTABLES -A LOGINPUT -i $INTIF1 -f -j LOG --log-prefix "FRAGMENT LOGINPUTDROP: " --log-tcp-options --log-ip-options
$IPTABLES -A LOGINPUT -j DROP
$IPTABLES -A INPUT -p icmp -i $INTIF1 -j LOGINPUT
$IPTABLES -A INPUT -p tcp -i $INTIF1 -j LOGINPUT
$IPTABLES -A INPUT -p udp -i $INTIF1 -j LOGINPUT
#echo -e " - Logging Dropped Output Traffic"
$IPTABLES -A LOGOUTPUT -o $INTIF1 -p icmp -j LOG --log-prefix "ICMP LOGOUTPUTDROP: " --log-tcp-options --log-ip-options
$IPTABLES -A LOGOUTPUT -o $INTIF1 -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "TCP LOGOUTPUTDROP: " --log-tcp-options --log-ip-options
$IPTABLES -A LOGOUTPUT -o $INTIF1 -p udp -j LOG --log-prefix "UDP LOGOUTPUTDROP: " --log-tcp-options --log-ip-options
$IPTABLES -A LOGOUTPUT -o $INTIF1 -f -j LOG --log-prefix "FRAGMENT LOGOUTPUTDROP: " --log-tcp-options --log-ip-options
$IPTABLES -A LOGOUTPUT -j DROP
$IPTABLES -A OUTPUT -p icmp -o $INTIF1 -j LOGOUTPUT
$IPTABLES -A OUTPUT -p tcp -o $INTIF1 -j LOGOUTPUT
$IPTABLES -A OUTPUT -p udp -o $INTIF1 -j LOGOUTPUT
#echo -e " - Rejecting input TCP and UDP traffic to closed ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
$IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
#echo -e " - Rejecting output TCP and UDP traffic to closed ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
#echo -e " - Rejecting input traffic to remaining protocols sent to closed ports"
$IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
#echo -e " - Rejecting output traffic to remaining protocols sent to closed ports"
$IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
Moving forward I am looking to add some DDOS measures in place,
starting with logs. I will post my problem in a separate email.
Kind Regards,
Nick.
* Re: IPTables - Going Stateless
2013-05-22 12:31 ` Nick Khamis
@ 2013-05-22 12:40 ` Nick Khamis
2013-05-25 13:35 ` Pascal Hambourg
0 siblings, 1 reply; 8+ messages in thread
From: Nick Khamis @ 2013-05-22 12:40 UTC (permalink / raw)
To: Paulsberg André; +Cc: netfilter@vger.kernel.org
Moving forward I would like to put some measures in place to thwart
some DOS attacks at bay. The obvious place to start is with the
logs. No need to log everything that gets dropped, the first 3-5
packets should be fine. I tried adding the following to the config:
# Set Log Limit
LOGLIMIT="2/s"
LOGLIMITBURST="10"
$IPTABLES -A LOGINPUT -i $INTIF1 -p icmp -j LOG --log-prefix "ICMP LOGINPUTDROP: " --log-tcp-options --log-ip-options -m limit --limit $LOGLIMIT
I am getting the following error: iptables: No chain/target/match by that name
And it's due to the "limit" flag.
lsmod
Module                  Size  Used by
xt_LOG                  6531  7
ipt_REJECT              1917  6
iptable_filter           988  1
ip_tables               8370  1 iptable_filter
e100                   28046  0
uname -r
3.5.7-gentoo
Kind Regards,
Nick.
* Re: IPTables - Going Stateless
2013-05-22 12:40 ` Nick Khamis
@ 2013-05-25 13:35 ` Pascal Hambourg
2013-05-25 20:14 ` Nick Khamis
0 siblings, 1 reply; 8+ messages in thread
From: Pascal Hambourg @ 2013-05-25 13:35 UTC (permalink / raw)
To: Nick Khamis; +Cc: netfilter@vger.kernel.org
Nick Khamis wrote:
>
> # Set Log Limit
> LOGLIMIT="2/s"
> LOGLIMITBURST="10"
>
> $IPTABLES -A LOGINPUT -i $INTIF1 -p icmp -j LOG --log-prefix "ICMP
> LOGINPUTDROP: " --log-tcp-options --log-ip-options -m limit --limit
> $LOGLIMIT
>
> I am getting the following error: iptables: No chain/target/match by that name
> And it's due to the "limit" flag.
>
> lsmod
> Module Size Used by
> xt_LOG 6531 7
> ipt_REJECT 1917 6
> iptable_filter 988 1
> ip_tables 8370 1 iptable_filter
> e100 28046 0
Looks like the "limit" match is not enabled in your kernel. Check
CONFIG_NETFILTER_XT_MATCH_LIMIT in your kernel config file.
* Re: IPTables - Going Stateless
2013-05-25 13:35 ` Pascal Hambourg
@ 2013-05-25 20:14 ` Nick Khamis
0 siblings, 0 replies; 8+ messages in thread
From: Nick Khamis @ 2013-05-25 20:14 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter@vger.kernel.org
Thank you so much Pascal!!! It took me a while to find it, but for
future googlers:
"limit" match support = CONFIG_NETFILTER_XT_MATCH_LIMIT
Make sure limit match support is included as a module.
Kind Regards,
Nick
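Pascal's diagnosis and Nick's follow-up, as an added example that is not part of the thread: a pre-flight check that reads the kernel config for CONFIG_NETFILTER_XT_MATCH_LIMIT before a rate-limited LOG rule is installed, and the rule itself carrying both --limit and --limit-burst from the LOGLIMIT and LOGLIMITBURST values Nick defined. The function names, the sample config text and the default of IPTABLES=echo (print instead of install) are assumptions made for this example; only LOGLIMIT, LOGLIMITBURST, INTIF1 and the LOGINPUT chain come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks that the "limit" match is
# built before installing a rate-limited LOG rule, so the rule does not fail
# with "No chain/target/match by that name" on a kernel without xt_limit.
IPTABLES="${IPTABLES:-echo}"
INTIF1="${INTIF1:-eth0}"
LOGLIMIT="${LOGLIMIT:-2/s}"
LOGLIMITBURST="${LOGLIMITBURST:-10}"

# kconfig_option_state NAME CONFIGTEXT -> prints y (built in), m (module)
# or n (not set / absent). Lines of the form "# NAME is not set" give n.
kconfig_option_state() {
    name="$1"
    text="$2"
    case "$(printf '%s\n' "$text" | grep -E "^$name=" | head -n 1)" in
        "$name=y") echo y ;;
        "$name=m") echo m ;;
        *)         echo n ;;
    esac
}

# Config of the running kernel from the usual locations (empty if neither exists).
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# preflight_limit CONFIGTEXT -> 0 when the limit match is available, 1 otherwise.
preflight_limit() {
    case "$(kconfig_option_state CONFIG_NETFILTER_XT_MATCH_LIMIT "$1")" in
        y|m) return 0 ;;
        *)   echo "limit match not built: enable CONFIG_NETFILTER_XT_MATCH_LIMIT" >&2
             return 1 ;;
    esac
}

# The rate-limited log rule: the first LOGLIMITBURST matching packets are
# logged immediately, after that at most LOGLIMIT. The match is placed before
# the target so the rule reads in iptables' own match-then-target order.
limited_log_rule() {
    $IPTABLES -A LOGINPUT -i "$INTIF1" -p icmp -m limit --limit "$LOGLIMIT" \
        --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "ICMP LOGINPUTDROP: " \
        --log-ip-options
}

# Constructed sample of what /proc/config.gz holds on a kernel like Nick's,
# where the limit match was left out. Used here instead of the real file.
SAMPLE_CONFIG='CONFIG_NETFILTER_XT_TARGET_LOG=m
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
CONFIG_NETFILTER_XT_MATCH_STATE=y'
```

Typical use on the router is "preflight_limit "$(running_kernel_config)" && limited_log_rule" with IPTABLES pointed at the real binary; on a modular kernel the match lives in xt_limit, which iptables loads on first use, so a failing preflight means a kernel rebuild rather than a modprobe.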
Thread overview: 8+ messages
2013-05-21 15:07 IPTables - Going Stateless Nick Khamis
[not found] ` <201305211133.03830.neal.p.murphy@alum.wpi.edu>
2013-05-21 16:11 ` Nick Khamis
2013-05-22 5:52 ` Michal Kubeček
2013-05-22 7:24 ` Paulsberg André
2013-05-22 12:31 ` Nick Khamis
2013-05-22 12:40 ` Nick Khamis
2013-05-25 13:35 ` Pascal Hambourg
2013-05-25 20:14 ` Nick Khamis