* The "badguy" example in the man page not working (--> "iptables: No chain/target/match by that name")
From: Adem @ 2008-11-14 15:22 UTC
To: netfilter

The following example from the man page doesn't work on my box:

iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP

It says: "iptables: No chain/target/match by that name"

What could be the reason?

My ifconfig:

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:382878 errors:0 dropped:0 overruns:0 frame:0
          TX packets:382868 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3307823766 (3.0 GiB)  TX bytes:78410937 (74.7 MiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:109018 errors:0 dropped:0 overruns:0 frame:0
          TX packets:101974 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:49437708 (47.1 MiB)  TX bytes:49733010 (47.4 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:87.x.x.x  P-t-P:87.x.x.x  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

* Re: The "badguy" example in the man page not working (--> "iptables: No chain/target/match by that name")
From: Matt Zagrabelny @ 2008-11-14 16:00 UTC
To: Adem; +Cc: netfilter

On Fri, 2008-11-14 at 16:22 +0100, Adem wrote:
> The following example from the man page doesn't work on my box:
>
> iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
> iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP

I see 'eth0' in your rule, but below there is no eth0.

> It says: "iptables: No chain/target/match by that name"
>
> What could be the reason?
>
> My ifconfig:
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:382878 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:382868 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:3307823766 (3.0 GiB)  TX bytes:78410937 (74.7 MiB)
>
> venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
>           UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
>           RX packets:109018 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:101974 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:49437708 (47.1 MiB)  TX bytes:49733010 (47.4 MiB)
>
> venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:87.x.x.x  P-t-P:87.x.x.x  Bcast:0.0.0.0  Mask:255.255.255.255
>           UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

--
Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot lose.
-Jim Elliot

* Re: The "badguy" example in the man page not working (-->"iptables: No chain/target/match by that name")
From: Adem @ 2008-11-14 17:48 UTC
To: netfilter

"Matt Zagrabelny" wrote:
> On Fri, 2008-11-14 at 16:22 +0100, Adem wrote:
> > The following example from the man page doesn't work on my box:
> >
> > iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
> > iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
>
> I see 'eth0' in your rule, but below there is no eth0.

Oops. that was just a cut&paste error, I actually had changed it,
tried everything, but w/o success.
Any other ideas what it might be?

BTW, it is a virtual private server (VPS) box, there is nothing under /boot.

Here the version info:

# uname -r
2.6.9-023stab048.4-smp

# iptables --version
iptables v1.3.6

And here the other rules iptables has accepted:

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP       0    --  anywhere             anywhere            state INVALID
ACCEPT     0    --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8443
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8880
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssmtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
DROP       tcp  --  anywhere             anywhere            tcp dpt:poppassd
DROP       tcp  --  anywhere             anywhere            tcp dpt:mysql
DROP       tcp  --  anywhere             anywhere            tcp dpt:postgresql
DROP       tcp  --  anywhere             anywhere            tcp dpt:9008
DROP       tcp  --  anywhere             anywhere            tcp dpt:9080
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-ns
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-dgm
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:openvpn
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     icmp --  anywhere             anywhere            icmp type 8 code 0
DROP       0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP       0    --  anywhere             anywhere            state INVALID
ACCEPT     0    --  anywhere             anywhere
DROP       0    --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP       0    --  anywhere             anywhere            state INVALID
ACCEPT     0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere

* Re: The "badguy" example in the man page not working (-->"iptables: No chain/target/match by that name")
From: Matt Zagrabelny @ 2008-11-14 20:15 UTC
To: Adem; +Cc: netfilter

On Fri, 2008-11-14 at 18:48 +0100, Adem wrote:
> "Matt Zagrabelny" wrote:
> > On Fri, 2008-11-14 at 16:22 +0100, Adem wrote:
> > > The following example from the man page doesn't work on my box:
> > >
> > > iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
> > > iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
> >
> > I see 'eth0' in your rule, but below there is no eth0.
>
> Oops. that was just a cut&paste error, I actually had changed it,
> tried everything, but w/o success.
> Any other ideas what it might be?
>
> BTW, it is a virtual private server (VPS) box, there is nothing under /boot.
>
> Here the version info:
>
> # uname -r
> 2.6.9-023stab048.4-smp
>
> # iptables --version
> iptables v1.3.6

What GNU/Linux distro are you running?

I am running Debian Sid and here are my versions:

2.6.26-1-686
iptables v1.4.1.1

Here are the iptables rules that I have:

# if anybody from the list BADGUYS (and in the last 10 minutes) tries to do anything, drop them
iptables -A INPUT --match recent --name BADGUYS --rcheck --seconds 600 -j DROP

# if anybody tries to connect to tcp:139 (windows filesharing), then add them to the BADGUYS list and drop them
iptables -A INPUT -p tcp -i eth0 --dport 21 --match recent --name BADGUYS --set -j DROP
iptables -A INPUT -p udp -i eth0 --dport 21 --match recent --name BADGUYS --set -j DROP
iptables -A INPUT -p tcp -i eth0 --dport 139 --match recent --name BADGUYS --set -j DROP
iptables -A INPUT -p tcp -i eth0 --dport 445 --match recent --name BADGUYS --set -j DROP

Looks pretty similar to yours.

* Re: The "badguy" example in the man page not working (-->"iptables: No chain/target/match by that name")
From: Matt Zagrabelny @ 2008-11-14 20:21 UTC
To: Adem; +Cc: netfilter

On Fri, 2008-11-14 at 14:15 -0600, Matt Zagrabelny wrote:
> On Fri, 2008-11-14 at 18:48 +0100, Adem wrote:
> > "Matt Zagrabelny" wrote:
> > > On Fri, 2008-11-14 at 16:22 +0100, Adem wrote:
> > > > The following example from the man page doesn't work on my box:
> > > >
> > > > iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
> > > > iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
> > >
> > > I see 'eth0' in your rule, but below there is no eth0.
> >
> > Oops. that was just a cut&paste error, I actually had changed it,
> > tried everything, but w/o success.
> > Any other ideas what it might be?
> >
> > BTW, it is a virtual private server (VPS) box, there is nothing under /boot.
> >
> > Here the version info:
> >
> > # uname -r
> > 2.6.9-023stab048.4-smp
> >
> > # iptables --version
> > iptables v1.3.6
>
> What GNU/Linux distro are you running?
>
> I am running Debian Sid and here are my versions:
>
> 2.6.26-1-686
> iptables v1.4.1.1

Also you could check to see if you have the module:

% lsmod | grep recent

and

% modinfo ipt_recent

* Re: The "badguy" example in the man page not working(-->"iptables: No chain/target/match by that name")
From: Adem @ 2008-11-16 23:28 UTC
To: netfilter

> > > iptables v1.3.6
> > > What GNU/Linux distro are you running?

Debian 5 (Lenny) i386

> I am running Debian Sid and here are my versions:
>
> 2.6.26-1-686
> iptables v1.4.1.1
>
> Also you could check to see if you have the module:
>
> % lsmod | grep recent
>
> and
>
> % modinfo ipt_recent

The following command shows that the "ipt_recent" module is missing in my VPS.
Unfortunately it seems it can only be enabled by the hosting provider:

# cat /proc/net/ip_tables_matches
length
ttl
tcpmss
tos
multiport
limit
state
tcp
udp
icmp
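
The check the thread ends on, comparing what a rule set needs against the kernel's match list before loading it, as an added example that is not part of the original posts. The function names and the temporary sample files are assumptions; the sample input is constructed from the two rules and the `/proc/net/ip_tables_matches` output quoted above.

```shell
#!/bin/sh
# Added example: report iptables matches that a rule file needs but the kernel
# does not list (the cause of "No chain/target/match by that name" here).

# required_matches FILE: names given to -m/--match, plus the protocol match
# that iptables loads implicitly when --dport/--sport is used with -p.
required_matches() {
    awk '/^[ \t]*#/ { next }
    {
        proto = ""; ports = 0
        for (i = 1; i <= NF; i++) {
            if (($i == "-m" || $i == "--match") && i < NF) print $(i + 1)
            if (($i == "-p" || $i == "--protocol") && i < NF) proto = $(i + 1)
            if ($i == "--dport" || $i == "--sport") ports = 1
        }
        if (ports && proto != "") print proto
    }' "$1" | sort -u
}

# missing_matches RULES [AVAILABLE]: print each required match absent from
# AVAILABLE (default: the proc file checked in the thread). No output = all present.
missing_matches() {
    avail=${2:-/proc/net/ip_tables_matches}
    for m in $(required_matches "$1"); do
        # Accept names one per line or space-separated on one line.
        tr -s ' \t' '\n\n' < "$avail" | grep -qxF -e "$m" || echo "$m"
    done
}

# Constructed sample input: the two rules and the match list quoted in the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/rules" <<'EOF'
iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
EOF
echo "length ttl tcpmss tos multiport limit state tcp udp icmp" > "$tmp/matches"

missing_matches "$tmp/rules" "$tmp/matches"
```

A non-empty result means the match has to be provided by the running kernel, which on a VPS like the one in the thread is under the hosting provider's control rather than the guest's.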