Hi, I've been receiving the following error for weeks or months now:

iptables: No chain/target/match by that name.

I know this is a common thing and that it usually means that something
is missing from your kernel config. I'm a Gentoo user and I'm well
accustomed to kernel config, and have read the docs explaining which
settings are needed. I *think* it's all in there.

This is just a simple f/w setup running on a single machine with a
single network i/f active at a time.

Bottom line: I have no idea whether this is really causing a problem or
not. Firewall seems to be working, but I worry that it's really not, and
I'm vulnerable. In typical intelligent human fashion, I've waited months
to get around to seriously addressing it :-\

Without further ado, here's the evidence I offer. Note that the error
comes at the beginning of the startup process, right after "Loading
modules..." This is how it's been each time I've checked.
Thanks in advance for the help.
Dave
Shorewall version: 4.5.11.2
==== Output of ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: wlp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state
DOWN qlen 1000
link/ether 00:1d:e0:8c:2a:e3 brd ff:ff:ff:ff:ff:ff
3: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:1d:72:8c:87:29 brd ff:ff:ff:ff:ff:ff
inet 192.168.200.78/24 brd 255.255.255.255 scope global enp0s25
==== Output of ip route show
default via 192.168.200.1 dev enp0s25 metric 203
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.200.0/24 dev enp0s25 proto kernel scope link src
192.168.200.78 metric 203
==== Output of shorewall debug -vvvv restart
Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
iptables: No chain/target/match by that name. <===HERE!
Shorewall has detected the following capabilities:
ACCOUNT Target: Not Available
AUDIT Target: Not Available
Address Type Match: Available
Amanda Helper: Not Available
Basic Filter: Available
CLASSIFY Target: Not Available
CONNMARK Target: Not Available
CT Target: Not Available
Capability Version: 4.5.9
Checksum Target: Not Available
Comments: Not Available
Condition Match: Not Available
Connection Tracking Match: Available
Connlimit Match: Not Available
Connmark Match: Not Available
DSCP Match: Not Available
DSCP Target: Not Available
Extended CONNMARK Target: Not Available
Extended Connection Tracking Match: Available
Extended Connmark Match: Not Available
Extended Mark Target: Not Available
Extended Mark Target 2: Not Available
Extended Multi-port Match: Available
Extended Reject: Available
FTP Helper: Not Available
FTP-0 Helper: Not Available
Flow Classifier: Available
GeoIP Match: Not Available
Goto Support: Available
H323 Helpers: Not Available
Hashlimit Match: Not Available
Header Match: Not Available
Helper Match: Not Available
IMQ Target: Not Available
IP Range Match: Not Available
IPMARK Target: Not Available
IPP2P Match: Not Available
IRC Helper: Not Available
IRC-0 Helper: Not Available
Ipset Match: Not Available
Kernel Version: 3.7.10
LOG Target: Available
LOGMARK Target: Not Available
Log Options: Available
MARK Target: Not Available
Mangle FORWARD Chain: Not Available
Mark in any table: Available
Multi-port Match: Available
NAT: Not Available
NFAcct Match: Not Available
NFLOG Target: Not Available
NFQUEUE Target: Not Available
Netbios-ns Helper: Not Available
Old Hash Limit Match: Not Available
Old IPP2P Match Syntax: Not Available
Old Ipset Match: Not Available
Old conntrack match syntax: Not Available
Owner Match: Not Available
Owner Name Match: Not Available
PPTP Helper: Not Available
Packet Mangling: Not Available
Packet Type Match: Available
Packet length Match: Not Available
Persistent SNAT: Not Available
Physdev Match: Not Available
Physdev-is-bridged support: Not Available
Policy Match: Not Available
RPFilter Match: Not Available
Raw Table: Not Available
Rawpost Table: Not Available
Realm Match: Not Available
Recent Match: Not Available
Repeat match: Available
SANE Helper: Not Available
SANE-0 Helper: Not Available
SIP Helper: Not Available
SIP-0 Helper: Not Available
SNMP Helper: Not Available
Statistics Match: Not Available
TCPMSS Match: Not Available
TFTP Helper: Not Available
TFTP-0 Helper: Not Available
TPROXY Target: Not Available
Time Match: Not Available
ULOG Target: Not Available
Version 5 ipsets: Not Available
fwmark route mask: Available
iptables -S: Available
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Interface "net enp0s25 dhcp" Validated
Interface "net wlp3s0 dhcp" Validated
Determining Hosts in Zones...
fw (firewall)
net (ipv4)
enp0s25:0.0.0.0/0
wlp3s0:0.0.0.0/0
Locating Action Files...
Compiling /usr/share/shorewall/action.Drop for chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "PARAM - - tcp 113" Compiled
..End Macro /usr/share/shorewall/macro.Auth
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "PARAM - - icmp fragmentation-needed" Compiled
Rule "PARAM - - icmp time-exceeded" Compiled
..End Macro /usr/share/shorewall/macro.AllowICMPs
Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "PARAM - - udp 135,445" Compiled
Rule " PARAM - - udp 137:139" Compiled
Rule "PARAM - - udp 1024: 137" Compiled
Rule "PARAM - - tcp 135,139,445" Compiled
..End Macro /usr/share/shorewall/macro.SMB
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "PARAM - - udp 1900" Compiled
..End Macro /usr/share/shorewall/macro.DropUPnP
Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "PARAM - - udp - 53" Compiled
..End Macro /usr/share/shorewall/macro.DropDNSrep
Compiling /usr/share/shorewall/action.Reject for chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "PARAM - - tcp 113" Compiled
..End Macro /usr/share/shorewall/macro.Auth
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "PARAM - - icmp fragmentation-needed" Compiled
Rule "PARAM - - icmp time-exceeded" Compiled
..End Macro /usr/share/shorewall/macro.AllowICMPs
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "PARAM - - udp 135,445" Compiled
Rule " PARAM - - udp 137:139" Compiled
Rule "PARAM - - udp 1024: 137" Compiled
Rule "PARAM - - tcp 135,139,445" Compiled
..End Macro /usr/share/shorewall/macro.SMB
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "PARAM - - udp 1900" Compiled
..End Macro /usr/share/shorewall/macro.DropUPnP
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "PARAM - - udp - 53" Compiled
..End Macro /usr/share/shorewall/macro.DropDNSrep
Compiling /etc/shorewall/policy...
Policy for fw to net is ACCEPT using chain fw2net
Policy for net to fw is DROP using chain net2all
Policy for fw to net is REJECT using chain all2all
Policy for net to fw is REJECT using chain all2all
Running /etc/shorewall/initdone...
Adding rules for DHCP
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling MAC Filtration -- Phase 1...
Chain enp0s25_iop deleted
Chain enp0s25_fop deleted
Chain enp0s25_oop deleted
Chain wlp3s0_iop deleted
Chain wlp3s0_fop deleted
Chain wlp3s0_oop deleted
Compiling /etc/shorewall/rules...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Policy ACCEPT from fw to net using chain fw2net
Policy DROP from net to fw using chain net2fw
Generating Rule Matrix...
Handling complex zones...
Entering main matrix-generation loop...
Chain enp0s25_out deleted
Chain wlp3s0_out deleted
Finishing matrix...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Restarting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Disabling Kernel Automatic Helper Association
Preparing iptables-restore input...
Running debug_restore_input...
IPv4 Forwarding Enabled
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.
==== Output of shorewall dump
Shorewall 4.5.11.2 Dump at linux8 - Sun Jun 23 00:28:33 HST 2013
Shorewall is running
State:Started (Sun Jun 23 00:10:24 HST 2013) from /etc/shorewall/
Counters reset Sun Jun 23 00:10:24 HST 2013
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
2382 1545K enp0s25_in all -- enp0s25 * 0.0.0.0/0
0.0.0.0/0
0 0 wlp3s0_in all -- wlp3s0 * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
"Shorewall:INPUT:REJECT:"
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0 [goto]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 enp0s25_fwd all -- enp0s25 * 0.0.0.0/0
0.0.0.0/0
0 0 wlp3s0_fwd all -- wlp3s0 * 0.0.0.0/0
0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
"Shorewall:FORWARD:REJECT:"
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0 [goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
2137 909K fw2net all -- * enp0s25 0.0.0.0/0
0.0.0.0/0
0 0 fw2net all -- * wlp3s0 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- * lo 0.0.0.0/0
0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
"Shorewall:OUTPUT:REJECT:"
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0 [goto]
Chain Broadcast (2 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0
224.0.0.0/4
Chain Drop (1 references)
pkts bytes target prot opt in out source
destination
3 120 all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:113
3 120 Broadcast all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 11
3 120 Invalid all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,445
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:137 dpts:1024:65535
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900
0 0 NotSyn tcp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53
Chain Invalid (2 references)
pkts bytes target prot opt in out source
destination
3 120 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID
Chain NotSyn (2 references)
pkts bytes target prot opt in out source
destination
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:!0x17/0x02
Chain Reject (3 references)
pkts bytes target prot opt in out source
destination
0 0 all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:113
0 0 Broadcast all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 11
0 0 Invalid all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,445
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:137 dpts:1024:65535
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900
0 0 NotSyn tcp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53
Chain dynamic (4 references)
pkts bytes target prot opt in out source
destination
Chain enp0s25_fwd (1 references)
pkts bytes target prot opt in out source
destination
0 0 sfilter all -- * enp0s25 0.0.0.0/0
0.0.0.0/0 [goto]
0 0 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW
0 0 net_frwd all -- * * 0.0.0.0/0
0.0.0.0/0
Chain enp0s25_in (1 references)
pkts bytes target prot opt in out source
destination
4 1580 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW
1 1460 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
2381 1544K net2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2net (2 references)
pkts bytes target prot opt in out source
destination
1 353 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
1938 897K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED
198 12375 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source
destination
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2fw (2 references)
pkts bytes target prot opt in out source
destination
2378 1544K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 120 Drop all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
"Shorewall:net2fw:DROP:"
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain net_frwd (2 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * enp0s25 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- * wlp3s0 0.0.0.0/0
0.0.0.0/0
Chain reject (10 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4
0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-prohibited
Chain sfilter (2 references)
pkts bytes target prot opt in out source
destination
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
"Shorewall:sfilter:DROP:"
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source
destination
Chain wlp3s0_fwd (1 references)
pkts bytes target prot opt in out source
destination
0 0 sfilter all -- * wlp3s0 0.0.0.0/0
0.0.0.0/0 [goto]
0 0 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW
0 0 net_frwd all -- * * 0.0.0.0/0
0.0.0.0/0
Chain wlp3s0_in (1 references)
pkts bytes target prot opt in out source
destination
0 0 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
0 0 net2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Log (/var/log/messages)
Conntrack Table (16 out of 65536)
grep: /proc/net/nf_conntrack: No such file or directory
IP Configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
3: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
inet 192.168.200.78/24 brd 255.255.255.255 scope global enp0s25
IP Stats
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode
DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
1100 22 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1100 22 0 0 0 0
2: wlp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state
DOWN mode DEFAULT qlen 1000
link/ether 00:1d:e0:8c:2a:e3 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
3: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP mode DEFAULT qlen 1000
link/ether 00:1d:72:8c:87:29 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
190425111 165922 0 0 0 0
TX: bytes packets errors dropped carrier collsns
12899118 104365 0 0 0 0
RTNETLINK answers: Operation not supported
Dump terminated
Routing Table
Command line is not complete. Try option "help"
Per-IP Counters
iptaccount is not installed
NF Accounting
No NF Accounting defined (nfacct not found)
/proc
/proc/version = Linux version 3.7.10-gentoo (root@linux8) (gcc
version 4.5.4 (Gentoo 4.5.4 p1.0, pie-0.4.7) ) #4 SMP Mon Jun 10
15:55:58 HST 2013
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/enp0s25/proxy_arp = 0
/proc/sys/net/ipv4/conf/enp0s25/arp_filter = 0
/proc/sys/net/ipv4/conf/enp0s25/arp_ignore = 0
/proc/sys/net/ipv4/conf/enp0s25/rp_filter = 0
/proc/sys/net/ipv4/conf/enp0s25/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 1
/proc/sys/net/ipv4/conf/wlp3s0/proxy_arp = 0
/proc/sys/net/ipv4/conf/wlp3s0/arp_filter = 0
/proc/sys/net/ipv4/conf/wlp3s0/arp_ignore = 0
/proc/sys/net/ipv4/conf/wlp3s0/rp_filter = 0
/proc/sys/net/ipv4/conf/wlp3s0/log_martians = 1
ARP
? (192.168.200.1) at 00:26:41:aa:a3:c0 [ether] on enp0s25
Modules
ip_tables 8661 1 iptable_filter
ipt_REJECT 1862 4
iptable_filter 965 1
nf_conntrack 38156 3 xt_state,xt_conntrack,nf_conntrack_ipv4
nf_conntrack_ipv4 4979 7
nf_defrag_ipv4 856 1 nf_conntrack_ipv4
xt_LOG 6661 5
xt_addrtype 1462 4
xt_conntrack 2582 7
xt_limit 1288 0
xt_mac 704 0
xt_mark 762 0
xt_multiport 1427 4
xt_pkttype 712 0
xt_state 836 0
xt_tcpudp 1812 14
Shorewall has detected the following iptables/netfilter capabilities:
ACCOUNT Target (ACCOUNT_TARGET): Not available
AUDIT Target (AUDIT_TARGET): Not available
Address Type Match (ADDRTYPE): Available
Amanda Helper: Not available
Basic Filter (BASIC_FILTER): Available
CLASSIFY Target (CLASSIFY_TARGET): Not available
CONNMARK Target (CONNMARK): Not available
CT Target (CT_TARGET): Not available
Capabilities Version (CAPVERSION): 40509
Checksum Target: Not available
Comments (COMMENTS): Not available
Condition Match (CONDITION_MATCH): Not available
Connection Tracking Match (CONNTRACK_MATCH): Available
Connlimit Match (CONNLIMIT_MATCH): Not available
Connmark Match (CONNMARK_MATCH): Not available
DSCP Match (DSCP_MATCH): Not available
DSCP Target (DSCP_TARGET): Not available
Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
Extended Multi-port Match (XMULIPORT): Available
Extended REJECT (ENHANCED_REJECT): Available
FLOW Classifier (FLOW_FILTER): Available
FTP Helper: Not available
FTP-0 Helper: Not available
Geo IP match: Not available
Goto Support (GOTO_TARGET): Available
H323 Helper: Not available
Hashlimit Match (HASHLIMIT_MATCH): Not available
Header Match (HEADER_MATCH): Not available
Helper Match (HELPER_MATCH): Not available
IMQ Target (IMQ_TARGET): Not available
IP range Match(IPRANGE_MATCH): Not available
IPMARK Target (IPMARK_TARGET): Not available
IPP2P Match (IPP2P_MATCH): Not available
IRC Helper: Not available
IRC-0 Helper: Not available
Kernel Version (KERNELVERSION): 30710
LOG Target (LOG_TARGET): Available
LOGMARK Target (LOGMARK_TARGET): Not available
MARK Target (MARK): Not available
Mangle FORWARD Chain (MANGLE_FORWARD): Not available
Mark in any table (MARK_ANYWHERE): Available
Multi-port Match (MULTIPORT): Available
NAT (NAT_ENABLED): Not available
NFAcct match: Not available
NFLOG Target (NFLOG_TARGET): Not available
NFQUEUE Target (NFQUEUE_TARGET): Not available
Netbios_ns Helper: Not available
Owner Match (OWNER_MATCH): Not available
Owner Name Match (OWNER_NAME_MATCH): Not available
PPTP Helper: Not available
Packet Mangling (MANGLE_ENABLED): Not available
Packet Type Match (USEPKTTYPE): Available
Packet length Match (LENGTH_MATCH): Not available
Persistent SNAT (PERSISTENT_SNAT): Not available
Physdev Match (PHYSDEV_MATCH): Not available
Physdev-is-bridged Support (PHYSDEV_BRIDGE): Not available
Policy Match (POLICY_MATCH): Not available
RPFilter match: Not available
Raw Table (RAW_TABLE): Not available
Rawpost Table (RAWPOST_TABLE): Not available
Realm Match (REALM_MATCH): Not available
Recent Match (RECENT_MATCH): Not available
Repeat match (KLUDGEFREE): Not available
SANE Helper: Not available
SANE-0 Helper: Not available
SIP Helper: Not available
SIP-0 Helper: Not available
SNMP Helper: Not available
Statistic Match (STATISTIC_MATCH): Not available
TCPMSS Match (TCPMSS_MATCH): Not available
TFTP Helper: Not available
TFTP-0 Helper: Not available
TPROXY Target (TPROXY_TARGET): Not available
Time Match (TIME_MATCH): Not available
ULOG Target (ULOG_TARGET): Not available
fwmark route mask (FWMARK_RT_MASK): Available
ipset V5 (IPSET_V5): Not available
iptables -S (IPTABLES_S): Available
Active Internet connections (servers and established)
On Jun 23, 2013, at 3:36 AM, David Iannucci <fuberjnyyhfrefzy@punchcutter.ml1.net> wrote:
> Hi, I've been receiving the following error for weeks or months now:
>
> iptables: No chain/target/match by that name.
>
> I know this is a common thing and that it usually means that something
> is missing from your kernel config. I'm a Gentoo user and I'm well
> accustomed to kernel config, and have read the docs explaining which
> settings are needed. I *think* it's all in there.
>
> This is just a simple f/w setup running on a single machine with a
> single network i/f active at a time.
>
> Bottom line: I have no idea whether this is really causing a problem or
> not. Firewall seems to be working, but I worry that it's really not, and
> I'm vulnerable. In typical intelligent human fashion, I've waited months
> to get around to seriously addressing it :-\
>
> Without further ado, here's the evidence I offer. Note that the error
> comes at the beginning of the startup process, right after "Loading
> modules..." This is how it's been each time I've checked.

More importantly, it is appearing right before the capabilities are
reported. That leads me to believe that it is being generated during
capability detection.

'shorewall trace check' might give enough information to see what
iptables command is generating the message. But given where it is being
generated, I would not be concerned that it is causing any type of
vulnerability.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Sun, Jun 23, 2013, at 3:20, Tom Eastep wrote:
> On Jun 23, 2013, at 3:36 AM, David Iannucci wrote:
>
> > Hi, I've been receiving the following error for weeks or months now:
> >
> > iptables: No chain/target/match by that name.
> >
> > I know this is a common thing and that it usually means that
> > something is missing from your kernel config.
[........]
>
> More importantly, it is appearing right before the capabilities are
> reported. That leads me to believe that it is being generated during
> capability detection.
>
> 'shorewall trace check' might give enough information to see what
> iptables command is generating the message. But given where it is
> being generated, I would not be concerned that it is causing any type
> of vulnerability.
>
> -Tom

Thanks for the quick response. Here's a clipping from what shorewall
trace check said, starting from Loading Modules. I note there are quite
a few examples of the error in question here... no idea which one is the
lone one that is printed normally. The whole output of the command
overran my terminal scroll buffer, but rather than change that, I've
attached the entire output to this mail; apologies if that's a no-no on
this list - or maybe Mailman'll strip it :-}

Dave

Loading Modules...
IN===> loadmodule nfnetlink
IN===> loadmodule x_tables
IN===> loadmodule ip_tables
IN===> loadmodule iptable_filter
IN===> loadmodule iptable_mangle
IN===> loadmodule ip_conntrack
IN===> loadmodule nf_conntrack
IN===> loadmodule nf_conntrack_ipv4
IN===> loadmodule iptable_nat
IN===> loadmodule iptable_raw
IN===> loadmodule xt_state
IN===> loadmodule xt_tcpudp
IN===> loadmodule ipt_LOG
IN===> loadmodule xt_AUDIT
IN===> loadmodule xt_CLASSIFY
IN===> loadmodule xt_connmark
IN===> loadmodule xt_CONNMARK
IN===> loadmodule xt_conntrack
IN===> loadmodule xt_dccp
IN===> loadmodule xt_dscp
IN===> loadmodule xt_DSCP
IN===> loadmodule xt_hashlimit
IN===> loadmodule xt_helper
IN===> loadmodule xt_ipp2p
IN===> loadmodule xt_iprange
IN===> loadmodule xt_length
IN===> loadmodule xt_limit
IN===> loadmodule xt_mac
IN===> loadmodule xt_mark
IN===> loadmodule xt_MARK
IN===> loadmodule xt_multiport
IN===> loadmodule xt_NFLOG
IN===> loadmodule xt_NFQUEUE
IN===> loadmodule xt_owner
IN===> loadmodule xt_physdev
IN===> loadmodule xt_pkttype
IN===> loadmodule xt_tcpmss
IN===> loadmodule xt_IPMARK
IN===> loadmodule xt_TPROXY
IN===> loadmodule xt_condition
IN===> loadmodule xt_geoip
IN===> loadmodule xt_ipp2p
IN===> loadmodule xt_LOGMARK
IN===> loadmodule xt_RAWNAT
IN===> loadmodule ip_conntrack_amanda
IN===> loadmodule ip_conntrack_ftp
IN===> loadmodule ip_conntrack_h323
IN===> loadmodule ip_conntrack_irc
IN===> loadmodule ip_conntrack_netbios_ns
IN===> loadmodule ip_conntrack_pptp
IN===> loadmodule ip_conntrack_sip
IN===> loadmodule ip_conntrack_tftp
IN===> loadmodule ip_nat_amanda
IN===> loadmodule ip_nat_ftp
IN===> loadmodule ip_nat_h323
IN===> loadmodule ip_nat_irc
IN===> loadmodule ip_nat_pptp
IN===> loadmodule ip_nat_sip
IN===> loadmodule ip_nat_snmp_basic
IN===> loadmodule ip_nat_tftp
IN===> loadmodule ip_set
IN===> loadmodule ip_set_iphash
IN===> loadmodule ip_set_ipmap
IN===> loadmodule ip_set_macipmap
IN===> loadmodule ip_set_portmap
IN===> loadmodule nf_conntrack_ftp
IN===> loadmodule nf_conntrack_h323
IN===> loadmodule nf_conntrack_irc
IN===> loadmodule nf_conntrack_netbios_ns
IN===> loadmodule nf_conntrack_netlink
IN===> loadmodule nf_conntrack_pptp
IN===> loadmodule nf_conntrack_proto_gre
IN===> loadmodule nf_conntrack_proto_sctp
IN===> loadmodule nf_conntrack_proto_udplite
IN===> loadmodule nf_conntrack_sip sip_direct_media=0
IN===> loadmodule nf_conntrack_tftp
IN===> loadmodule nf_conntrack_sane
IN===> loadmodule nf_nat_amanda
IN===> loadmodule nf_nat_ftp
IN===> loadmodule nf_nat_h323
IN===> loadmodule nf_nat_irc
IN===> loadmodule nf_nat
IN===> loadmodule nf_nat_pptp
IN===> loadmodule nf_nat_proto_gre
IN===> loadmodule nf_nat_sip
IN===> loadmodule nf_nat_snmp_basic
IN===> loadmodule nf_nat_tftp
IN===> loadmodule xt_set
IN===> loadmodule ip_set
IN===> loadmodule ip_set_iphash
IN===> loadmodule ip_set_ipmap
IN===> loadmodule ip_set_ipporthash
IN===> loadmodule ip_set_iptree
IN===> loadmodule ip_set_iptreemap
IN===> loadmodule ip_set_macipmap
IN===> loadmodule ip_set_nethash
IN===> loadmodule ip_set_portmap
IN===> loadmodule ipt_SET
IN===> loadmodule ipt_set
IN===> loadmodule sch_sfq
IN===> loadmodule sch_ingress
IN===> loadmodule sch_hfsc
IN===> loadmodule sch_htb
IN===> loadmodule sch_prio
IN===> loadmodule sch_tbf
IN===> loadmodule cls_u32
IN===> loadmodule cls_fw
IN===> loadmodule cls_flow
IN===> loadmodule cls_basic
IN===> loadmodule act_police
IN===> loadmodule ipt_addrtype
IN===> loadmodule ipt_ah
IN===> loadmodule ipt_CLASSIFY
IN===> loadmodule ipt_CLUSTERIP
IN===> loadmodule ipt_comment
IN===> loadmodule ipt_connmark
IN===> loadmodule ipt_CONNMARK
IN===> loadmodule ipt_conntrack
IN===> loadmodule ipt_dscp
IN===> loadmodule ipt_DSCP
IN===> loadmodule ipt_ecn
IN===> loadmodule ipt_ECN
IN===> loadmodule ipt_esp
IN===> loadmodule ipt_hashlimit
IN===> loadmodule ipt_helper
IN===> loadmodule ipt_ipp2p
IN===> loadmodule ipt_iprange
IN===> loadmodule ipt_length
IN===> loadmodule ipt_limit
IN===> loadmodule ipt_LOG
IN===> loadmodule ipt_mac
IN===> loadmodule ipt_mark
IN===> loadmodule ipt_MARK
IN===> loadmodule ipt_MASQUERADE
IN===> loadmodule ipt_multiport
IN===> loadmodule ipt_NETMAP
IN===> loadmodule ipt_NOTRACK
IN===> loadmodule ipt_owner
IN===> loadmodule ipt_physdev
IN===> loadmodule ipt_pkttype
IN===> loadmodule ipt_policy
IN===> loadmodule ipt_realm
IN===> loadmodule ipt_recent
IN===> loadmodule ipt_REDIRECT
IN===> loadmodule ipt_REJECT
IN===> loadmodule ipt_SAME
IN===> loadmodule ipt_sctp
IN===> loadmodule ipt_set
IN===> loadmodule ipt_state
IN===> loadmodule ipt_tcpmss
IN===> loadmodule ipt_TCPMSS
IN===> loadmodule ipt_tos
IN===> loadmodule ipt_TOS
IN===> loadmodule ipt_ttl
IN===> loadmodule ipt_TTL
IN===> loadmodule ipt_ULOG
SYS----> /sbin/iptables -N fooX24035
SYS----> /sbin/iptables -N foo1X24035
SYS----> /sbin/iptables -A fooX24035 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
SYS----> /sbin/iptables -A fooX24035 -p tcp -m multiport --dports 21,22 -j ACCEPT
SYS----> /sbin/iptables -A fooX24035 -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT
SYS----> /sbin/iptables -t nat -L -n
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
SYS----> /sbin/iptables -t mangle -L -n
iptables v1.4.16.3: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
SYS----> /sbin/iptables -A fooX24035 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
SYS----> /sbin/iptables -A fooX24035 -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT
SYS----> /sbin/iptables -A fooX24035 -m conntrack ! --ctorigdst 1.2.3.4
SYS----> /sbin/iptables -A fooX24035 -p tcp -m multiport --dports 21,22 -j ACCEPT
SYS----> /sbin/iptables -A fooX24035 -p tcp -m multiport --dports 21:22 -j ACCEPT
SYS----> /sbin/iptables -A fooX24035 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX24035 -m physdev --physdev-in eth0 -j ACCEPT
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX24035 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX24035 -m recent --update -j ACCEPT
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX24035 -m owner --uid-owner 0 -j ACCEPT
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX24035 -m owner --uid-owner root -j ACCEPT
sh: line 1: -j: command not found
SYS----> /sbin/iptables -A fooX24035 -m connmark --mark 2 -j ACCEPT
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX24035 -p tcp -m ipp2p --edk -j ACCEPT
iptables v1.4.16.3: Couldn't load match `ipp2p':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
SYS----> /sbin/iptables -A fooX24035 -m length --length 10:20 -j ACCEPT
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX24035 -j REJECT --reject-with icmp-host-prohibited
SYS----> /sbin/iptables -A fooX24035 -j ACCEPT -m comment --comment "This is a comment"
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX24035 -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name fooX24035 --hashlimit-mode srcip -j ACCEPT
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX24035 -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name fooX24035 --hashlimit-mode srcip -j ACCEPT
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -t raw -L -n iptables v1.4.16.3: can''t initialize iptables table `raw'': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded. SYS----> /sbin/iptables -t rawpost -L -n iptables v1.4.16.3: can''t initialize iptables table `rawpost'': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded. SYS----> /sbin/iptables -A fooX24035 -m pkttype --pkt-type broadcast -j ACCEPT SYS----> /sbin/iptables -A fooX24035 -m addrtype --src-type BROADCAST -j ACCEPT SYS----> /sbin/iptables -A fooX24035 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT iptables: No chain/target/match by that name. SYS----> /sbin/iptables -A fooX24035 -j NFQUEUE --queue-num 4 iptables: No chain/target/match by that name. SYS----> /sbin/iptables -A fooX24035 -m realm --realm 1 iptables: No chain/target/match by that name. SYS----> /sbin/iptables -A fooX24035 -m connlimit --connlimit-above 8 iptables: No chain/target/match by that name. SYS----> /sbin/iptables -A fooX24035 -m time --timestart 11:00 iptables: No chain/target/match by that name. SYS----> /sbin/iptables -A fooX24035 -g foo1X24035 SYS----> /sbin/iptables -A fooX24035 -j LOG SYS----> /sbin/iptables -A fooX24035 -j ULOG iptables: No chain/target/match by that name. SYS----> /sbin/iptables -A fooX24035 -j NFLOG iptables: No chain/target/match by that name. SYS----> /sbin/iptables -A fooX24035 -j LOGMARK iptables v1.4.16.3: Couldn''t load target `LOGMARK'':No such file or directory Try `iptables -h'' or ''iptables --help'' for more information. SYS----> /sbin/iptables -A fooX24035 -j MARK --set-mark 5 SYS----> /sbin/iptables -A fooX24035 -j ACCOUNT --addr 192.168.1.0/29 --tname fooX24035 iptables v1.4.16.3: unknown option "--addr" Try `iptables -h'' or ''iptables --help'' for more information. SYS----> /sbin/iptables -A fooX24035 -j AUDIT --type drop iptables: No chain/target/match by that name. 
SYS----> /sbin/iptables -A fooX24035 -m condition --condition foo iptables v1.4.16.3: Couldn''t load match `condition'':No such file or directory Try `iptables -h'' or ''iptables --help'' for more information. SYS----> /sbin/iptables -S INPUT -P INPUT DROP -A INPUT -i enp0s25 -j enp0s25_in -A INPUT -i wlp3s0 -j wlp3s0_in -A INPUT -i lo -j ACCEPT -A INPUT -j Reject -A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6 -A INPUT -g reject SYS----> /sbin/iptables -A fooX24035 -m statistic --mode nth --every 2 --packet 1 iptables: No chain/target/match by that name. SYS----> /sbin/iptables -A fooX24035 -m geoip --src-cc US iptables v1.4.16.3: Couldn''t load match `geoip'':No such file or directory Try `iptables -h'' or ''iptables --help'' for more information. SYS----> nfacct add fooX24035 Can''t exec "nfacct": No such file or directory at /usr/share/shorewall/Shorewall/Config.pm line 3371. SYS----> /sbin/iptables -A fooX24035 -p tcp --dport 21 -m helper --helper ftp iptables: No chain/target/match by that name. SYS----> /sbin/iptables -F fooX24035 SYS----> /sbin/iptables -X fooX24035 SYS----> /sbin/iptables -F foo1X24035 SYS----> /sbin/iptables -X foo1X24035 NF-(N)-> raw:OUTPUT NF-(N)-> raw:PREROUTING NF-(N)-> rawpost:POSTROUTING NF-(N)-> filter:INPUT NF-(N)-> filter:OUTPUT NF-(N)-> filter:FORWARD NF-(N)-> nat:PREROUTING NF-(N)-> nat:POSTROUTING NF-(N)-> nat:OUTPUT NF-(N)-> mangle:PREROUTING NF-(N)-> mangle:INPUT NF-(N)-> mangle:OUTPUT NF-(N)-> filter:reject ------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev
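The trace above is what Shorewall's capability detection looks like from the outside: one probe command per match, target or table, with iptables' stderr printed right after it. As an added example that is not Shorewall's code and not part of the attached trace, here is a small Python parser that reads `shorewall trace check` output in that shape, pairs each SYS----> probe with the error lines that follow it, and reports which capabilities the kernel lacks. The sample text inside it is constructed from lines in this thread; the "untested" class for a message that comes from sh rather than iptables is this example's own labelling.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the 'shorewall trace check' lines quoted in
# this thread (chain name fooX24035 and the iptables version come from the thread).
SAMPLE_TRACE = """\
SYS----> /sbin/iptables -N fooX24035
SYS----> /sbin/iptables -A fooX24035 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
SYS----> /sbin/iptables -t nat -L -n
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
SYS----> /sbin/iptables -A fooX24035 -m physdev --physdev-in eth0 -j ACCEPT
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX24035 -m owner --uid-owner root -j ACCEPT
sh: line 1: -j: command not found
SYS----> /sbin/iptables -A fooX24035 -p tcp -m ipp2p --edk -j ACCEPT
iptables v1.4.16.3: Couldn't load match `ipp2p':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
SYS----> /sbin/iptables -A fooX24035 -j NFLOG
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX24035 -j REJECT --reject-with icmp-host-prohibited
"""

@dataclass
class Probe:
    command: str                                # the iptables command Shorewall ran
    errors: list = field(default_factory=list)  # stderr lines printed after it

def parse_trace(text):
    """Pair every 'SYS---->' command with the error lines that follow it."""
    probes = []
    for line in text.splitlines():
        if line.startswith("SYS----> "):
            probes.append(Probe(line[len("SYS----> "):].strip()))
        elif probes and line.strip():
            probes[-1].errors.append(line.strip())
    return probes

def probe_subject(cmd):
    """'table:X', 'match:X', 'target:X', or None for chain housekeeping (-N/-F/-X/-S)."""
    table = re.search(r"\s-t\s+(\w+)\s+-L\b", cmd)
    if table:
        return "table:" + table.group(1)
    matches = re.findall(r"\s-m\s+(\w+)", cmd)
    if matches:
        return "match:" + matches[-1]           # the last -m is the one under test
    target = re.search(r"\s-j\s+(\w+)", cmd)
    if target:
        return "target:" + target.group(1)
    return None

def classify(probe):
    """available / missing / untested. A message from sh rather than iptables
    means the probe command itself never ran, so it says nothing about the kernel."""
    if not probe.errors:
        return "available"
    if probe.errors[0].startswith("sh:"):
        return "untested: " + probe.errors[0]
    return "missing: " + probe.errors[0]

def audit(text):
    """(subject, status) for every capability probe in a trace listing."""
    return [(probe_subject(p.command), classify(p))
            for p in parse_trace(text) if probe_subject(p.command)]

def missing_capabilities(text):
    """Matches, targets and tables this kernel lacks, in sorted order."""
    results = audit(text)
    ok = {s for s, st in results if st == "available"}
    return sorted({s for s, st in results if st.startswith("missing") and s not in ok})

if __name__ == "__main__":
    for subject, status in audit(SAMPLE_TRACE):
        print(f"{subject:20} {status}")
```

Run it against the full output of `shorewall trace check 2>&1` (stderr merged, as Tom asks for later in the thread) to get the same list for a real kernel; a probe that ends up "untested" points at the probe command rather than at the kernel configuration.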
On Jun 23, 2013, at 4:49 PM, David Iannucci <fuberjnyyhfrefzy@punchcutter.ml1.net> wrote:

> On Sun, Jun 23, 2013, at 3:20, Tom Eastep wrote:
>> On Jun 23, 2013, at 3:36 AM, David Iannucci wrote:
>>
>>> Hi, I've been receiving the following error for weeks or months now:
>>>
>>> iptables: No chain/target/match by that name.
>>>
>>> I know this is a common thing and that it usually means that
>>> something is missing from your kernel config. [........]
>>
>> More importantly, it is appearing right before the capabilities are
>> reported. That leads me to believe that it is being generated during
>> capability detection.
>>
>> 'shorewall trace check' might give enough information to see what
>> iptables command is generating the message. But given where it is
>> being generated, I would not be concerned that it is causing any type
>> of vulnerability.
>>
>> -Tom
>
> Thanks for the quick response. Here's a clipping from what shorewall
> trace check said, starting from Loading Modules. I note there are quite
> a few examples of the error in question here... no idea which one is the
> lone one that is printed normally.
>
> The whole output of the command overran my terminal scroll buffer,
> but rather than change that, I've attached the entire output to this
> mail; apologies if that's a no-no on this list - or maybe Mailman'll
> strip it :-}

Before I wade through this, I would like to know if you can reproduce this on the current Shorewall version.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Sun, Jun 23, 2013, at 14:56, Tom Eastep wrote:
> Before I wade through this, I would like to know if you can reproduce
> this on the current Shorewall version.
>
> -Tom

The latest available to me in Gentoo's portage is 4.5.17. I've upgraded and sorry to say, the exact same thing is still happening. The output of shorewall trace check also looks very similar, although I haven't carefully compared the two. Let me know if you want logs from 4.5.17.

Much appreciated.

Dave
With this error:

iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Recheck your kernel configuration and ensure NAT is enabled. They moved around the kernel modules for iptables and NAT was moved and unselected, even though it was an upgrade for the kernel.

Vernon

-----------------------
Vernon (Andy) Fort
Provident Solutions, LLC
Office - (615) 406-5540
http://www.provident-solutions.com

-----Original Message-----
From: David Iannucci [mailto:fuberjnyyhfrefzy@punchcutter.ml1.net]
Sent: Sunday, June 23, 2013 10:47 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Iptables error: doesn't seem like the usual
On 06/24/2013 06:39 AM, Vernon Fort wrote:
> With this error:
>
> iptables v1.4.16.3: can't initialize iptables table `nat': Table does
> not exist (do you need to insmod?) Perhaps iptables or your kernel
> needs to be upgraded.
>
> Recheck your kernel configuration and ensure NAT is enabled. They
> moved around the kernel modules for iptables and NAT was moved and
> unselected, even though it was an upgrade for the kernel.
>

Vernon,

David builds his own stripped down kernels which don't include NAT support. Given that this is a standalone system, NAT isn't a requirement.

All but one of the error messages in the trace listing are suppressed when we are not tracing. We are trying to understand why a single error message is not being suppressed.

-Tom
On 06/23/2013 08:47 PM, David Iannucci wrote:
> On Sun, Jun 23, 2013, at 14:56, Tom Eastep wrote:
>> Before I wade through this, I would like to know if you can reproduce
>> this on the current Shorewall version.
>>
>> -Tom
>
> The latest available to me in Gentoo's portage is 4.5.17. I've upgraded
> and sorry to say, the exact same thing is still happening. The output
> of shorewall trace check also looks very similar, although I haven't
> carefully compared the two. Let me know if you want logs from 4.5.17.

Yes, please. And also please redirect Standard Error to Standard Out (e.g., '2>&1').

Thanks,
-Tom
On 06/24/2013 08:32 AM, Tom Eastep wrote:
> On 06/23/2013 08:47 PM, David Iannucci wrote:
>> On Sun, Jun 23, 2013, at 14:56, Tom Eastep wrote:
>>> Before I wade through this, I would like to know if you can reproduce
>>> this on the current Shorewall version.
>>>
>>> -Tom
>>
>> The latest available to me in Gentoo's portage is 4.5.17. I've upgraded
>> and sorry to say, the exact same thing is still happening. The output
>> of shorewall trace check also looks very similar, although I haven't
>> carefully compared the two. Let me know if you want logs from 4.5.17.
>
>
> Yes, please. And also please redirect Standard Error to Standard Out
> (e.g., '2>&1').

Another useful experiment would be to set LOAD_HELPERS_ONLY=Yes. Does the message still appear? If so, where in the output?

Thanks,
-Tom
On 06/24/2013 12:23 PM, Tom Eastep wrote:
> On 06/24/2013 08:32 AM, Tom Eastep wrote:
>> On 06/23/2013 08:47 PM, David Iannucci wrote:
>>> On Sun, Jun 23, 2013, at 14:56, Tom Eastep wrote:
>>>> Before I wade through this, I would like to know if you can reproduce
>>>> this on the current Shorewall version.
>>>>
>>>> -Tom
>>>
>>> The latest available to me in Gentoo's portage is 4.5.17. I've upgraded
>>> and sorry to say, the exact same thing is still happening. The output
>>> of shorewall trace check also looks very similar, although I haven't
>>> carefully compared the two. Let me know if you want logs from 4.5.17.
>>
>>
>> Yes, please. And also please redirect Standard Error to Standard Out
>> (e.g., '2>&1').
>
> Another useful experiment would be to set LOAD_HELPERS_ONLY=Yes. Does
> the message still appear? If so, where in the output?

We can also determine where the problem is coming from using the Perl debugger with "LOAD_HELPERS_ONLY=No".

Run 'shorewall check -d'.

At the first debugger prompt, type

    b Shorewall::Config::determine_capabilities

At the second debugger prompt, type

    c

At the next debugger prompt, type

    n

At subsequent prompts, simply hit the enter key. Continue until the error message appears; then type

    q

Here's a sample session:

root@gateway:/etc/shorewall# shorewall check -d
Checking...

Loading DB routines from perl5db.pl version 1.32
Editor support available.

Enter h or `h h' for help, or `man perldebug' for more help.

main::(/usr/share/shorewall/compiler.pl:85):
85:     my $export = 0;
  DB<1> b Shorewall::Config::determine_capabilities
  DB<2> c
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4262):
4262:   my $pid = $$;
  DB<2> n
Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4264):
4264:   $capabilities{CAPVERSION} = $globals{CAPVERSION};
  DB<2>
Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4266):
4266:   determine_kernelversion;
  DB<2>
Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4268):
4268:   $sillyname = "fooX$pid";
  DB<2>
Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4269):
4269:   $sillyname1 = "foo1X$pid";
  DB<2>
Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4271):
4271:   qt1( "$iptables -N $sillyname" );
  DB<2> q
Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4272):
root@gateway:

-Tom
On 06/24/2013 01:01 PM, Tom Eastep wrote:
> On 06/24/2013 12:23 PM, Tom Eastep wrote:
>> On 06/24/2013 08:32 AM, Tom Eastep wrote:
>>> On 06/23/2013 08:47 PM, David Iannucci wrote:
>>>> On Sun, Jun 23, 2013, at 14:56, Tom Eastep wrote:
>>>>> Before I wade through this, I would like to know if you can reproduce
>>>>> this on the current Shorewall version.
>>>>>
>>>>> -Tom
>>>>
>>>> The latest available to me in Gentoo's portage is 4.5.17. I've upgraded
>>>> and sorry to say, the exact same thing is still happening. The output
>>>> of shorewall trace check also looks very similar, although I haven't
>>>> carefully compared the two. Let me know if you want logs from 4.5.17.
>>>
>>>
>>> Yes, please. And also please redirect Standard Error to Standard Out
>>> (e.g., '2>&1').
>>
>> Another useful experiment would be to set LOAD_HELPERS_ONLY=Yes. Does
>> the message still appear? If so, where in the output?
>
> We can also determine where the problem is coming from using the Perl
> debugger with "LOAD_HELPERS_ONLY=No".
>
> Run 'shorewall check -d'.
>
> At the first debugger prompt, type
>
>     b Shorewall::Config::determine_capabilities
>
> At the second debugger prompt, type
>
>     c
>
> At the next debugger prompt, type
>
>     n
>
> At subsequent prompts, simply hit the enter key. Continue until the
> error message appears; then type
>
>     q
>
> Here's a sample session:
>
> root@gateway:/etc/shorewall# shorewall check -d
> Checking...
>
> Loading DB routines from perl5db.pl version 1.32
> Editor support available.
>
> Enter h or `h h' for help, or `man perldebug' for more help.
>
> main::(/usr/share/shorewall/compiler.pl:85):
> 85:     my $export = 0;
>   DB<1> b Shorewall::Config::determine_capabilities
>   DB<2> c
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4262):
> 4262:   my $pid = $$;
>   DB<2> n
> Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4264):
> 4264:   $capabilities{CAPVERSION} = $globals{CAPVERSION};
>   DB<2>
> Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4266):
> 4266:   determine_kernelversion;
>   DB<2>
> Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4268):
> 4268:   $sillyname = "fooX$pid";
>   DB<2>
> Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4269):
> 4269:   $sillyname1 = "foo1X$pid";
>   DB<2>
> Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4271):
> 4271:   qt1( "$iptables -N $sillyname" );
>   DB<2> q
> Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4272):
> root@gateway:

And if, as I suspect, the error message appears after executing this code:

    $capabilities{OWNER_NAME_MATCH} = detect_capability( 'OWNER_NAME_MATCH' );

then apply the attached patch.

Thanks,
-Tom
On Mon, Jun 24, 2013, at 10:20, Tom Eastep wrote:
>> We can also determine where the problem is coming from using the
>> Perl debugger with "LOAD_HELPERS_ONLY=No".
>>
>> Run 'shorewall check -d'.
>>
>> [......]
>
> And if, as I suspect, the error message appears after executing
> this code:
>
>     $capabilities{OWNER_NAME_MATCH}
>         = detect_capability( 'OWNER_NAME_MATCH' );
>
> then apply the attached patch.

Tom, thanks for the investigation and clear instructions for testing. As you predicted, the error appears *after* the above line of code:

Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4294):
4294:   $capabilities{OWNER_NAME_MATCH}
4295:       = detect_capability( 'OWNER_NAME_MATCH' );
  DB<2>
iptables: No chain/target/match by that name.
Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:4296):
4296:   $capabilities{CONNMARK_MATCH} = detect_capability( 'CONNMARK_MATCH' );
  DB<2>

You may have known this already by reproducing it :-)

You did say you thought this wasn't a problem that would lead to vulnerability, and it looks that way to me, too, so I won't bother with the patch, but rather just wait for the next version :-)

Dave