10

I built and installed iptables on my linux embedded system. If I list all rules, everything works fine:

#iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

But, if I add a new rule to block icmp ping, I'll get the following error:

iptables -A INPUT -i eth0 -p icmp --icmp-type any -s 0/0 -d 10.20.3.179 -m state --state NEW,ESTABLISHED,RELATED -j DROP
iptables: No chain/target/match by that name.

How to fix it?

Note: I'm launching the command as super user.

aldo85ita
  • 203
  • That is a cut-and-paste from a terminal session above, not you retyping the data, yes? I only ask because sometimes people retype things and ignore important details, see eg http://serverfault.com/questions/513806/iptables-no-chain-target-match-by-name/514068#514068 – MadHatter Jul 16 '13 at 15:05
  • 1
    First I would issue su - so you get a root shell. Secondly you can run the command as follows. Note -m state --state is no longer recommended by #Netfilter. I would use iptables -A INPUT -i eth0 -p icmp --icmp-type any -s 0/0 -d 10.20.3.179 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j DROP – Valentin Bajrami Jul 16 '13 at 15:13
  • I think you could use # iptables -A INPUT -i eth0 -p icmp -j DROP – ALex_hha Jul 16 '13 at 18:51
  • The command provided by @ALex_hha works fine, but it blocks all icmp requests in both directions, I mean: I can neither ping nor be pinged. Can I improve it? – aldo85ita Jul 17 '13 at 07:18
  • @val0x00ff, your command is not accepted, it returns again: “iptables: No chain/target/match by that name”. I think the issue is related to the "--icmp-type", "-s", "-d", "-m" and "--ctstate" options, because without them the command works. Why are your options not accepted? Do I have to add some config in kernel menuconfig? What do you think? – aldo85ita Jul 17 '13 at 07:23
  • Are you using a hand-built kernel? – MadHatter Jul 17 '13 at 07:28
  • WHY are you using a hand-built kernel? – Michael Hampton Jul 17 '13 at 07:33
  • My rule must block only incoming icmp packets on interface eth0. Could you clarify what exactly do you want? – ALex_hha Jul 17 '13 at 07:49
  • I'm using a custom kernel because I work on an embedded system. I enabled CONFIG_IP_NF_IPTABLES, but maybe it's not enough. I did several tests and only the "--icmp-type", "-m" and "--ctstate" options are NOT accepted. However, even if these options are not accepted, I found a way to block ONLY incoming ping requests with the following command: "iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT". So, thank you everybody for your help. It has been necessary to find the solution. I'd like to give both of you positive feedback. Copy/paste my solution and I'll give you points as the right answer. – aldo85ita Jul 17 '13 at 08:09

2 Answers

11

You need to figure out which part of the rule is causing that error message. It's probably the -m state part, but not necessarily. The various extensions to iptables and netfilter have to be compiled into the iptables userspace binary and into netfilter in the Linux kernel. You can determine which part you are missing by asking iptables for the help information on the extension you are testing. Here are some ways to test for the various extensions:

$ iptables -m state -h
$ iptables -p icmp -h
$ iptables -j DROP -h

If you get help output that includes information about the extension at the very bottom of the output, then it is compiled into the userspace binary. If not, then you need to recompile iptables. If that works, try the simplest possible rule to see if the extension is included in the kernel space:

$ iptables -A INPUT -m state --state NEW
$ iptables -A INPUT -p icmp
$ iptables -A INPUT -j DROP

(Careful with those rules, the last one you'll want to remove because it will probably DROP more than you want to!) When you get the error message again: No chain/target/match by that name you'll know that particular extension is not compiled into your kernel. You'll need to recompile your kernel.

Look through the make files in linux/net/ipv6/netfilter, linux/net/ipv4/netfilter, and linux/net/netfilter for options on enabling various extensions for the kernel. For the userspace, I think the make files in question are in iptables/extensions but I think the folder structure has changed a little in more recent versions.

Jonathan Swinney
  • 490
  • 1
  • 5
  • 16
1

I am using buildroot and I faced the same issue.

I found that lots of the iptables options are not selected in the kernel. Find the linux.config file and enable the needed options. For example, to enable TARGET_MASQUERADE:

change this:

# CONFIG_IP_NF_TARGET_MASQUERADE is not set

to this:

CONFIG_IP_NF_TARGET_MASQUERADE=y
Michael Hampton
  • 247,473
Fadi
  • 11
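Both answers come down to finding out which kernel option is missing. The script below is an added example (not from this thread or from buildroot) that reads a kernel .config such as buildroot's linux.config and reports which of the Kconfig symbols the question's rule depends on are disabled or absent. The symbol-to-rule mapping is my assumption for a kernel of that era, and the sample .config it ships with is constructed to mirror the asker's situation.

```sh
#!/bin/sh
# Added example: report netfilter Kconfig symbols a kernel .config lacks
# for the rule in the question. Not the thread's or buildroot's own code.
set -eu

# Kconfig symbol -> the part of the rule that needs it (assumed mapping
# for a 3.x-era kernel; the symbol names are standard Kconfig names).
NEEDED='
CONFIG_NETFILTER                     netfilter framework
CONFIG_IP_NF_IPTABLES                ip_tables core (also registers the icmp match)
CONFIG_IP_NF_FILTER                  filter table holding INPUT/FORWARD/OUTPUT
CONFIG_NF_CONNTRACK                  connection tracking, needed by any state match
CONFIG_NF_CONNTRACK_IPV4             IPv4 conntrack (separate symbol on older kernels)
CONFIG_NETFILTER_XT_MATCH_STATE      -m state --state NEW,ESTABLISHED,RELATED
CONFIG_NETFILTER_XT_MATCH_CONNTRACK  -m conntrack --ctstate NEW,ESTABLISHED,RELATED
CONFIG_IP_NF_TARGET_REJECT           -j REJECT (the asker'"'"'s final rule)
'

# Print "SYMBOL (disabled|absent): purpose" for every needed symbol that is
# neither built in (=y) nor modular (=m) in the given .config.
missing_options() {
    cfg="$1"
    printf '%s\n' "$NEEDED" | while read -r sym desc; do
        [ -n "$sym" ] || continue
        if grep -q "^${sym}=[ym]$" "$cfg"; then continue; fi
        if grep -q "^# ${sym} is not set$" "$cfg"; then
            state=disabled   # listed but switched off
        else
            state=absent     # not mentioned at all, e.g. a dependency is unmet
        fi
        printf '%s (%s): %s\n' "$sym" "$state" "$desc"
    done
}

# Number of missing symbols; handy as a build-script gate.
count_missing() { missing_options "$1" | wc -l | tr -d ' '; }

# Constructed sample .config: ip_tables is on, conntrack and state matches off.
SAMPLE_CFG="$(mktemp)"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
# CONFIG_NF_CONNTRACK is not set
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
CONFIG_IP_NF_TARGET_REJECT=y
EOF

# Usage: sh check_nf_config.sh [/path/to/.config]   (defaults to the sample)
missing_options "${1:-$SAMPLE_CFG}"
```

A symbol reported as absent rather than disabled usually means one of its dependencies (for example CONFIG_NF_CONNTRACK for the state match) is off, so enable those first and re-run.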