Introduction
If you encounter this error, it means that CONFIG_NETFILTER was not compiled into your kernel. All VPS (virtual private servers) I have owned from DigitalOcean, AWS, Google Cloud and other lesser-known hosting providers have it by default when I choose Ubuntu or Debian. However, I owned an OpenVZ (Open Virtuozzo) server from a particular provider, and there it was absent from Debian 9.
Error 1 – iptables: No chain/target/match by that name
If the module is not loaded, using iptables with -m conntrack --ctstate ESTABLISHED,RELATED will cause this error. Note that CONFIG_PACKET is not needed for iptables to work. You can read more about Linux packet filtering and iptables at linuxtopia.org.
user@server:~$ sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name.
user@server:~$ sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name.
Error 2 – apt-get update Cannot initiate the connection to and Temporary failure resolving repository
If the -m conntrack --ctstate option is not available on the server, you have to omit it from the iptables commands. The firewall rules will then be accepted without error, but simply dropping those two rules causes two problems when running apt-get: it fails to resolve repository hostnames such as ftp.us..debian.org, and connections to the repository time out.
user@server:~$ sudo apt-get update
Err:1 http://ftp.us..debian.org/debian oldstable InRelease
Could not resolve 'ftp.us..debian.org'
user@server:~$ sudo apt-get update
Err:1 https://packages.sury.org/php stretch InRelease
Failed to connect to packages.sury.org port 443: Connection timed out
0% [Connecting to prod.debian.map.fastly.net (151.101.24.204)] [Connecting to security.debian.org (151.101.0.204)]
Solution
The solution is to add six additional firewall rules (Step 1) for port 53 (DNS), 80 (HTTP) and 443 (HTTPS) to stand in for these two rules, which are rejected on servers without netfilter (CONFIG_NETFILTER) compiled in:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
Step 1 – Firewall Rules for Servers without Netfilter Module
Don't be in a hurry to enter these rules yet! The command iptables -P INPUT DROP will drop you out of your current SSH session, and you will need a serial console to get back in and set the policy back to iptables -P INPUT ACCEPT before you can reconnect via SSH.
# Flush all existing rules
iptables -F
# Set 'close all ports' chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# apt-get to resolve (53) and initiate connections (80, 443) to fetch updates from repo
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# Accept all incoming SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# Accept all incoming HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
# Accept all incoming HTTPS
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT
# Enable SMTPS for e.g. Postfix
iptables -A INPUT -p tcp --sport 465 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 465 -j ACCEPT
# Accept incoming PING
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Accept loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Step 2 – Using iptables-restore to Import Rules
Create a file, e.g. fw-rules, and import the rules below with iptables-restore < fw-rules. They only allow incoming SSH connections on port 22, web services on ports 80/443, SMTPS (Simple Mail Transfer Protocol Secure) on port 465 and ICMP ping. All other network packets are dropped.
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
# For apt-get to resolve (53) and initiate connections (80, 443)
# to fetch updates from repository
-A INPUT -p udp --sport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
# Accept SSH, HTTP, HTTPS, SMTPS and ICMP ping
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --sport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp --sport 443 -j ACCEPT
-A INPUT -p tcp --sport 465 -j ACCEPT
-A OUTPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
You can list the rules of your first firewall with iptables -L:
user@server:~$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT all -- anywhere anywhere
Step 3 – (optional) How to Check CONFIG_NETFILTER is Compiled into Kernel
On a KVM (Kernel-based Virtual Machine) with Debian 10 that I owned, the check returns that CONFIG_NETFILTER was compiled in:
user@server:~$ grep CONFIG_NETFILTER= /boot/*config*
/boot/config-4.19.0-5-amd64:CONFIG_NETFILTER=y
/boot/config-4.19.0-8-amd64:CONFIG_NETFILTER=y
On an OpenVZ (Open Virtuozzo) server with Debian 9 that I owned, it returns "No such file or directory". This can be because OpenVZ shares a single kernel, which is maintained by the host provider and which end users have no access to. In any case, the --ctstate option is not available on this server for me.
user@server:~$ grep CONFIG_NETFILTER= /boot/*config*
grep: /boot/*config*: No such file or directory
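As an added example (not code from the original article), the script below combines Steps 1 to 3: it probes whether the kernel can load the conntrack match by adding a rule to a throwaway chain that no traffic traverses, then emits the Step 2 policy in iptables-restore format, choosing the conntrack rules when they load and the six port-based fallback rules otherwise. It goes one step beyond the article's rules: the fallback inbound --sport rules carry "! --syn", so a new inbound connection is not accepted merely because its source port is 80, 443 or 465. The chain name probe_ct, the rule/gen_rules helpers and the --emit flag are my own choices.

```shell
#!/bin/sh
# Added example, not from the article: probe for the conntrack match, then
# emit the Step 2 policy in iptables-restore format for what the kernel supports.
# Loading a rule into a throwaway chain that no traffic traverses tests the
# kernel side; "iptables -m conntrack -h" alone only proves the userspace match.
probe_conntrack() {
    command -v iptables >/dev/null 2>&1 || return 1
    iptables -m conntrack -h >/dev/null 2>&1 || return 1
    iptables -N probe_ct 2>/dev/null || return 1
    rc=0
    iptables -A probe_ct -m conntrack --ctstate ESTABLISHED -j RETURN 2>/dev/null || rc=1
    iptables -F probe_ct 2>/dev/null || true
    iptables -X probe_ct 2>/dev/null || true
    return $rc
}
rule() { printf '%s\n' "$*"; }   # one iptables-restore line
# $1 = "stateful" (conntrack available) or "stateless" (the article's port-based fallback).
# Served inbound: SSH, HTTP, HTTPS, ping. Reached outbound: DNS, HTTP(S) for apt-get, SMTPS.
gen_rules() {
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT DROP [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    if [ "$1" = stateful ]; then
        # One reply rule per direction; per-port rules only admit NEW connections.
        rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        for p in 22 80 443; do
            rule -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
        done
        rule -A OUTPUT -p udp --dport 53 -j ACCEPT
        for p in 80 443 465; do
            rule -A OUTPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
        done
    else
        # Without conntrack a reply is recognised only by its source port, so any
        # packet claiming that port gets in; "! --syn" at least refuses a new inbound
        # connection (bare SYN) that merely uses --sport 80/443/465.
        rule -A INPUT -p udp --sport 53 -j ACCEPT
        rule -A OUTPUT -p udp --dport 53 -j ACCEPT
        for p in 80 443 465; do
            rule -A INPUT -p tcp --sport "$p" '!' --syn -j ACCEPT
            rule -A OUTPUT -p tcp --dport "$p" -j ACCEPT
        done
        for p in 22 80 443; do
            rule -A INPUT -p tcp --dport "$p" -j ACCEPT
            rule -A OUTPUT -p tcp --sport "$p" -j ACCEPT
        done
    fi
    rule -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    rule -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    rule COMMIT
}
# "sh fw-rules.sh --emit > fw-rules && iptables-restore < fw-rules" applies the result.
case "${1:-}" in
    --emit) if probe_conntrack; then gen_rules stateful; else gen_rules stateless; fi ;;
esac
```

Run it on the new server over a serial console first, as the warning in Step 1 applies: the INPUT policy is DROP and the SSH rule only takes effect once the whole file is committed.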
Conclusion
I had actually spent hours debugging how to get apt-get to work on this particular server of mine without the netfilter module. I had tried adding all the firewall rules suggested on the Internet, even for port 21 (FTP), but none worked for me. They are all just a fraction of the bigger solution required, which I conclude is to add those six firewall rules for ports 53, 80 and 443. Last but not least, rules stored in iptables are not persistent: they will be deleted (flushed) on the next server reboot. Install the iptables-persistent package to save the existing rules to a file and load them on every startup.
I'm trying to run a container but I get the following issue:
Error response from daemon: Cannot start container b005715c40ea7d5821b15c44f5b7f902d4b39da7c83468f3e5d7c042e5fe3fbd: iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.43 --dport 80 -j ACCEPT: iptables: No chain/target/match by that name.
(exit status 1)
Here is the command I use:
docker run -d -p 10080:80 -v /srv/http/website/data:/srv/http/www/data -v /srv/http/website/logs:/srv/http/www/logs myimage
Isn't opening port 80 on my server enough? Is there something I missed with the docker interface?
I use iptables with a script like this:
#!/bin/sh
# reset :
iptables -t filter -F
iptables -t filter -X
# Block all :
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# Authorize already established connections :
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Authorize backloop :
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# Authorize ssh :
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
# Authorize HTTP :
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
# Authorize HTTPS :
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# Authorize DNS :
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
# Ping :
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# Authorize FTP :
iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
# # Authorize NTP :
# iptables -t filter -A INPUT -p udp --dport 123 -j ACCEPT
# iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
# Authorize IRC :
iptables -t filter -A INPUT -p tcp --dport 6667 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 6667 -j ACCEPT
# Authorize port 10000 (for Node.JS server) :
iptables -t filter -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 10000 -j ACCEPT
# Authorize port 631 (Cups server) :
iptables -t filter -A INPUT -p tcp --dport 631 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 631 -j ACCEPT
# Authorize port 9418 (git) :
iptables -t filter -A INPUT -p tcp --dport 9418 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 9418 -j ACCEPT
How could I fix this?
asked Jul 28, 2015 at 4:03
I faced the same problem in a docker-compose setup.
1. Clear all chains:
sudo iptables -t filter -F
sudo iptables -t filter -X
2. Then restart Docker Service:
systemctl restart docker
answered Jun 26, 2018 at 15:08
2
Faced the same issue on RHEL 7. Restarting the docker service worked for me without a need to flush any iptables rules.
$ sudo systemctl restart docker
answered Jun 12, 2019 at 10:22
Junaid
I believe the issue is within these lines:
iptables -t filter -F
iptables -t filter -X
which indeed clear all chains. One possible solution is to launch the docker daemon after the iptables setup script. Otherwise you will need to explicitly remove only the chains you're interested in.
answered Jul 28, 2015 at 4:14
Yoanis Gil
I get same problem, after installing firewalld.
I fix it by:
service firewalld stop
service docker restart
answered May 7, 2020 at 7:45
eagle
The error may happen because it is trying to affect the iptables "DOCKER" filter chain, but it is not there.
The option --iptables=false prevents docker from changing the iptables configuration.
(Source: https://docs.docker.com/v17.09/engine/userguide/networking/default_network/container-communication/#communicating-to-the-outside-world)
If you opt for fixing the iptables docker filter chain, here's how to.
You can actually edit the iptables rules file and add it, so that it looks like the example here: Docker: How to re-create dockers additional iptables rules?
Like this
sudo vi /etc/sysconfig/iptables
Add the ":DOCKER" lines:
*nat
:PREROUTING ACCEPT [144:8072]
:INPUT ACCEPT [87:5208]
:OUTPUT ACCEPT [118:8055]
:POSTROUTING ACCEPT [118:8055]
:DOCKER - [0:0]
... your previous rules here ...
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5781:5099614]
:DOCKER - [0:0]
... your previous rules here ...
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
Restart, e.g.:
service iptables restart
A good "further read" link where it is well explained:
https://medium.com/@ebuschini/iptables-and-docker-95e2496f0b45
answered Sep 26, 2019 at 18:02
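As an added check (not code from this thread or from Docker), the script below verifies that the two DOCKER chains named in the answer above, one in the nat table and one in the filter table, are still present in iptables-save output after a firewall script has flushed and deleted chains. The function names docker_chains_missing and check_live, the --demo flag and the sample dump are my own; the dump is constructed to mimic a script that kept the nat-table chain but ran "iptables -t filter -X".

```shell
#!/bin/sh
# Added check, not from the thread: after a firewall script has run "iptables -F / -X",
# confirm the chains Docker expects still exist. Input is iptables-save text; the
# constructed dump below lets it run without root.
docker_chains_missing() {   # $1 = iptables-save output; prints "table:CHAIN" per missing chain
    dump=$1
    missing=0
    for want in nat:DOCKER filter:DOCKER; do
        table=${want%%:*}
        chain=${want##*:}
        # A chain is declared as ":NAME POLICY [pkts:bytes]" under its "*table" header;
        # the trailing space keeps ":DOCKER " from matching ":DOCKER-USER".
        if ! printf '%s\n' "$dump" | awk -v hdr="*$table" -v decl=":$chain " '
                $0 == hdr { in_table = 1; next }
                /^\*/     { in_table = 0 }
                in_table && index($0, decl) == 1 { found = 1 }
                END       { exit found ? 0 : 1 }'; then
            printf '%s\n' "$want"
            missing=1
        fi
    done
    return $missing
}
# Constructed sample: the nat-table chain survived, but "iptables -t filter -X"
# removed the filter-table DOCKER chain (and the FORWARD jump into it).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'
# Live use (needs root): anything printed means the Docker daemon must recreate its
# chains, which the answers in this thread do with "systemctl restart docker".
check_live() { docker_chains_missing "$(iptables-save 2>/dev/null)"; }
case "${1:-}" in
    --demo) docker_chains_missing "$SAMPLE_DUMP" || echo "run: systemctl restart docker" ;;
esac
```

Running the check from the firewall script itself, right after its flush, turns the "No chain/target/match by that name" failure at container start into an explicit message at the moment the chains are lost.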
In irc.freenode.net#docker you have stated that you are using Arch Linux ARM on a Raspberry Pi.
If you are not running this script as a part of a systemd service, I would strongly suggest moving to that, or making use of the existing iptables services and using their ability to save/restore the tables at the appropriate times. If you choose to move to your own services, make sure that the unit states that it is ordered Before=docker.service
answered Jul 28, 2015 at 12:06
I also faced the same issue. Before running docker start mongodb, I was testing the ssh service.
The commands below solved this issue for me:
iptables -t filter -F
iptables -t filter -X
systemctl restart docker
cursorrux
answered Apr 4, 2022 at 4:13
Yes, I faced the same issue, and as mentioned above, the commands below worked for me:
sudo iptables -t filter -F
sudo iptables -t filter -X
systemctl restart docker
buddemat
answered Aug 23, 2021 at 10:10
I can confirm that this problem is caused by iptables or firewalld because before my containers stopped I edited my firewall’s rules.
iptables -t filter -X
iptables -t filter -F
answered Sep 10, 2021 at 3:00
You need to figure out which part of the rule is causing that error message. It's probably the -m state part, but not necessarily. The various extensions to iptables and netfilter have to be compiled into the iptables userspace binary and into netfilter in the Linux kernel. You can determine which part you are missing by asking iptables for the help information on the extension you are testing. Here are some ways to test for the various extensions:
$ iptables -m state -h
$ iptables -p icmp -h
$ iptables -j DROP -h
If you get help output that includes information about the extension at the very bottom of the output, then it is compiled into the userspace binary. If not, then you need to recompile iptables. If that works, try the simplest possible rule to see if the extension is included in the kernel space:
$ iptables -A INPUT -m state --state NEW
$ iptables -A INPUT -p icmp
$ iptables -A INPUT -j DROP
(Careful with those rules, the last one you'll want to remove because it will probably DROP more than you want to!) When you get the error message again, No chain/target/match by that name, you'll know that particular extension is not compiled into your kernel. You'll need to recompile your kernel.
Look through the make files in linux/net/ipv6/netfilter, linux/net/ipv4/netfilter, and linux/net/netfilter for options on enabling various extensions for the kernel. For the userspace, I think the make files in question are in iptables/extensions, but I think the folder structure has changed a little in more recent versions.
I am trying to configure iptables on my Ubuntu 12.04 LTS server to forward port 443 to 8443.
But when I run this command:
sudo iptables -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
I get the following error:
iptables: No chain/target/match by that name.
My iptables current configuration:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:https
DROP tcp -- anywhere anywhere tcp dpt:http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
What am I missing or doing wrong?
heemayl
asked Jun 30, 2016 at 18:39
Because the PREROUTING chain belongs to the NAT table, not the FILTER table. If you do not mention any table explicitly with the -t option, then FILTER is assumed.
So, you need to mention the table type with -t nat:
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
Note that the MANGLE and RAW tables also have a PREROUTING chain, but as you are only redirecting ports, you are presumably looking for the NAT table.
answered Jun 30, 2016 at 18:46
heemayl
The PREROUTING chain is only available in the nat, mangle and raw tables.
iptables assumes the filter table, so you must specify one of these, e.g. iptables -t nat ...
answered Jun 30, 2016 at 18:47
Ven3k
I get a similar error when I run a docker command:
docker run -d -p 8084:8080 knockdata/zeppelin-highcharts
d9c5d34f500d621585470b0e70b915395fcb6b3437859e0f610dbb58d51faf25
docker: Error response from daemon: driver failed programming external connectivity on endpoint elegant_jang
(7ca0f5ad689f5443ce7533f66b4a86c34d2dbd9d076bac4812288dd3f6a76698):
iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8084 -j DNAT --to-destination 172.17.0.2:8080
! -i docker0: iptables: No chain/target/match by that name.
(exit status 1).
I was able to fix it by reinstalling docker-engine:
apt-get remove docker-engine
apt-get install docker-engine
answered Sep 29, 2016 at 7:22
You can install CSF (ConfigServer Security & Firewall) and use the following settings.
nano /etc/csf/csf.conf
SYNFLOOD = "" => SYNFLOOD = "1"
CONNLIMIT = "" => CONNLIMIT = "80;75,443;75,21;50"
PORTFLOOD = "" => PORTFLOOD = "80;tcp;5;250"
SYSLOG = "0" => SYSLOG = "1"
DOCKER = "0" => DOCKER = "1"
nano /etc/csf/csfpost.sh
#!/bin/sh
echo "[DOCKER] Setting up FW rules."
iptables -N DOCKER
iptables -t nat -N DOCKER
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# Masquerade outbound connections from containers
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# Accept established connections to the docker containers
iptables -t filter -N DOCKER
iptables -t filter -A FORWARD -o docker0 -j DOCKER
iptables -t filter -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow docker containers to communicate with themselves & outside world
iptables -t filter -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
iptables -t filter -A FORWARD -i docker0 -o docker0 -j ACCEPT
echo "[DOCKER] Done."
Note: This config also gives you basic protection against DDoS attacks.
answered Dec 7, 2018 at 3:40
Good day, everyone.
I have a machine with two network interfaces running a Debian testing netinstall.
Interface enp2s2 faces the internet and has a static IP assigned by the provider.
Interface enp2s1 faces a LAN of 20 machines and has the static IP 192.168.1.9.
The task seems trivial: share the internet connection.
What I did:
iptables -F
iptables -t nat -F
iptables -t mangle -F
all without errors.
Then:
iptables -A FORWARD -i enp2s1 -o enp2s2 -s 192.168.1.0/30 -j ACCEPT
$ iptables -A FORWARD -i enp2s2 -o enp2s1 -d 192.168.1.0/30 -j ACCEPT
$ iptables -P FORWARD DROP
Forwarding was also set up without errors.
But then:
iptables -A POSTROUTING -s 192.168.1.0/30 -o enp2s2 -j SNAT --to-source <provider ip>
and I get No chain/target/match by that name.
I googled the problem: "you are trying to use functionality that is absent from the system kernel". OK, suppose the kernel of the Debian testing build has no NAT... Doubtful, but let's suppose.
So should I now reinstall Debian from the stable branch? Or did I mess up the rule somewhere?
Thanks in advance for any hints.