OpenVZ Forum


Home » General » Support » *SOLVED* iptables: No chain/target/match by that name
icon8.gif  *SOLVED* iptables: No chain/target/match by that name [message #8384] Sat, 18 November 2006 12:45 Go to next message
fransonline is currently offline  fransonline
Messages: 22
Registered: May 2006
Junior Member
From: *roose1.nb.home.nl
I want to install a firewall in the VPS such as APF, but get "No chain/target/match by that name" errors

When I do a simple test in the VPS:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
then this error occurs:
iptables: No chain/target/match by that name

I've seen more topics in this forum, I tried all the tips but without any luck.
I'm get rather desperate because I can't discover what is wrong.

Here the information on the HN.
It's a Linux Fedora FC 5 distro with a 2.6.16-026test015.2 kernel.

0. Status iptables
==================
[root@localhost ~]# service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

1. lsmod before the VPS starts
==============================
[root@localhost ~]# lsmod | grep ipt
iptable_nat 7940 0
ip_nat 13780 3 vzrst,ip_nat_ftp,iptable_nat
iptable_mangle 3680 0
iptable_filter 3200 0
ip_conntrack 47688 6 vzrst,vzcpt,ip_nat_ftp,iptable_nat,ip_nat,xt_state
ip_tables 12184 3 iptable_nat,iptable_mangle,iptable_filter
ipt_LOG 6176 0
ipt_TOS 2016 0
ipt_ttl 1568 0
ipt_TCPMSS 3648 0
ipt_multiport 2336 0
ipt_tos 1344 0
ipt_REJECT 4288 0
x_tables 13056 13 iptable_nat,xt_state,ip_tables,ipt_LOG,ipt_TOS,xt_length,ipt _ttl,xt_tcpmss,ipt_TCPMSS,ipt_multiport,xt_limit,ipt_tos,ipt _REJECT

2. cat /etc/sysconfig/vz
========================
[root@localhost ~]# cat /etc/sysconfig/vz
## Global parameters
VIRTUOZZO=yes
LOCKDIR=/vz/lock
DUMPDIR=/vz/dump
VE0CPUUNITS=1000

## Logging parameters
LOGGING=yes
LOGFILE=/var/log/vzctl.log
LOG_LEVEL=0

## Disk quota parameters
DISK_QUOTA=yes
VZFASTBOOT=no

# The name of the device whose ip address will be used as source ip for VE.
# By default automatically assigned.
#VE_ROUTE_SRC_DEV="eth0"

## Template parameters
TEMPLATE=/vz/template

## Defaults for VEs
VE_ROOT=/vz/root/$VEID
VE_PRIVATE=/vz/private/$VEID
CONFIGFILE="vps.basic"
DEF_OSTEMPLATE="fedora-core-4"

## Load vzwdog module
VZWDOG="no"

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport
iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

3. cat /etc/sysconfig/vz-scripts/101.conf
=========================================
[root@localhost ~]# cat /etc/sysconfig/vz-scripts/101.conf
# Copyright (C) 2000-2006 SWsoft. All rights reserved.

ONBOOT="yes"

# UBC parameters (in form of barrier:limit)
# Primary parameters
AVNUMPROC="40:40"
NUMPROC="65:65"
NUMTCPSOCK="80:80"
NUMOTHERSOCK="80:80"
VMGUARPAGES="6144:2147483647"
# Secondary parameters
KMEMSIZE="2752512:2936012"
TCPSNDBUF="319488:524288"
TCPRCVBUF="319488:524288"
OTHERSOCKBUF="132096:336896"
DGRAMRCVBUF="132096:132096"
OOMGUARPAGES="6144:2147483647"
# Auxiliary parameters
LOCKEDPAGES="32:32"
SHMPAGES="8192:8192"
PRIVVMPAGES="49152:53575"
NUMFILE="2048:2048"
NUMFLOCK="100:110"
NUMPTY="16:16"
NUMSIGINFO="256:256"
DCACHESIZE="1048576:1097728"

PHYSPAGES="0:2147483647"
NUMIPTENT="4096:4096"

# Disk quota parameters (in form of softlimit:hardlimit)
DISKSPACE="1048576:1153434"
DISKINODES="200000:220000"
QUOTATIME="0"

# CPU fair sheduler parameter
CPUUNITS="1000"
VE_ROOT="/vz/root/$VEID"
VE_PRIVATE="/vz/private/$VEID"
OSTEMPLATE="centos-4-i386-default"
ORIGIN_SAMPLE="vps.basic"
NAMESERVER="192.168.1.1"
IP_ADDRESS="192.168.1.80"

4. modprobe
===========
I did a modprobe for all modules, without any error.

I look forward to some hints to solve my problem.

Thanks in advance.

Frans

[Updated on: Mon, 20 November 2006 11:51] by Moderator

Report message to a moderator

Re: iptables: No chain/target/match by that name [message #8385 is a reply to message #8384] Sat, 18 November 2006 12:56 Go to previous messageGo to next message
Vasily Tarasov is currently offline  Vasily Tarasov
Messages: 1345
Registered: January 2006
Senior Member
From: *sw.ru
Hello,

can you, please, try recent kernel (2.6.16-026test020.1) on your node, to be sure that we're not dealing with some old issue?
Also, can you provide remote access to your node? If no - it is ok.

Thanks.
Re: iptables: No chain/target/match by that name [message #8387 is a reply to message #8384] Sat, 18 November 2006 13:36 Go to previous messageGo to next message
fransonline is currently offline  fransonline
Messages: 22
Registered: May 2006
Junior Member
From: *roose1.nb.home.nl
Hello Vasily,

Thanks for your fast reply.

1.
Sorry but I don't see kernel 2.6.16-026test020.1 ???
http://openvz.org/download/kernel/fc5/ says:
OpenVZ Fedora Core 5 kernel (latest is 2.6.16-1.2133_FC5.026test015)

2. Of course I would like you to log in, but this is not possible at this box, because it's a test enverimoent at home.
This, because I have exact the same problem with my public server with kernel 2.6.16-1.2133_FC5.026test015smp.

So if you want to log in in this box I would like to provide you with a root login (if so, where do I have to send the details?)

I appreciate your help very much because i am struggling with the problem for some weeks now. Embarassed

Frans

Re: iptables: No chain/target/match by that name [message #8388 is a reply to message #8387] Sat, 18 November 2006 13:52 Go to previous messageGo to next message
Vasily Tarasov is currently offline  Vasily Tarasov
Messages: 1345
Registered: January 2006
Senior Member
From: *sw.ru
Ohhh, sorry I didn't understand you right at the first time.
So you're using 2.6.16-1.2133_FC5.026test015 kernel, OpenVZ kernel based on FC5... This kernel is prity old and probably obsolete. Please, try to use not FC5 based kernel, for example this: http://openvz.org/download/kernel/devel/archives/2.6.16-026t est020.1

Meanwhile I will check FC5 OVZ kernel.

Thanks!
Re: iptables: No chain/target/match by that name [message #8390 is a reply to message #8388] Sat, 18 November 2006 14:19 Go to previous messageGo to next message
fransonline is currently offline  fransonline
Messages: 22
Registered: May 2006
Junior Member
From: *roose1.nb.home.nl
Hi,

I remove the old FC kernel and replaced it with 2.6.16-026t est020.1, rebooted the system.
But with the same iptables problem.
Sad

Frans
Re: iptables: No chain/target/match by that name [message #8403 is a reply to message #8390] Sun, 19 November 2006 10:51 Go to previous messageGo to next message
Vasily Tarasov is currently offline  Vasily Tarasov
Messages: 1345
Registered: January 2006
Senior Member
From: *7ka.mipt.ru
Sorry, for late answer. I'll be able to help you tomorrow, so, please, send me login to the node in question via PM (Private Message).

Thanks,
Vasily.
Re: iptables: No chain/target/match by that name [message #8421 is a reply to message #8390] Mon, 20 November 2006 07:57 Go to previous messageGo to next message
dim is currently offline  dim
Messages: 344
Registered: August 2005
Senior Member
From: *sw.ru
The problem is because of the xt_tcpudp module. You need to load it manually before VE start.

http://static.openvz.org/openvz_userbar_en.gif
Re: iptables: No chain/target/match by that name [message #8424 is a reply to message #8421] Mon, 20 November 2006 08:08 Go to previous messageGo to next message
fransonline is currently offline  fransonline
Messages: 22
Registered: May 2006
Junior Member
From: *roose1.nb.home.nl
Thnx, do i load it by
modprobe xt_tcpudp
on the HN?
Re: iptables: No chain/target/match by that name [message #8429 is a reply to message #8424] Mon, 20 November 2006 08:20 Go to previous messageGo to next message
dim is currently offline  dim
Messages: 344
Registered: August 2005
Senior Member
From: *sw.ru
yes

http://static.openvz.org/openvz_userbar_en.gif
Re: iptables: No chain/target/match by that name [message #8450 is a reply to message #8384] Mon, 20 November 2006 11:40 Go to previous messageGo to next message
fransonline is currently offline  fransonline
Messages: 22
Registered: May 2006
Junior Member
From: *roose1.nb.home.nl
With the commands:
modprobe xt_tcpudp
modprobe ip_conntrack ip_conntrack_enable_ve0=1
on the HN I think I solved the problem.

Combined with the simple but effective preconfigured firewalls from http://vpsinfo.nixhost.net/firewall.htm
the chain errors disappeared and the firewall works.

The APF firewall still causes errors, may be I still will find a solution

Vasily and Dim thanks for your time and help!


!!!UNSOLVED!!! hashlimit problems! [message #33207 is a reply to message #8384] Sun, 28 September 2008 19:01 Go to previous message
sucker21 is currently offline  sucker21
Messages: 1
Registered: September 2008
Location: Germany
Junior Member
From: *pool.einsundeins.de
Excuse me... I know this Thread is too old...

But I had the same probleme and i solved it with information of this thread Wink
I have now the same probleme with the command:

Quote:

:/etc/apache2/mods-available# iptables -I INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 100/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT
iptables: No chain/target/match by that name



How to activate hashlimit on VPS?

I'm sorry for my ugly english Sad


Greetz sucker

[Updated on: Sun, 28 September 2008 19:02]

Report message to a moderator

Previous Topic: Problems with swap
Next Topic: bnx2 module missing
Goto Forum:
  


Current Time: Thu Apr 25 18:39:41 GMT 2019