Old 12-31-2016, 02:48 AM   #1
mgb65
LQ Newbie
 
Registered: Dec 2016
Posts: 2

Rep: Reputation: Disabled
iptables: No chain/target/match by that name


Hi all.

When I try to create a rule using the nat table and the PREROUTING chain, a message like this always appears:

iptables: No chain/target/match by that name

I clear all the iptables rules before implementing this rule, so I execute all these iptables commands:
Code:
pi@raspberrypi:~$ sudo iptables -F
pi@raspberrypi:~$ sudo iptables -t nat -F
pi@raspberrypi:~$ sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
iptables: No chain/target/match by that name.
I have seen many posts about this, but most of them are solved by adding the "-t nat" table in the command, or checking the CONNTRACK parameters in the kernel.

My CONNTRACK parameters in the active kernel have this configuration:
Code:
pi@raspberrypi:~$ cat /boot/config-4.4.0-1-rpi2 | grep CONNTRACK
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_SNMP=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_NF_CONNTRACK_IPV6=m
And the loaded kernel modules are:
Code:
pi@raspberrypi:~$ lsmod
Module Size Used by
iptable_filter 1829 1
xt_conntrack 3528 0
ipt_MASQUERADE 1324 0
nf_nat_masquerade_ipv4 2954 1 ipt_MASQUERADE
iptable_nat 2224 0
nf_conntrack_ipv4 14594 1
nf_defrag_ipv4 1817 1 nf_conntrack_ipv4
nf_nat_ipv4 6306 1 iptable_nat
nf_nat 17370 2 nf_nat_ipv4,nf_nat_masquerade_ipv4
nf_conntrack 97520 5 nf_nat,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4
r8188eu 454315 0
cfg80211 499234 1 r8188eu
rfkill 21397 1 cfg80211
joydev 9194 0
evdev 11650 2
snd_bcm2835 23163 0
snd_pcm 95441 1 snd_bcm2835
snd_timer 22396 1 snd_pcm
snd 68368 3 snd_bcm2835,snd_timer,snd_pcm
bcm2835_gpiomem 3823 0
bcm2835_wdt 4133 0
uio_pdrv_genirq 3718 0
uio 10230 1 uio_pdrv_genirq
ip_tables 12473 2 iptable_filter,iptable_nat
x_tables 18811 4 ip_tables,ipt_MASQUERADE,xt_conntrack,iptable_filter
ipv6 367607 28
If I configure the system with simple MASQUERADING rules like these:
Code:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

pi@raspberrypi:~$ sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE

pi@raspberrypi:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain PREROUTING (0 references)
target prot opt source destination

It works perfectly. The problem appears when I try to use the PREROUTING chain. If I try to use another PREROUTING sentence like this one, it always fails:
Code:
pi@raspberrypi:~$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 192.168.11.205:22
iptables: No chain/target/match by that name.
Please, any help would be greatly appreciated.

Thanks.
 
Old 12-31-2016, 04:18 PM   #2
dlb101010
Member
 
Registered: Dec 2016
Posts: 61

Rep: Reputation: 18
Nobody's helped out yet, so I'll take a lame shot at it. In this 14-year-old example, https://www.netfilter.org/documentat...T-HOWTO-6.html, they change the order of setting the in-interface eth0 when including a destination port. Don't know if that would make a difference, but something to try if you haven't already...

Code:
## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10

## Change destination addresses of web traffic to 5.6.7.8, port 8080.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \
        -j DNAT --to 5.6.7.8:8080
HTH,
Dave
 
Old 01-01-2017, 12:31 AM   #3
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Please run this command:
Code:
iptables-save > ~/iptables-rules
Then paste the contents of that file using the [ CODE ] tags.
 
Old 01-03-2017, 02:27 AM   #4
mgb65
LQ Newbie
 
Registered: Dec 2016
Posts: 2

Original Poster
Rep: Reputation: Disabled
Solved.

Hi all.

Thanks for your help. The problem is solved. I really don't know how I solved it, but after a reboot of the system, it works without problems.

For your info, my iptables-save output is very simple:

Code:
pi@raspberrypi:~$ sudo iptables-save 
# Generated by iptables-save v1.4.21 on Tue Jan  3 06:46:31 2017
*filter
:INPUT ACCEPT [15494:6194429]
:FORWARD ACCEPT [257:15362]
:OUTPUT ACCEPT [14294:5973420]
COMMIT
# Completed on Tue Jan  3 06:46:31 2017
# Generated by iptables-save v1.4.21 on Tue Jan  3 06:46:31 2017
*nat
:PREROUTING ACCEPT [565:74308]
:INPUT ACCEPT [1196:119563]
:OUTPUT ACCEPT [102:6565]
:POSTROUTING ACCEPT [344:21131]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
Now it's working.

Thanks again.
 
Old 01-03-2017, 11:44 AM   #5
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Great! Glad you solved this problem.

Please edit the subject and add [SOLVED] to it.
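
The `lsmod` listing in post #1 contains `ipt_MASQUERADE` but none of `xt_REDIRECT`, `xt_nat` or `xt_tcpudp`, and the kernel reports a target or match extension it cannot find with this same "No chain/target/match by that name" message. The shell example below is added here and is not from any poster; the rule-to-module map is an assumption for the 4.4 kernel shown in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list the xt_* modules a rule needs
# and report which ones an lsmod listing does not show as loaded.

# Excerpt of the lsmod output in post #1 (netfilter-related lines only).
SAMPLE_LSMOD='Module Size Used by
iptable_filter 1829 1
xt_conntrack 3528 0
ipt_MASQUERADE 1324 0
nf_nat_masquerade_ipv4 2954 1 ipt_MASQUERADE
iptable_nat 2224 0
nf_nat_ipv4 6306 1 iptable_nat
nf_nat 17370 2 nf_nat_ipv4,nf_nat_masquerade_ipv4
ip_tables 12473 2 iptable_filter,iptable_nat
x_tables 18811 4 ip_tables,ipt_MASQUERADE,xt_conntrack,iptable_filter'

# required_modules RULE: print one module name per line.
# Assumed mapping for a 4.4-era kernel; newer kernels may name modules differently.
required_modules() {
    prev=
    set -f; set -- $1; set +f      # split the rule on whitespace, no globbing
    for tok in "$@"; do
        case "$prev:$tok" in
            -j:REDIRECT)     echo xt_REDIRECT ;;
            -j:DNAT|-j:SNAT) echo xt_nat ;;
            -j:MASQUERADE)   echo ipt_MASQUERADE ;;
            -p:tcp|-p:udp)   echo xt_tcpudp ;;
            -m:conntrack)    echo xt_conntrack ;;
        esac
        prev=$tok
    done | LC_ALL=C sort -u
}

# missing_modules RULE LSMOD_TEXT: print required modules absent from column 1.
# A module built into the kernel (=y) never appears in lsmod, so treat the
# result as "not loaded as a module", not as proof the feature is unavailable.
missing_modules() {
    for mod in $(required_modules "$1"); do
        printf '%s\n' "$2" | awk '{print $1}' | grep -qxF "$mod" || echo "$mod"
    done
}

# The three rules from post #1, checked against the excerpt above.
for rule in \
    '-t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22' \
    '-t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 192.168.11.205:22' \
    '-t nat -A POSTROUTING -o eth0 -j MASQUERADE'
do
    printf '%s\n  not loaded: %s\n' "$rule" "$(missing_modules "$rule" "$SAMPLE_LSMOD" | tr '\n' ' ')"
done
```

On a live system, pass `"$(lsmod)"` as the second argument, then run `modinfo` on each name reported: if `modinfo` fails, the module is not present under `/lib/modules/$(uname -r)` for the running kernel.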
 
  

