LinuxQuestions.org
Old 12-21-2013, 11:57 PM   #1
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Rep: Reputation: Disabled
why the heck is this iptables mac-source rule failing on 1 machine only?


This issue appears very commonly in Google searches, but every solution I've tried hasn't worked.

Here's the full iptables.rules:

Code:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A PREROUTING -i external -p tcp -m tcp --dport 12321 -j DNAT --to-destination 192.168.172.14
-A POSTROUTING -s 192.168.172.0/24 -o external -j MASQUERADE
-A POSTROUTING -s 10.20.30.0/24 -o external -j MASQUERADE

COMMIT


*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m mac --mac-source 00:21:E9:DE:0C:74 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i internal -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p UDP --dport 1194 -j ACCEPT

-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i internal -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT

-A FORWARD -d 192.168.172.14 -p tcp --dport 12321 -j ACCEPT
-A FORWARD -d 192.168.172.14 -p udp --dport 12321 -j ACCEPT

COMMIT
Unhelpfully, "systemctl restart iptables" results in a failure on the last line of the file, COMMIT.

Entering each command manually, in the same order as iptables.rules, has the failure happen here in the filter table:

Code:
iptables -t filter -A INPUT -m mac --mac-source 00:21:E9:DE:0C:74 -j DROP
with the following error:

Code:
iptables: no chain/target/match by that name
Wtf?? So which is it, a chain, a target, or a match? And by which name? By the way, I'm using the exact same syntax of that command on numerous other Linux routers I have, none of them giving this error.
 
Old 12-22-2013, 12:32 AM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Rep: Reputation: Disabled
Could be your system lacks support for the "mac" match. Try this command (with sudo if you're not root):
Code:
iptables -t filter -A INPUT -m mac -j ACCEPT
Expected result if the kernel supports the "mac" match: The error message mac: option "--mac-source" must be specified.

Expected result if the kernel lacks "mac" support: The same "no chain/target/match" error you've been getting.
 
Old 12-22-2013, 12:34 AM   #3
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
Rep: Reputation: Disabled
I get the first result: "--mac-source must be specified".
 
Old 12-22-2013, 01:12 AM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Rep: Reputation: Disabled
Could you post the output of:
Code:
iptables --version
uname -rm
 
Old 12-22-2013, 01:13 PM   #5
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
Rep: Reputation: Disabled
Code:
iptables v1.4.20
Code:
3.10.10-1-ARCH x86_64
 
Old 12-22-2013, 01:21 PM   #6
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Rep: Reputation: Disabled
The tools are certainly recent enough, and the kernel is from late August this year.

Support for the MAC match may still be missing in the kernel. This should tell you:
Code:
zcat /proc/config.gz | grep MATCH_MAC
It should return "CONFIG_NETFILTER_XT_MATCH_MAC=m" or "CONFIG_NETFILTER_XT_MATCH_MAC=y".
 
Old 12-22-2013, 01:27 PM   #7
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
Rep: Reputation: Disabled
Code:
CONFIG_NETFILTER_XT_MATCH_MAC=m
So it's apparently loaded by a module... lsmod definitely shows x_tables loaded:

Code:
Module                  Size  Used by
tun                    19528  2
xt_conntrack            3265  2
iptable_filter          1488  1
ipt_MASQUERADE          2154  2
xt_nat                  1969  1
xt_tcpudp               3143  4
iptable_nat             3358  1
nf_conntrack_ipv4       9262  3
nf_defrag_ipv4          1371  1 nf_conntrack_ipv4
nf_nat_ipv4             3568  1 iptable_nat
nf_nat                 14964  4 ipt_MASQUERADE,nf_nat_ipv4,xt_nat,iptable_nat
nf_conntrack           71841  6 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,xt_conntrack,iptable_nat,nf_conntrack_ipv4
ip_tables              17282  2 iptable_filter,iptable_nat
x_tables               17351  6 ip_tables,xt_tcpudp,ipt_MASQUERADE,xt_conntrack,xt_nat,iptable_filter
nv_tco                  4936  0
nouveau               962981  1
mxm_wmi                 1467  1 nouveau
wmi                     8283  2 mxm_wmi,nouveau
video                  11328  1 nouveau
ttm                    65388  1 nouveau
drm_kms_helper         35438  1 nouveau
drm                   231168  3 ttm,drm_kms_helper,nouveau
i2c_algo_bit            5391  1 nouveau
i2c_nforce2             5711  0
i2c_core               23720  5 drm,drm_kms_helper,i2c_algo_bit,nouveau,i2c_nforce2
8139too                25335  0
powernow_k8            17310  1
kvm_amd                52151  0
forcedeth              57617  0
kvm                   376394  1 kvm_amd
edac_core              44137  0
psmouse                85132  0
8139cp                 22133  0
evdev                   9880  2
edac_mce_amd           13054  0
pcspkr                  2027  0
serio_raw               5041  0
k8temp                  3506  0
mii                     4027  2 8139cp,8139too
fan                     2753  0
processor              27755  1 powernow_k8
thermal                 8620  0
button                  4669  1 nouveau
ext4                  456475  2
crc16                   1359  1 ext4
mbcache                 5866  1 ext4
jbd2                   81946  1 ext4
sd_mod                 30730  4
ata_generic             3370  0
pata_acpi               3387  0
firewire_ohci          31869  0
firewire_core          51955  1 firewire_ohci
crc_itu_t               1363  1 firewire_core
sata_nv                21039  3
ehci_pci                4120  0
ohci_hcd               26544  0
ehci_hcd               47704  1 ehci_pci
libata                171016  3 pata_acpi,sata_nv,ata_generic
usbcore               177183  3 ohci_hcd,ehci_hcd,ehci_pci
scsi_mod              127772  2 libata,sd_mod
usb_common              1648  1 usbcore
 
Old 12-22-2013, 01:48 PM   #8
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Rep: Reputation: Disabled
That's odd; there should be a module called xt_mac listed as depending on x_tables. On my system, it gets loaded automatically when I create an iptables rule with a "mac" match criteria.

Can you load it manually with modprobe xt_mac?
 
Old 12-22-2013, 02:01 PM   #9
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
Rep: Reputation: Disabled
Tried loading the module but it won't load... no error of any kind, modprobe xt_mac gives no output but lsmod doesn't show it afterwards... very strange.
 
Old 12-22-2013, 02:10 PM   #10
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Rep: Reputation: Disabled
If it's not in the lsmod list, then it wasn't successfully loaded. Anything in the logs? (dmesg, /var/log/messages, /var/log/syslog?)

Can you reinstall the kernel modules, either from source or by using a package manager?
 
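The checks Ser Olmy walks through in posts #2, #6, #8 and #10 (probe the match with a deliberately incomplete rule, look for CONFIG_NETFILTER_XT_MATCH_MAC in /proc/config.gz, modprobe xt_mac and confirm with lsmod), together with a way around iptables-restore reporting the failure at the COMMIT line, collected into one POSIX shell script. This is an added example, not code from the thread or from the iptables project; the function names and the --live flag are my own, and the probe assumes iptables 1.4.11 or newer for -C (which only checks a rule and never appends it). The parsing functions take their input as arguments so they can be exercised on captured text; live_check runs the real commands and must be run as root on the router.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread). They reproduce the checks
# discussed above for any xt_* match, defaulting to "mac".

# Classify the stderr of an "iptables -m <match>" probe. iptables only
# complains about a missing option after it has found the match extension,
# so "must be specified" means the match is usable, while "no chain/target/
# match by that name" means the kernel (or the xt_* module) does not provide it.
classify_probe_error() {
    case "$1" in
        *"must be specified"*)        echo supported ;;
        *"o chain/target/match"*)     echo missing ;;   # "No ..." or "no ..."
        *)                            echo unknown ;;
    esac
}

# $1 = kernel config text (zcat /proc/config.gz), $2 = match name in upper
# case (e.g. MAC). Prints builtin, module or absent.
config_match_state() {
    case "$(printf '%s\n' "$1" | grep "^CONFIG_NETFILTER_XT_MATCH_$2=" | head -n 1)" in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo absent ;;
    esac
}

# $1 = lsmod output, $2 = module name. Returns 0 if the module is loaded.
lsmod_has_module() {
    printf '%s\n' "$1" | awk -v m="$2" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# Expand an iptables-save style file ($1 = its text) into one
# "<table> <rule>" line per rule. iptables-restore sends a whole table to the
# kernel in one commit, which is why a bad rule is reported at the COMMIT
# line; applying each rule on its own with "iptables -t <table> <rule>"
# reveals the offending one.
rules_by_table() {
    printf '%s\n' "$1" | awk '
        /^\*/           { table = substr($1, 2); next }   # *nat, *filter
        /^(:|#|COMMIT)/ { next }                          # policy, comment, commit
        NF == 0         { next }
        { print table " " $0 }'
}

# Live check, run as root on the router: sh netfilter_match_check.sh --live mac
live_check() {
    match="$1"
    upper=$(printf '%s' "$match" | tr '[:lower:]' '[:upper:]')
    # -C checks without appending; stderr is captured, stdout discarded.
    probe=$(iptables -t filter -C INPUT -m "$match" -j ACCEPT 2>&1 >/dev/null)
    echo "probe:   $(classify_probe_error "$probe")"
    if [ -r /proc/config.gz ]; then
        echo "config:  $(config_match_state "$(zcat /proc/config.gz)" "$upper")"
    fi
    modprobe "xt_$match" 2>&1
    if lsmod_has_module "$(lsmod)" "xt_$match"; then
        echo "module:  xt_$match loaded"
    else
        echo "module:  xt_$match NOT loaded; check dmesg and /lib/modules/$(uname -r)"
    fi
}

if [ "$1" = "--live" ]; then
    live_check "${2:-mac}"
fi
```

A silent modprobe followed by an lsmod that does not list the module, as in post #9, usually means the .ko file under /lib/modules/$(uname -r) does not match the running kernel (a kernel package upgraded without a reboot is the classic Arch cause), so the config line alone is not conclusive; the script prints all three signals side by side. Keep in mind that the mac match only sees the source MAC of the frame as it arrives on the router's own interface, so it is meaningful only for hosts on a directly attached segment and is easily spoofed; treat it as a convenience filter, not as authentication.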
Old 12-22-2013, 02:23 PM   #11
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
Rep: Reputation: Disabled
No, no logs at all.

This is a remote VPN server/router at my buddy's house; I'm prolly gonna wait till I can have physical access before trying to reload any kernel stuff.
 