Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
#1, 12-21-2013, 11:57 PM
Member | Registered: Aug 2011 | Location: USA | Distribution: ArchLinux - 3.0 kernel | Posts: 349
why the heck is this iptables mac-source rule failing on 1 machine only?
This issue appears very commonly on Google searches, but every solution I've tried hasn't worked.
Here's the full iptables.rules:
Code:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i external -p tcp -m tcp --dport 12321 -j DNAT --to-destination 192.168.172.14
-A POSTROUTING -s 192.168.172.0/24 -o external -j MASQUERADE
-A POSTROUTING -s 10.20.30.0/24 -o external -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m mac --mac-source 00:21:E9:DE:0C:74 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i internal -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p UDP --dport 1194 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i internal -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -d 192.168.172.14 -p tcp --dport 12321 -j ACCEPT
-A FORWARD -d 192.168.172.14 -p udp --dport 12321 -j ACCEPT
COMMIT
Unhelpfully, "systemctl restart iptables" results in a failure on the last line of the file, COMMIT.
Entering each command manually, in the same order as iptables.rules, has the failure happen here in the filter table:
Code:
iptables -t filter -A INPUT -m mac --mac-source 00:21:E9:DE:0C:74 -j DROP
with the following error:
Code:
iptables: no chain/target/match by that name
Wtf?? So which is it, a chain, a target, or a match? And by which name? By the way, I'm using the exact same syntax of that command on numerous other Linux routers I have, none of them giving this error.
#2, 12-22-2013, 12:32 AM
Senior Member | Registered: Jan 2012 | Distribution: Slackware | Posts: 3,348
Could be your system lacks support for the "mac" match. Try this command (with sudo if you're not root):
Code:
iptables -t filter -A INPUT -m mac -j ACCEPT
Expected result if the kernel supports the "mac" match: The error message mac: option "--mac-source" must be specified.
Expected result if the kernel lacks "mac" support: The same "no chain/target/match" error you've been getting.
#3, 12-22-2013, 12:34 AM
Member (Original Poster) | Registered: Aug 2011 | Location: USA | Distribution: ArchLinux - 3.0 kernel | Posts: 349
I get the first result, "--mac-source must be specified".
#4, 12-22-2013, 01:12 AM
Senior Member | Registered: Jan 2012 | Distribution: Slackware | Posts: 3,348
Could you post the output of:
Code:
iptables --version
uname -rm
#5, 12-22-2013, 01:13 PM
Member (Original Poster) | Registered: Aug 2011 | Location: USA | Distribution: ArchLinux - 3.0 kernel | Posts: 349
Code:
3.10.10-1-ARCH x86_64
#6, 12-22-2013, 01:21 PM
Senior Member | Registered: Jan 2012 | Distribution: Slackware | Posts: 3,348
The tools are certainly recent enough, and the kernel is from late August this year.
Support for the MAC match may still be missing in the kernel. This should tell you:
Code:
zcat /proc/config.gz | grep MATCH_MAC
It should return "CONFIG_NETFILTER_XT_MATCH_MAC=m" or "CONFIG_NETFILTER_XT_MATCH_MAC=y".
#7, 12-22-2013, 01:27 PM
Member (Original Poster) | Registered: Aug 2011 | Location: USA | Distribution: ArchLinux - 3.0 kernel | Posts: 349
Code:
CONFIG_NETFILTER_XT_MATCH_MAC=m
So it's apparently loaded by a module... lsmod definitely shows x_tables loaded:
Code:
Module Size Used by
tun 19528 2
xt_conntrack 3265 2
iptable_filter 1488 1
ipt_MASQUERADE 2154 2
xt_nat 1969 1
xt_tcpudp 3143 4
iptable_nat 3358 1
nf_conntrack_ipv4 9262 3
nf_defrag_ipv4 1371 1 nf_conntrack_ipv4
nf_nat_ipv4 3568 1 iptable_nat
nf_nat 14964 4 ipt_MASQUERADE,nf_nat_ipv4,xt_nat,iptable_nat
nf_conntrack 71841 6 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,xt_conntrack,iptable_nat,nf_conntrack_ipv4
ip_tables 17282 2 iptable_filter,iptable_nat
x_tables 17351 6 ip_tables,xt_tcpudp,ipt_MASQUERADE,xt_conntrack,xt_nat,iptable_filter
nv_tco 4936 0
nouveau 962981 1
mxm_wmi 1467 1 nouveau
wmi 8283 2 mxm_wmi,nouveau
video 11328 1 nouveau
ttm 65388 1 nouveau
drm_kms_helper 35438 1 nouveau
drm 231168 3 ttm,drm_kms_helper,nouveau
i2c_algo_bit 5391 1 nouveau
i2c_nforce2 5711 0
i2c_core 23720 5 drm,drm_kms_helper,i2c_algo_bit,nouveau,i2c_nforce2
8139too 25335 0
powernow_k8 17310 1
kvm_amd 52151 0
forcedeth 57617 0
kvm 376394 1 kvm_amd
edac_core 44137 0
psmouse 85132 0
8139cp 22133 0
evdev 9880 2
edac_mce_amd 13054 0
pcspkr 2027 0
serio_raw 5041 0
k8temp 3506 0
mii 4027 2 8139cp,8139too
fan 2753 0
processor 27755 1 powernow_k8
thermal 8620 0
button 4669 1 nouveau
ext4 456475 2
crc16 1359 1 ext4
mbcache 5866 1 ext4
jbd2 81946 1 ext4
sd_mod 30730 4
ata_generic 3370 0
pata_acpi 3387 0
firewire_ohci 31869 0
firewire_core 51955 1 firewire_ohci
crc_itu_t 1363 1 firewire_core
sata_nv 21039 3
ehci_pci 4120 0
ohci_hcd 26544 0
ehci_hcd 47704 1 ehci_pci
libata 171016 3 pata_acpi,sata_nv,ata_generic
usbcore 177183 3 ohci_hcd,ehci_hcd,ehci_pci
scsi_mod 127772 2 libata,sd_mod
usb_common 1648 1 usbcore
#8, 12-22-2013, 01:48 PM
Senior Member | Registered: Jan 2012 | Distribution: Slackware | Posts: 3,348
That's odd; there should be a module called xt_mac listed as depending on x_tables. On my system, it gets loaded automatically when I create an iptables rule with a "mac" match criteria.
Can you load it manually with modprobe xt_mac?
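The three checks the thread walks through (the "-m mac" probe in #2, the config.gz grep in #6, and the modprobe/lsmod check in #8) collected into one diagnostic script. This is an added example, not code posted in the thread or shipped by iptables; the function names, the classification logic, the rule-order check at the end and the sample outputs embedded below (a trimmed copy of the OP's filter table and lsmod listing) are my own construction. The live diagnose() part needs root and a legacy iptables whose error strings match the ones quoted above.

```bash
#!/bin/sh
# Added helper script (not from the thread). The pure functions take command
# output as a string so they can be exercised offline; diagnose() runs the real
# iptables/zcat/modprobe/lsmod commands and must be run as root.

# Post #2: classify the stderr of `iptables -t filter -A INPUT -m mac -j ACCEPT`.
# Prints supported | missing | unknown. The probe rule is never added either way.
classify_mac_probe() {
    case "$1" in
        *"--mac-source"*"must be specified"*)  echo supported ;;
        *"o chain/target/match by that name"*) echo missing ;;
        *)                                     echo unknown ;;
    esac
}

# Post #6: read a kernel config (e.g. `zcat /proc/config.gz`) and report how the
# mac match was built. Prints builtin | module | absent.
kernel_mac_match() {
    printf '%s\n' "$1" | awk '
        /^CONFIG_NETFILTER_XT_MATCH_MAC=y/ { print "builtin"; seen = 1; exit }
        /^CONFIG_NETFILTER_XT_MATCH_MAC=m/ { print "module";  seen = 1; exit }
        END { if (!seen) print "absent" }'
}

# Post #8: is module $2 listed in the lsmod output given as $1? (exit status)
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# Extra check on the ruleset itself: does an INPUT "-m mac ... -j DROP" sit
# after the RELATED,ESTABLISHED accept? If so, connections already open from
# that MAC keep flowing. Prints yes | no | none (no mac DROP rule in INPUT).
mac_drop_after_established() {
    printf '%s\n' "$1" | awk '
        /^[*]/ { table = $0 }
        table != "*filter" { next }
        /^-A INPUT / {
            if ($0 ~ /ctstate RELATED,ESTABLISHED/ && $0 ~ /-j ACCEPT/) est = 1
            if ($0 ~ /-m mac / && $0 ~ /-j DROP/) { mac = 1; if (est) after = 1 }
        }
        END { if (!mac) print "none"; else print (after ? "yes" : "no") }'
}

# Live run (root): the same three checks the thread walks through.
diagnose() {
    probe=$(iptables -t filter -A INPUT -m mac -j ACCEPT 2>&1 >/dev/null) || true
    echo "iptables mac probe: $(classify_mac_probe "$probe")"
    [ -r /proc/config.gz ] && echo "kernel config:      $(kernel_mac_match "$(zcat /proc/config.gz)")"
    modprobe xt_mac 2>&1 || true
    if module_loaded "$(lsmod)" xt_mac; then echo "xt_mac module:      loaded"
    else echo "xt_mac module:      NOT loaded (check dmesg)"; fi
}

# Constructed samples for offline use: a trimmed copy of the OP's filter table
# from post #1 and of the lsmod listing from post #7.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m mac --mac-source 00:21:E9:DE:0C:74 -j DROP
-A INPUT -i lo -j ACCEPT
COMMIT'
SAMPLE_LSMOD='Module Size Used by
xt_conntrack 3265 2
ip_tables 17282 2 iptable_filter,iptable_nat
x_tables 17351 6 ip_tables,xt_tcpudp,ipt_MASQUERADE,xt_conntrack,xt_nat,iptable_filter'

# Run the live checks only when asked: `sh mac_match_check.sh diagnose`
if [ "${1:-}" = diagnose ]; then diagnose; fi
```

Two caveats worth keeping in mind when reading the result. A "mac" match only sees the source address of the Ethernet frame on the directly attached segment, so the rule blocks that host's own frames on the LAN side and is no use for traffic that arrives through another router. And in the OP's file the DROP sits after the RELATED,ESTABLISHED accept (mac_drop_after_established prints "yes"), which means a connection that was already open when the rule was loaded continues until it closes; place the DROP first if that is not the intent.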
#9, 12-22-2013, 02:01 PM
Member (Original Poster) | Registered: Aug 2011 | Location: USA | Distribution: ArchLinux - 3.0 kernel | Posts: 349
Tried loading the module but it won't load... no error of any kind; modprobe xt_mac gives no output, but lsmod doesn't show it afterwards... very strange.
#10, 12-22-2013, 02:10 PM
Senior Member | Registered: Jan 2012 | Distribution: Slackware | Posts: 3,348
If it's not in the lsmod list, then it wasn't successfully loaded. Anything in the logs? (dmesg, /var/log/messages, /var/log/syslog?)
Can you reinstall the kernel modules, either from source or by using a package manager?
#11, 12-22-2013, 02:23 PM
Member (Original Poster) | Registered: Aug 2011 | Location: USA | Distribution: ArchLinux - 3.0 kernel | Posts: 349
No, no logs at all.
This is a remote VPN server/router at my buddy's house; I'm prolly gonna wait till I can have physical access before trying to reload any kernel stuff.