Old 08-05-2009, 06:44 PM   #1
warrior1
LQ Newbie
 
Registered: Jul 2009
Distribution: CentOS
Posts: 2

Rep: Reputation: 0
iptables give error when LOG is the target


Hello,

Any help you can provide would be greatly appreciated.

I get the following messages when I try add a rule to iptables that contains "LOG" as the target, as follows:

# iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
iptables: No chain/target/match by that name

# iptables -A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP]: "
iptables: No chain/target/match by that name

I'm using CentOS


Code:
#vi iptables
*mangle
:PREROUTING ACCEPT [xxxxxxxxx:xxxxxxxxxx]
:INPUT ACCEPT [xxxxxxxxx:xxxxxxxxx]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [xxxxxxxxxxx:xxxxxxxxx]
:POSTROUTING ACCEPT [xxxxxxxxxxxx:xxxxxxxxxxx]
COMMIT
# Completed on Tue Aug  4 23:03:20 2009
# Generated by iptables-save v1.2.11 on Tue Aug  4 23:03:20 2009
*filter
:INPUT DROP [xxxxx:xxxxxx]
:FORWARD DROP [0:0]
:OUTPUT DROP [14:572]
:VZ_FORWARD - [0:0]
:VZ_INPUT - [0:0]
:VZ_OUTPUT - [0:0]
:acctboth - [0:0]
:LOG_DROP - [0:0]
-A INPUT -j acctboth
-A INPUT -p icmp -j ACCEPT
-A INPUT -j VZ_INPUT
-A INPUT -s 95.108.196.250 -p tcp -j DROP
-A INPUT -s 218.0.0.0/254.0.0.0 -j DROP
-A INPUT -j LOG_DROP
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j VZ_FORWARD
-A OUTPUT -j acctboth
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j VZ_OUTPUT
-A OUTPUT -j LOG_DROP
-A VZ_INPUT -s 58.0.0.0/254.0.0.0 -p tcp -j DROP
-A VZ_INPUT -s 60.0.0.0/254.0.0.0 -p tcp -j DROP
-A VZ_INPUT -s 112.0.0.0/248.0.0.0 -p tcp -j DROP
-A VZ_INPUT -s 120.0.0.0/252.0.0.0 -p tcp -j DROP
-A VZ_INPUT -s 124.0.0.0/254.0.0.0 -p tcp -j DROP
-A VZ_INPUT -s 220.0.0.0/254.0.0.0 -p tcp -j DROP
-A VZ_INPUT -s 222.0.0.0/254.0.0.0 -p tcp -j DROP
-A VZ_INPUT -s 95.108.128.0/255.255.128.0 -p tcp -j DROP
-A VZ_INPUT -p tcp -m tcp --dport xx:xx -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 53 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 2087 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 2096 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport xx -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 32768:65535 -j ACCEPT
-A VZ_INPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -j ACCEPT
-A VZ_INPUT -s 127.0.0.1 -d 127.0.0.1 -p udp -j ACCEPT
-A VZ_INPUT -s 72.29.89.38 -p tcp -j ACCEPT
-A VZ_INPUT -s 216.118.116.100 -p tcp -m tcp --dport 2089 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport xx:xx -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 43 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 110 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 465 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A VZ_OUTPUT -p udp -m udp --sport 53 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 995 -j ACCEPT
-A VZ_OUTPUT -p tcp -j ACCEPT
-A VZ_OUTPUT -p udp -j ACCEPT
-A VZ_OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -j ACCEPT
-A VZ_OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p udp -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport xx -j ACCEPT
-A VZ_OUTPUT -d 216.118.116.100 -p tcp -m tcp --sport 2089 -j ACCEPT
-A VZ_OUTPUT -d 72.29.89.38 -p tcp -j ACCEPT
-A acctboth -s xxx.xxx.xxx.xxx -i ! lo -p tcp -m tcp --dport 80
-A acctboth -d xxx.xxx.xxx.xxx -i ! lo -p tcp -m tcp --sport 80
-A acctboth -s xxx.xxx.xxx.xxx -i ! lo -p tcp -m tcp --dport 25
-A acctboth -d xxx.xxx.xxx.xxx -i ! lo -p tcp -m tcp --sport 25
-A acctboth -s xxx.xxx.xxx.xxx -i ! lo -p tcp -m tcp --dport 110
-A acctboth -d xxx.xxx.xxx.xxx -i ! lo -p tcp -m tcp --sport 110
-A acctboth -s xxx.xxx.xxx.xxx -i ! lo -p icmp
-A acctboth -d xxx.xxx.xxx.xxx -i ! lo -p icmp
-A acctboth -s xxx.xxx.xxx.xxx -i ! lo -p tcp
-A acctboth -d xxx.xxx.xxx.xxx -i ! lo -p tcp
-A acctboth -s xxx.xxx.xxx.xxx -i ! lo -p udp
-A acctboth -d xxx.xxx.xxx.xxx -i ! lo -p udp
-A acctboth -s xxx.xxx.xxx.xxx -i ! lo
-A acctboth -d xxx.xxx.xxx.xxx -i ! lo
-A acctboth -s xx.xx.xx.xx -i ! lo -p tcp -m tcp --dport 80
-A acctboth -d xx.xx.xx.xx -i ! lo -p tcp -m tcp --sport 80
-A acctboth -s xx.xx.xx.xx -i ! lo -p tcp -m tcp --dport 25
-A acctboth -d xx.xx.xx.xx -i ! lo -p tcp -m tcp --sport 25
-A acctboth -s xx.xx.xx.xx -i ! lo -p tcp -m tcp --dport 110
-A acctboth -d xx.xx.xx.xx -i ! lo -p tcp -m tcp --sport 110
-A acctboth -s xx.xx.xx.xx -i ! lo -p icmp
-A acctboth -d xx.xx.xx.xx -i ! lo -p icmp
-A acctboth -s xx.xx.xx.xx -i ! lo -p tcp
-A acctboth -d xx.xx.xx.xx -i ! lo -p tcp
-A acctboth -s xx.xx.xx.xx -i ! lo -p udp
-A acctboth -d xx.xx.xx.xx -i ! lo -p udp
-A acctboth -s xx.xx.xx.xx -i ! lo
-A acctboth -d xx.xx.xx.xx -i ! lo -p udp
-A acctboth -i ! lo
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A LOG_DROP -j DROP
COMMIT
iptables-restore < ./iptables
...fails unless I comment out the second to last rule ("-A LOG_DROP -j LOG...")

Quote:
#iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
acctboth all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
VZ_INPUT all -- anywhere anywhere
DROP tcp -- porter047.yandex.ru anywhere
DROP all -- 218.0.0.0/7 anywhere
LOG_DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
VZ_FORWARD all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
acctboth all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
VZ_OUTPUT all -- anywhere anywhere
LOG_DROP all -- anywhere anywhere

Chain LOG_DROP (2 references)
target prot opt source destination

Chain VZ_FORWARD (1 references)
target prot opt source destination

Chain VZ_INPUT (1 references)
target prot opt source destination
DROP tcp -- ppp-net.infoweb.ne.jp/7 anywhere
DROP tcp -- 60.0.0.0/7 anywhere
DROP tcp -- 112.0.0.0/5 anywhere
DROP tcp -- 120.0.0.0/6 anywhere
DROP tcp -- 124.0.0.0/7 anywhere
DROP tcp -- softbank220000000000.bbtec.net/7 anywhere
DROP tcp -- 222.0.0.0/7 anywhere
DROP tcp -- 95.108.128.0/17 anywhere
ACCEPT tcp -- anywhere anywhere tcp dpts:ftp-data:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:2087
ACCEPT tcp -- anywhere anywhere tcp dpt:2096
ACCEPT tcp -- anywhere anywhere tcp dpt:14792
ACCEPT tcp -- anywhere anywhere tcp dpts:32768:65535
ACCEPT udp -- anywhere anywhere udp dpts:32768:65535
ACCEPT tcp -- localhost localhost
ACCEPT udp -- localhost localhost
ACCEPT tcp -- 72-29-89-38.static.dimenoc.com anywhere
ACCEPT tcp -- 216.118.116.100 anywhere tcp dpt:2089

Chain VZ_OUTPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:ftp-data:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:smtp
ACCEPT tcp -- anywhere anywhere tcp spt:nicname
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:pop3
ACCEPT tcp -- anywhere anywhere tcp spt:smtps
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:pop3s
ACCEPT tcp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere
ACCEPT tcp -- localhost localhost
ACCEPT udp -- localhost localhost
ACCEPT tcp -- anywhere anywhere tcp spt:14792
ACCEPT tcp -- anywhere 216.118.116.100 tcp spt:2089
ACCEPT tcp -- anywhere 72-29-89-38.static.dimenoc.com

Chain acctboth (2 references)
target prot opt source destination
tcp -- vpsxxxx.managemyvps.com anywhere tcp dpt:http
tcp -- anywhere vpsxxxx.managemyvps.com tcp spt:http
tcp -- vpsxxxx.managemyvps.com anywhere tcp dpt:smtp
tcp -- anywhere vpsxxxx.managemyvps.com tcp spt:smtp
tcp -- vpsxxxx.managemyvps.com anywhere tcp dpt:pop3
tcp -- anywhere vpsxxxx.managemyvps.com tcp spt:pop3
icmp -- vpsxxxx.managemyvps.com anywhere
icmp -- anywhere vpsxxxx.managemyvps.com
tcp -- vpsxxxx.managemyvps.com anywhere
tcp -- anywhere vpsxxxx.managemyvps.com
udp -- vpsxxxx.managemyvps.com anywhere
udp -- anywhere vpsxxxx.managemyvps.com
all -- vpsxxx.managemyvps.com anywhere
all -- anywhere vpsxxxx.managemyvps.com
tcp -- xx-xx-xxx-xxx.managemyvps.com anywhere tcp dpt:http
tcp -- anywhere xx-xx-xxx-xxx.managemyvps.com tcp spt:http
tcp -- xx-xx-xxx-xxx.managemyvps.com anywhere tcp dpt:smtp
tcp -- anywhere xx-xx-xxx-xxx.managemyvps.com tcp spt:smtp
tcp -- xx-xx-xxx-xxx.managemyvps.com anywhere tcp dpt:pop3
tcp -- anywhere xx-xx-xxx-xxx.managemyvps.com tcp spt:pop3
icmp -- xx-xx-xxx-xxx.managemyvps.com anywhere
icmp -- anywhere xx-xx-xxx-xxx.managemyvps.com
tcp -- xx-xx-xxx-xxx.managemyvps.com anywhere
tcp -- anywhere xx-xx-xxx-xxx.managemyvps.com
udp -- xx-xx-xxx-xxx.managemyvps.com anywhere
udp -- anywhere xx-xx-xxx-xxx.managemyvps.com
all -- xx-xx-xxx-xxx.managemyvps.com anywhere
all -- anywhere xx-xx-xxx-xxx.managemyvps.com
all -- anywhere anywhere
Any ideas why it will not take any rule with "LOG" as the target?
 
Old 08-07-2009, 07:44 AM   #2
nuwen52
Member
 
Registered: Feb 2009
Distribution: Debian, CentOS 5, Gentoo, FreeBSD, Fedora, Mint, Slackware64
Posts: 208

Rep: Reputation: 46
I checked my CentOS and it looks like the module for the LOG target is not loaded by default. Try doing:

modprobe ipt_LOG

and then reloading your iptables.

If that works, add in loading that module into the boot process before you start the firewall.

Last edited by nuwen52; 08-07-2009 at 07:48 AM. Reason: grammar mistake
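A preflight check for exactly the failure in this thread, added here as an example and not code from either poster. It reads an iptables-save dump, lists every target the rules jump to that is neither a chain declared in the same file nor a built-in verdict, and looks each one up in the kernel's registered-target table, so a missing ipt_LOG is reported by name before iptables-restore turns it into "No chain/target/match by that name". It assumes /proc/net/ip_tables_targets lists registered targets one per line; the demo at the bottom substitutes constructed files so it runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread.  Before running iptables-restore,
# list every extension target a saved ruleset jumps to and check each one
# against the kernel's registered-target table, so a missing module (ipt_LOG in
# this thread) is named directly instead of surfacing as
# "iptables: No chain/target/match by that name".

# Verdicts built into the core; they never need a module.
BUILTIN_TARGETS="ACCEPT DROP RETURN QUEUE"

# Print the targets that $1 (an iptables-save dump) jumps to which are neither
# a chain declared in the same file (":NAME ...") nor a built-in verdict.
ruleset_extension_targets() {
    awk -v builtin="$BUILTIN_TARGETS" '
        BEGIN { n = split(builtin, b, " "); for (i = 1; i <= n; i++) isbuiltin[b[i]] = 1 }
        /^:/  { chains[substr($1, 2)] = 1; next }           # chain declaration line
        /^-A/ { for (i = 1; i < NF; i++) if ($i == "-j") jumps[$(i + 1)] = 1 }
        END   { for (t in jumps) if (!(t in chains) && !(t in isbuiltin)) print t }
    ' "$1" | sort -u
}

# Succeed if target $1 appears in the kernel target table.  $2 overrides the
# default /proc/net/ip_tables_targets (assumed to list registered targets, one
# per line); the demo below passes constructed files instead.
kernel_has_target() {
    grep -qx "$1" "${2:-/proc/net/ip_tables_targets}"
}

# Check ruleset $1 against target table $2.  Prints one status line per target
# and returns 1 if any target is missing.  The suggested module name follows the
# thread (ipt_<TARGET>); kernels from 3.x onward call the same module xt_<TARGET>.
check_ruleset_targets() {
    missing=0
    for t in $(ruleset_extension_targets "$1"); do
        if kernel_has_target "$t" "${2:-/proc/net/ip_tables_targets}"; then
            echo "ok      $t"
        else
            echo "MISSING $t  (load it first: modprobe ipt_$t)"
            missing=1
        fi
    done
    return $missing
}

# --- constructed demo input; not the poster's real files -------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# A cut-down ruleset with the same LOG_DROP chain the thread fails on.
cat > "$demo_dir/rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:LOG_DROP - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -j LOG_DROP
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A LOG_DROP -j DROP
COMMIT
EOF
# Target table of a kernel where ipt_LOG is not loaded, then after modprobe.
printf 'REJECT\nMASQUERADE\n'     > "$demo_dir/targets_no_log"
printf 'REJECT\nMASQUERADE\nLOG\n' > "$demo_dir/targets_with_log"

for table in targets_no_log targets_with_log; do
    echo "== $table"
    # Wrapped in if/else so a missing target is reported without aborting.
    if check_ruleset_targets "$demo_dir/rules" "$demo_dir/$table"; then
        echo "ruleset can be restored"
    else
        echo "fix the missing targets before iptables-restore"
    fi
done
```

On a live box, `check_ruleset_targets /etc/sysconfig/iptables` with no second argument reads the real /proc table; run it from the same boot-time script that loads the firewall, immediately after the modprobe, so the restore step never runs against a kernel that cannot honour the rules.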
 
Old 08-08-2009, 01:09 AM   #3
warrior1
LQ Newbie
 
Registered: Jul 2009
Distribution: CentOS
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks for your help, Nuwen52.

[root@vpsxxxx ~]# modprobe ipt_LOG
FATAL: Could not load /lib/modules/2.6.9-023stab048.6-enterprise/modules.dep: No such file or directory

Any ideas?

I should have mentioned before the server is a Virtuozzo VPS, which probably means they've modified the OS to the point that it is not really CentOS anymore. I read somewhere that "modules are not supported" with Virtuozzo VPS. Not exactly sure what is meant by "not supported". Does that mean they won't help me figure it out or does it mean modules cannot be made to function on the VPS? I'm not sure if modules can be compiled or if they are already compiled. It seems that I get an error every time I enter an iptables rule that requires a module.

I'm also wanting to install APF, which also requires modules.

Thanks,
Kirk

Last edited by warrior1; 08-08-2009 at 10:34 AM.
 
Old 08-10-2009, 08:25 AM   #4
nuwen52
Member
 
Registered: Feb 2009
Distribution: Debian, CentOS 5, Gentoo, FreeBSD, Fedora, Mint, Slackware64
Posts: 208

Rep: Reputation: 46
My guess is that they mean that modules can't be used. If they have that turned off in the kernel, then they probably have a reason for it. You should have the source for the kernel you are running. Kernel version can be found by a: uname -a

You probably don't want to turn on module support, since they made it a point to turn it off. So, you will have to recompile the kernel to make the LOG target work. What you are looking for is under:
networking -> networking options -> network packet filtering -> IP: netfilter configuration

That's where a lot of the target stuff is. Enable the LOG target into the kernel as built in and not a module (and others you may need) and recompile. Then follow the normal way of installing a new kernel (and, make a backup boot option for your old kernel, just in case). You should be able to google (or search here) for the full instructions for your version of the OS.

Not allowing modules makes things a little more difficult (and time consuming), but not impossible.

Last edited by nuwen52; 08-10-2009 at 08:47 AM.
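Before committing to the kernel rebuild described above, the running kernel's build configuration answers which of the two fixes in this thread applies. The script below is an added example, not code from either poster: it reads a kernel config (assumed at /boot/config-$(uname -r) as on RHEL/CentOS, or /proc/config.gz when the kernel was built with CONFIG_IKCONFIG_PROC), looks at CONFIG_MODULES and the LOG target option (CONFIG_IP_NF_TARGET_LOG on 2.6 kernels, CONFIG_NETFILTER_XT_TARGET_LOG on later ones), and reports whether LOG is built in, a loadable module (post #2's modprobe), or absent on a kernel that cannot load modules (post #4's rebuild). The three config files at the end are constructed for the demo and do not come from the poster's VPS.

```shell
#!/bin/sh
# Added example, not code from the thread.  Diagnose from the kernel build
# config whether the LOG target can simply be modprobed or whether the kernel
# has to be rebuilt with LOG compiled in.

# Locate a readable kernel config for the running kernel.  Prints the path of a
# plain-text copy, or returns 1 when neither location is available.
find_kernel_config() {
    rel=$(uname -r)
    if [ -r "/boot/config-$rel" ]; then
        echo "/boot/config-$rel"
    elif [ -r /proc/config.gz ]; then
        out="${TMPDIR:-/tmp}/config-$rel.$$"
        gzip -dc /proc/config.gz > "$out" && echo "$out"
    else
        return 1
    fi
}

# Print y, m or n for option $1 in config file $2.  "n" covers both an explicit
# "# CONFIG_X is not set" line and an option missing from the file entirely.
kconfig_state() {
    state=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2")
    echo "${state:-n}"
}

# Classify the LOG target from config file $1.  Prints one of:
#   builtin   - LOG compiled in; the ruleset should restore as-is
#   module    - LOG built as ipt_LOG/xt_LOG; run modprobe before restoring
#   build-mod - LOG absent, but the kernel loads modules; build the module
#   rebuild   - LOG absent and module loading disabled; rebuild the kernel
#               with the option set to y (the situation this thread ends in)
log_target_status() {
    cfg=$1
    log=$(kconfig_state CONFIG_IP_NF_TARGET_LOG "$cfg")
    # Kernels from 3.x onward carry the target under the xtables option name.
    [ "$log" = n ] && log=$(kconfig_state CONFIG_NETFILTER_XT_TARGET_LOG "$cfg")
    mods=$(kconfig_state CONFIG_MODULES "$cfg")
    case "$log/$mods" in
        y/*) echo builtin ;;
        m/*) echo module ;;
        n/y) echo build-mod ;;
        *)   echo rebuild ;;
    esac
}

# --- constructed demo configs; not the poster's real kernel config ---------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
# Stock distro kernel: modules on, LOG built as a module -> modprobe fixes it.
printf 'CONFIG_MODULES=y\nCONFIG_IP_NF_TARGET_LOG=m\n' > "$demo_dir/stock"
# Locked-down VPS kernel: no module loading and no LOG -> rebuild needed.
printf '# CONFIG_MODULES is not set\n# CONFIG_IP_NF_TARGET_LOG is not set\n' > "$demo_dir/vps"
# Kernel with LOG compiled in under the newer option name.
printf 'CONFIG_MODULES=y\nCONFIG_NETFILTER_XT_TARGET_LOG=y\n' > "$demo_dir/builtin"

for c in stock vps builtin; do
    echo "$c: $(log_target_status "$demo_dir/$c")"
done
# On a live system: log_target_status "$(find_kernel_config)"
```

The case that matters for this thread is `rebuild`: a config with CONFIG_MODULES off and no LOG option set is the combination where modprobe can never succeed and only a rebuilt kernel with the target compiled in (the menu path given above) will make the LOG_DROP rules load.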
 