[UNSOLVABLE] arno-iptables-firewall errors out
NP_complete
Posted: Sun Nov 02, 2014 2:40 am    Post subject: [UNSOLVABLE] arno-iptables-firewall errors out

I am setting up a firewall on a single-user machine. Most conservative settings. No externally visible daemons like sshd. arno-iptables-firewall gives the following output (see below). It's asking for some elusive modules called xt_limit|ipt_limit,ip6t_limit and xt_multiport|ipt_multiport,ip6t_multiport, WHICH I CANNOT FIND. Somebody please clue me in where they might be in menuconfig. arno-firewall eventually bombs but leaves a few rules scattered around (see below).

The output from ip6tables -L -n ends with "POST_INPUT_DROP_CHAIN all ::/0 ::/0 state INVALID"

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$ uname -r
3.16.5-gentoo

$ journalctl
arno-iptables-firewall[2641]: Arno's Iptables Firewall Script v2.0.1e
arno-iptables-firewall[2641]: -------------------------------------------------------------------------------
arno-iptables-firewall[2641]: Platform: Linux 3.16.5-gentoo x86_64
arno-iptables-firewall[2641]: Stopping (user) plugins...
arno-iptables-firewall[2641]: Checking/probing Iptables modules:
arno-iptables-firewall[2641]: Loaded kernel module ip_tables.
arno-iptables-firewall[2641]: Loaded kernel module ip6_tables.
arno-iptables-firewall[2641]: Loaded kernel module nf_conntrack.
arno-iptables-firewall[2641]: Loaded kernel module nf_conntrack_ipv6.
arno-iptables-firewall[2641]: Loaded kernel module nf_conntrack_ftp.
arno-iptables-firewall[2641]: Loaded kernel module xt_conntrack.
arno-iptables-firewall[2641]: WARNING: Modules "xt_limit|ipt_limit,ip6t_limit" failed to load. Assuming compiled-in-kernel.
arno-iptables-firewall[2641]: Loaded kernel module xt_state.
arno-iptables-firewall[2641]: WARNING: Modules "xt_multiport|ipt_multiport,ip6t_multiport" failed to load. Assuming compiled-in-kernel.
arno-iptables-firewall[2641]: Loaded kernel module iptable_filter.
arno-iptables-firewall[2641]: Loaded kernel module ip6table_filter.
arno-iptables-firewall[2641]: Loaded kernel module iptable_mangle.
arno-iptables-firewall[2641]: Loaded kernel module ip6table_mangle.
arno-iptables-firewall[2641]: Loaded kernel module ipt_REJECT.
arno-iptables-firewall[2641]: Loaded kernel module ip6t_REJECT.
arno-iptables-firewall[2641]: Loaded kernel module xt_LOG.
arno-iptables-firewall[2641]: Loaded kernel module xt_TCPMSS.
arno-iptables-firewall[2641]: Loaded kernel module iptable_nat.
arno-iptables-firewall[2641]: Module check done...
arno-iptables-firewall[2641]: Configuring general kernel parameters:
arno-iptables-firewall[2641]: Setting the max. amount of simultaneous connections to 16384
arno-iptables-firewall[2641]: net.nf_conntrack_max = 16384
arno-iptables-firewall[2641]: net.netfilter.nf_conntrack_udp_timeout = 60
arno-iptables-firewall[2641]: net.netfilter.nf_conntrack_acct = 1
arno-iptables-firewall[2641]: Configuring kernel parameters:
arno-iptables-firewall[2641]: Disabling send redirects
arno-iptables-firewall[2641]: net.ipv4.conf.all.send_redirects = 0
arno-iptables-firewall[2641]: net.ipv4.conf.default.send_redirects = 0
arno-iptables-firewall[2641]: net.ipv4.conf.enp4s0f2.send_redirects = 0
arno-iptables-firewall[2641]: net.ipv4.conf.lo.send_redirects = 0
arno-iptables-firewall[2641]: net.ipv4.conf.wlp3s0.send_redirects = 0
arno-iptables-firewall[2641]: Enabling protection against source routed packets
arno-iptables-firewall[2641]: net.ipv4.conf.all.accept_source_route = 0
arno-iptables-firewall[2641]: net.ipv4.conf.default.accept_source_route = 0
arno-iptables-firewall[2641]: net.ipv4.conf.enp4s0f2.accept_source_route = 0
arno-iptables-firewall[2641]: net.ipv4.conf.lo.accept_source_route = 0
arno-iptables-firewall[2641]: net.ipv4.conf.wlp3s0.accept_source_route = 0
arno-iptables-firewall[2641]: net.ipv6.conf.all.accept_source_route = 0
arno-iptables-firewall[2641]: net.ipv6.conf.default.accept_source_route = 0
arno-iptables-firewall[2641]: net.ipv6.conf.enp4s0f2.accept_source_route = 0
arno-iptables-firewall[2641]: net.ipv6.conf.lo.accept_source_route = 0
arno-iptables-firewall[2641]: net.ipv6.conf.wlp3s0.accept_source_route = 0
arno-iptables-firewall[2641]: net.ipv4.icmp_echo_ignore_broadcasts = 1
arno-iptables-firewall[2641]: net.ipv4.icmp_ignore_bogus_error_responses = 1
arno-iptables-firewall[2641]: Enabling packet forwarding
arno-iptables-firewall[2641]: net.ipv4.conf.all.forwarding = 1
arno-iptables-firewall[2641]: net.ipv4.conf.default.forwarding = 1
arno-iptables-firewall[2641]: net.ipv4.conf.enp4s0f2.forwarding = 1
arno-iptables-firewall[2641]: net.ipv4.conf.lo.forwarding = 1
arno-iptables-firewall[2641]: net.ipv4.conf.wlp3s0.forwarding = 1
arno-iptables-firewall[2641]: net.ipv6.conf.all.forwarding = 1
arno-iptables-firewall[2641]: net.ipv6.conf.default.forwarding = 1
arno-iptables-firewall[2641]: net.ipv6.conf.enp4s0f2.forwarding = 1
arno-iptables-firewall[2641]: net.ipv6.conf.lo.forwarding = 1
arno-iptables-firewall[2641]: net.ipv6.conf.wlp3s0.forwarding = 1
arno-iptables-firewall[2641]: Disabling Local IPv6 Auto-Configuration
arno-iptables-firewall[2641]: net.ipv6.conf.all.autoconf = 0
arno-iptables-firewall[2641]: net.ipv6.conf.default.autoconf = 0
arno-iptables-firewall[2641]: net.ipv6.conf.enp4s0f2.autoconf = 0
arno-iptables-firewall[2641]: net.ipv6.conf.lo.autoconf = 0
arno-iptables-firewall[2641]: net.ipv6.conf.wlp3s0.autoconf = 0
arno-iptables-firewall[2641]: net.ipv6.conf.all.accept_ra = 0
arno-iptables-firewall[2641]: net.ipv6.conf.default.accept_ra = 0
arno-iptables-firewall[2641]: net.ipv6.conf.enp4s0f2.accept_ra = 0
arno-iptables-firewall[2641]: net.ipv6.conf.lo.accept_ra = 0
arno-iptables-firewall[2641]: net.ipv6.conf.wlp3s0.accept_ra = 0
arno-iptables-firewall[2641]: Setting some kernel performance options
arno-iptables-firewall[2641]: net.ipv4.tcp_window_scaling = 1
arno-iptables-firewall[2641]: net.ipv4.tcp_timestamps = 1
arno-iptables-firewall[2641]: net.ipv4.tcp_sack = 1
arno-iptables-firewall[2641]: net.ipv4.tcp_dsack = 1
arno-iptables-firewall[2641]: net.ipv4.tcp_fack = 1
arno-iptables-firewall[2641]: net.ipv4.tcp_low_latency = 0
arno-iptables-firewall[2641]: Enabling reduction of the DoS'ing ability
arno-iptables-firewall[2641]: net.ipv4.tcp_fin_timeout = 30
arno-iptables-firewall[2641]: net.ipv4.tcp_keepalive_time = 1800
arno-iptables-firewall[2641]: net.ipv4.tcp_syn_retries = 3
arno-iptables-firewall[2641]: net.ipv4.tcp_synack_retries = 2
arno-iptables-firewall[2641]: net.ipv4.tcp_rfc1337 = 1
arno-iptables-firewall[2641]: net.ipv4.ip_local_port_range = 32768 61000
arno-iptables-firewall[2641]: Enabling SYN-flood protection via SYN-cookies
arno-iptables-firewall[2641]: net.ipv4.tcp_syncookies = 1
arno-iptables-firewall[2641]: Enabling anti-spoof with rp_filter
arno-iptables-firewall[2641]: net.ipv4.conf.all.rp_filter = 1
arno-iptables-firewall[2641]: net.ipv4.conf.default.rp_filter = 1
arno-iptables-firewall[2641]: net.ipv4.conf.enp4s0f2.rp_filter = 1
arno-iptables-firewall[2641]: net.ipv4.conf.lo.rp_filter = 1
arno-iptables-firewall[2641]: net.ipv4.conf.wlp3s0.rp_filter = 1
arno-iptables-firewall[2641]: net.ipv4.icmp_echo_ignore_all = 0
arno-iptables-firewall[2641]: Disabling the logging of martians
arno-iptables-firewall[2641]: net.ipv4.conf.all.log_martians = 0
arno-iptables-firewall[2641]: net.ipv4.conf.default.log_martians = 0
arno-iptables-firewall[2641]: net.ipv4.conf.enp4s0f2.log_martians = 0
arno-iptables-firewall[2641]: net.ipv4.conf.lo.log_martians = 0
arno-iptables-firewall[2641]: net.ipv4.conf.wlp3s0.log_martians = 0
arno-iptables-firewall[2641]: Disabling the acception of ICMP-redirect messages
arno-iptables-firewall[2641]: net.ipv4.conf.all.accept_redirects = 0
arno-iptables-firewall[2641]: net.ipv4.conf.default.accept_redirects = 0
arno-iptables-firewall[2641]: net.ipv4.conf.enp4s0f2.accept_redirects = 0
arno-iptables-firewall[2641]: net.ipv4.conf.lo.accept_redirects = 0
arno-iptables-firewall[2641]: net.ipv4.conf.wlp3s0.accept_redirects = 0
arno-iptables-firewall[2641]: net.ipv6.conf.all.accept_redirects = 0
arno-iptables-firewall[2641]: net.ipv6.conf.default.accept_redirects = 0
arno-iptables-firewall[2641]: net.ipv6.conf.enp4s0f2.accept_redirects = 0
arno-iptables-firewall[2641]: net.ipv6.conf.lo.accept_redirects = 0
arno-iptables-firewall[2641]: net.ipv6.conf.wlp3s0.accept_redirects = 0
arno-iptables-firewall[2641]: Disabling ECN (Explicit Congestion Notification)
arno-iptables-firewall[2641]: net.ipv4.tcp_ecn = 0
arno-iptables-firewall[2641]: Enabling kernel support for dynamic IPs
arno-iptables-firewall[2641]: net.ipv4.ip_dynaddr = 1
arno-iptables-firewall[2641]: Enabling PMTU discovery
arno-iptables-firewall[2641]: net.ipv4.ip_no_pmtu_disc = 0
arno-iptables-firewall[2641]: Setting default TTL=64
arno-iptables-firewall[2641]: net.ipv4.ip_default_ttl = 64
arno-iptables-firewall[2641]: Flushing route table
arno-iptables-firewall[2641]: net.ipv4.route.flush = 1
arno-iptables-firewall[2641]: net.ipv6.route.flush = 1
arno-iptables-firewall[2641]: Kernel setup done...
arno-iptables-firewall[2641]: Reinitializing firewall chains
arno-iptables-firewall[2641]: Setting all default policies to DROP while "setting up firewall rules"
arno-iptables-firewall[2641]: IPv4/IPv6 mixed mode selected
arno-iptables-firewall[2641]: /sbin/iptables -A HOST_BLOCK_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Blocked host(s):
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A HOST_BLOCK_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Blocked host(s):
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A LINK_LOCAL_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Dropped Link-Local:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Using loglevel "info" for syslogd
arno-iptables-firewall[2641]: Setting up firewall rules:
arno-iptables-firewall[2641]: -------------------------------------------------------------------------------
arno-iptables-firewall[2641]: Enabling setting the maximum packet size via MSS
arno-iptables-firewall[2641]: Logging of stealth scans (nmap probes etc.) enabled
arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth XMAS scan:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth XMAS scan:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth XMAS-PSH scan:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth XMAS-PSH scan:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-flags ALL ALL -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth XMAS-ALL scan:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-flags ALL ALL -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth XMAS-ALL scan:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth FIN scan:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-flags ALL FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth FIN scan:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth SYN/RST scan:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth SYN/RST scan:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth SYN/FIN scan?:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth SYN/FIN scan?:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-flags ALL NONE -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth Null scan:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-flags ALL NONE -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth Null scan:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Logging of packets with bad TCP-flags enabled
arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-option 64 -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Bad TCP flag(64):
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-option 64 -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Bad TCP flag(64):
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-option 128 -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Bad TCP flag(128):
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-option 128 -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Bad TCP flag(128):
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Logging of INVALID TCP packets disabled
arno-iptables-firewall[2641]: Logging of INVALID UDP packets disabled
arno-iptables-firewall[2641]: Logging of INVALID ICMP packets disabled
arno-iptables-firewall[2641]: Logging of fragmented packets enabled
arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -f -m limit --limit 3/m --limit-burst 1 -j LOG --log-prefix AIF:Fragment packet:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Logging of access from reserved nets disabled
arno-iptables-firewall[2641]: Reading custom rules from /etc/arno-iptables-firewall/custom-rules
arno-iptables-firewall[2641]: Checking for (user) plugins in /usr/libexec/arno-iptables-firewall/plugins...
arno-iptables-firewall[2641]: Loaded 0 plugin(s)...
arno-iptables-firewall[2641]: /sbin/iptables -A OUTPUT -f -m limit --limit 3/m -j LOG --log-level info --log-prefix AIF:Fragment packet:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Setting up external(INET) INPUT policy
arno-iptables-firewall[2641]: Logging of ICMP flooding enabled
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type destination-unreachable -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-unreachable flood:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type destination-unreachable -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-unreachable flood:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type time-exceeded -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-time-exceeded fld:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type time-exceeded -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-time-exceeded fld:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type parameter-problem -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-param-problem fld:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type parameter-problem -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-param-problem fld:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type echo-request -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-request(ping) fld:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type echo-request -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-request(ping) fld:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type echo-reply -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-reply(pong) flood:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type echo-reply -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-reply(pong) flood:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type source-quench -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-source-quench fld:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type packet-too-big -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-packet-too-big fld:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP(other) flood:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP(other) flood:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p tcp --dport 0 -m limit --limit 6/h --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Port 0 OS fingerprint:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp --dport 0 -m limit --limit 6/h --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Port 0 OS fingerprint:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p udp --dport 0 -m limit --limit 6/h --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Port 0 OS fingerprint:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p udp --dport 0 -m limit --limit 6/h --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Port 0 OS fingerprint:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p tcp --sport 0 -m limit --limit 6/h --limit-burst 5 -j LOG --log-level info --log-prefix AIF:TCP source port 0:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp --sport 0 -m limit --limit 6/h --limit-burst 5 -j LOG --log-level info --log-prefix AIF:TCP source port 0:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p udp --sport 0 -m limit --limit 6/h --limit-burst 5 -j LOG --log-level info --log-prefix AIF:UDP source port 0:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p udp --sport 0 -m limit --limit 6/h --limit-burst 5 -j LOG --log-level info --log-prefix AIF:UDP source port 0:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Enabling support for DHCP-assigned-IP (DHCP client)
arno-iptables-firewall[2641]: Logging of explicitly blocked hosts enabled
arno-iptables-firewall[2641]: Logging of denied local output connections enabled
arno-iptables-firewall[2641]: Packets will NOT be checked for reserved source addresses
arno-iptables-firewall[2641]: Denying ANYHOST to send IPv4 ICMP-requests (ping)
arno-iptables-firewall[2641]: Allowing ANYHOST to send IPv6 ICMPv6-requests
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p icmpv6 --icmpv6-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Logging of possible stealth scans enabled
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p tcp ! --syn --dport 1024: -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth scan? (UNPRIV):
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp ! --syn --dport 1024: -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth scan? (UNPRIV):
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p tcp ! --syn --dport :1023 -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth scan? (PRIV):
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp ! --syn --dport :1023 -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth scan? (PRIV):
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Logging of (other) packets to PRIVILEGED TCP ports enabled
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p tcp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV TCP packet:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV TCP packet:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_MULTICAST_CHAIN -p tcp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV TCP multicast:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_MULTICAST_CHAIN -p tcp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV TCP multicast:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_BROADCAST_CHAIN -p tcp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV TCP broadcast:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_BROADCAST_CHAIN -p tcp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV TCP broadcast:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Logging of (other) packets to PRIVILEGED UDP ports enabled
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p udp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV UDP packet:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p udp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV UDP packet:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_MULTICAST_CHAIN -p udp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV UDP multicast:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_MULTICAST_CHAIN -p udp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV UDP multicast:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_BROADCAST_CHAIN -p udp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV UDP broadcast:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_BROADCAST_CHAIN -p udp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV UDP broadcast:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Logging of (other) packets to UNPRIVILEGED TCP ports enabled
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p tcp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV TCP packet:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV TCP packet:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_MULTICAST_CHAIN -p tcp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV TCP multicast:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_MULTICAST_CHAIN -p tcp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV TCP multicast:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_BROADCAST_CHAIN -p tcp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV TCP broadcast:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_BROADCAST_CHAIN -p tcp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV TCP broadcast:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Logging of (other) packets to UNPRIVILEGED UDP ports enabled
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p udp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV UDP packet:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p udp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV UDP packet:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_MULTICAST_CHAIN -p udp --dport 1024 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV UDP multicast:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_MULTICAST_CHAIN -p udp --dport 1024 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV UDP multicast:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_BROADCAST_CHAIN -p udp --dport 1024 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV UDP broadcast:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_BROADCAST_CHAIN -p udp --dport 1024 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV UDP broadcast:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Logging of IGMP packets enabled
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p 2 -m limit --limit 1/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:IGMP packet:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Logging of dropped ICMP-request(ping) packets enabled
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-request:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p icmpv6 --icmpv6-type echo-request -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-request:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_MULTICAST_CHAIN -p icmp --icmp-type echo-request -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-multicast-request:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_MULTICAST_CHAIN -p icmpv6 --icmpv6-type echo-request -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-multicast-request:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Logging of dropped other ICMP packets enabled
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p icmp ! --icmp-type echo-request -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-other:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p icmpv6 ! --icmpv6-type echo-request -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-other:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_MULTICAST_CHAIN -p icmp ! --icmp-type echo-request -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-multicast-other:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_MULTICAST_CHAIN -p icmpv6 ! --icmpv6-type echo-request -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-multicast-other:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled
arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -m limit --limit 1/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Other connect:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -m limit --limit 1/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Other connect:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Setting up external(INET) OUTPUT policy
arno-iptables-firewall[2641]: Applying external(INET) policy to interface: enp4s0f2 (without an external subnet specified)
arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i enp4s0f2 -p icmpv6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i enp4s0f2 -p icmpv6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i enp4s0f2 -p icmpv6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i enp4s0f2 -p icmpv6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A INPUT -i enp4s0f2 -p icmp -m state --state NEW -m limit --limit 60/second --limit-burst 100 -j EXT_INPUT_CHAIN
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i enp4s0f2 -p icmpv6 -m state --state NEW -m limit --limit 60/second --limit-burst 100 -j EXT_INPUT_CHAIN
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Applying external(INET) policy to interface: wlp3s0 (without an external subnet specified)
arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i wlp3s0 -p icmpv6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i wlp3s0 -p icmpv6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i wlp3s0 -p icmpv6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i wlp3s0 -p icmpv6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A INPUT -i wlp3s0 -p icmp -m state --state NEW -m limit --limit 60/second --limit-burst 100 -j EXT_INPUT_CHAIN
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i wlp3s0 -p icmpv6 -m state --state NEW -m limit --limit 60/second --limit-burst 100 -j EXT_INPUT_CHAIN
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/iptables -A INPUT -m limit --limit 1/s -j LOG --log-level info --log-prefix AIF:Dropped INPUT packet:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -m limit --limit 1/s -j LOG --log-level info --log-prefix AIF:Dropped INPUT packet:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Security is ENFORCED for external interface(s) in the FORWARD chain
arno-iptables-firewall[2641]: Logging of dropped FORWARD packets enabled
arno-iptables-firewall[2641]: /sbin/iptables -A FORWARD -m limit --limit 1/m --limit-burst 3 -j LOG --log-level info --log-prefix AIF:Dropped FORWARD packet:
arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.
arno-iptables-firewall[2641]: /sbin/ip6tables -A FORWARD -m limit --limit 1/m --limit-burst 3 -j LOG --log-level info --log-prefix AIF:Dropped FORWARD packet:
arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.
arno-iptables-firewall[2641]: Nov 01 20:17:23 WARNING: Not all firewall rules are applied.
systemd[1]: arno-iptables-firewall.service: main process exited, code=exited, status=1/FAILURE
systemd[1]: Unit arno-iptables-firewall.service entered failed state.


$ ip6tables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
BASE_INPUT_CHAIN all ::/0 ::/0
INPUT_CHAIN all ::/0 ::/0
HOST_BLOCK_SRC all ::/0 ::/0
SPOOF_CHK all ::/0 ::/0
VALID_CHK all ::/0 ::/0
EXT_INPUT_CHAIN !icmpv6 ::/0 ::/0 state NEW
EXT_ICMP_FLOOD_CHAIN icmpv6 ::/0 ::/0 state NEW
VALID_CHK all ::/0 ::/0
EXT_INPUT_CHAIN !icmpv6 ::/0 ::/0 state NEW
EXT_ICMP_FLOOD_CHAIN icmpv6 ::/0 ::/0 state NEW
POST_INPUT_CHAIN all ::/0 ::/0
DROP all ::/0 ::/0

Chain FORWARD (policy DROP)
target prot opt source destination
BASE_FORWARD_CHAIN all ::/0 ::/0
TCPMSS tcp ::/0 ::/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
TCPMSS tcp ::/0 ::/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
FORWARD_CHAIN all ::/0 ::/0
HOST_BLOCK_SRC all ::/0 ::/0
HOST_BLOCK_DST all ::/0 ::/0
LINK_LOCAL_DROP all fe80::/10 ::/0
LINK_LOCAL_DROP all ::/0 fe80::/10
EXT_FORWARD_IN_CHAIN all ::/0 ::/0
EXT_FORWARD_OUT_CHAIN all ::/0 ::/0
EXT_FORWARD_IN_CHAIN all ::/0 ::/0
EXT_FORWARD_OUT_CHAIN all ::/0 ::/0
SPOOF_CHK all ::/0 ::/0
POST_FORWARD_CHAIN all ::/0 ::/0
DROP all ::/0 ::/0

Chain OUTPUT (policy DROP)
target prot opt source destination
BASE_OUTPUT_CHAIN all ::/0 ::/0
TCPMSS tcp ::/0 ::/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
TCPMSS tcp ::/0 ::/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
OUTPUT_CHAIN all ::/0 ::/0
HOST_BLOCK_DST all ::/0 ::/0
EXT_OUTPUT_CHAIN all ::/0 ::/0
EXT_OUTPUT_CHAIN all ::/0 ::/0
POST_OUTPUT_CHAIN all ::/0 ::/0
ACCEPT all ::/0 ::/0

Chain BASE_FORWARD_CHAIN (1 references)
target prot opt source destination
ACCEPT all ::/0 ::/0 state ESTABLISHED
ACCEPT tcp ::/0 ::/0 state RELATED tcp dpts:1024:65535
ACCEPT udp ::/0 ::/0 state RELATED udp dpts:1024:65535
ACCEPT icmpv6 ::/0 ::/0 state RELATED
ACCEPT all ::/0 ::/0

Chain BASE_INPUT_CHAIN (1 references)
target prot opt source destination
ACCEPT all ::/0 ::/0 state ESTABLISHED
ACCEPT tcp ::/0 ::/0 state RELATED tcp dpts:1024:65535
ACCEPT udp ::/0 ::/0 state RELATED udp dpts:1024:65535
ACCEPT icmpv6 ::/0 ::/0 state RELATED
ACCEPT all ::/0 ::/0

Chain BASE_OUTPUT_CHAIN (1 references)
target prot opt source destination
ACCEPT all ::/0 ::/0 state ESTABLISHED
ACCEPT all ::/0 ::/0

Chain DMZ_FORWARD_IN_CHAIN (0 references)
target prot opt source destination

Chain DMZ_FORWARD_OUT_CHAIN (0 references)
target prot opt source destination

Chain DMZ_INET_FORWARD_CHAIN (0 references)
target prot opt source destination

Chain DMZ_INPUT_CHAIN (0 references)
target prot opt source destination

Chain DMZ_LAN_FORWARD_CHAIN (0 references)
target prot opt source destination

Chain DMZ_OUTPUT_CHAIN (0 references)
target prot opt source destination

Chain EXT_BROADCAST_CHAIN (0 references)
target prot opt source destination
DROP all ::/0 ::/0

Chain EXT_FORWARD_IN_CHAIN (2 references)
target prot opt source destination
VALID_CHK all ::/0 ::/0

Chain EXT_FORWARD_OUT_CHAIN (2 references)
target prot opt source destination

Chain EXT_ICMP_FLOOD_CHAIN (2 references)
target prot opt source destination
POST_INPUT_DROP_CHAIN icmpv6 ::/0 ::/0 ipv6-icmptype 1
POST_INPUT_DROP_CHAIN icmpv6 ::/0 ::/0 ipv6-icmptype 3
POST_INPUT_DROP_CHAIN icmpv6 ::/0 ::/0 ipv6-icmptype 4
POST_INPUT_DROP_CHAIN icmpv6 ::/0 ::/0 ipv6-icmptype 128
POST_INPUT_DROP_CHAIN icmpv6 ::/0 ::/0 ipv6-icmptype 129
POST_INPUT_DROP_CHAIN icmpv6 ::/0 ::/0 ipv6-icmptype 2
POST_INPUT_DROP_CHAIN icmpv6 ::/0 ::/0

Chain EXT_INPUT_CHAIN (2 references)
target prot opt source destination
POST_INPUT_DROP_CHAIN tcp ::/0 ::/0 tcp dpt:0
POST_INPUT_DROP_CHAIN udp ::/0 ::/0 udp dpt:0
POST_INPUT_DROP_CHAIN tcp ::/0 ::/0 tcp spt:0
POST_INPUT_DROP_CHAIN udp ::/0 ::/0 udp spt:0
ACCEPT udp ::/0 ::/0 udp spt:547 dpt:546
POST_INPUT_DROP_CHAIN tcp ::/0 ::/0 tcp flags:!0x17/0x02
EXT_MULTICAST_CHAIN all ::/0 ff00::/8
POST_INPUT_CHAIN all ::/0 ::/0
POST_INPUT_DROP_CHAIN tcp ::/0 ::/0
POST_INPUT_DROP_CHAIN udp ::/0 ::/0
POST_INPUT_DROP_CHAIN icmpv6 ::/0 ::/0
POST_INPUT_DROP_CHAIN all ::/0 ::/0

Chain EXT_MULTICAST_CHAIN (1 references)
target prot opt source destination
DROP all ::/0 ::/0

Chain EXT_OUTPUT_CHAIN (2 references)
target prot opt source destination

Chain FORWARD_CHAIN (1 references)
target prot opt source destination

Chain HOST_BLOCK_DROP (0 references)
target prot opt source destination
DROP all ::/0 ::/0

Chain HOST_BLOCK_DST (2 references)
target prot opt source destination

Chain HOST_BLOCK_SRC (2 references)
target prot opt source destination

Chain INET_DMZ_FORWARD_CHAIN (0 references)
target prot opt source destination

Chain INPUT_CHAIN (1 references)
target prot opt source destination

Chain INT_FORWARD_IN_CHAIN (0 references)
target prot opt source destination

Chain INT_FORWARD_OUT_CHAIN (0 references)
target prot opt source destination

Chain INT_INPUT_CHAIN (0 references)
target prot opt source destination

Chain INT_OUTPUT_CHAIN (0 references)
target prot opt source destination

Chain LAN_INET_FORWARD_CHAIN (0 references)
target prot opt source destination

Chain LINK_LOCAL_DROP (2 references)
target prot opt source destination
DROP all ::/0 ::/0

Chain OUTPUT_CHAIN (1 references)
target prot opt source destination

Chain POST_FORWARD_CHAIN (1 references)
target prot opt source destination

Chain POST_INPUT_CHAIN (2 references)
target prot opt source destination

Chain POST_INPUT_DROP_CHAIN (26 references)
target prot opt source destination
DROP all ::/0 ::/0

Chain POST_OUTPUT_CHAIN (1 references)
target prot opt source destination

Chain RESERVED_NET_CHK (0 references)
target prot opt source destination

Chain SPOOF_CHK (2 references)
target prot opt source destination
RETURN all ::/0 ::/0

Chain VALID_CHK (3 references)
target prot opt source destination
POST_INPUT_DROP_CHAIN tcp ::/0 ::/0 tcp flags:0x3F/0x29
POST_INPUT_DROP_CHAIN tcp ::/0 ::/0 tcp flags:0x3F/0x37
POST_INPUT_DROP_CHAIN tcp ::/0 ::/0 tcp flags:0x3F/0x3F
POST_INPUT_DROP_CHAIN tcp ::/0 ::/0 tcp flags:0x3F/0x01
POST_INPUT_DROP_CHAIN tcp ::/0 ::/0 tcp flags:0x06/0x06
POST_INPUT_DROP_CHAIN tcp ::/0 ::/0 tcp flags:0x03/0x03
POST_INPUT_DROP_CHAIN tcp ::/0 ::/0 tcp flags:0x3F/0x00
POST_INPUT_DROP_CHAIN tcp ::/0 ::/0 tcp option=64
POST_INPUT_DROP_CHAIN tcp ::/0 ::/0 tcp option=128
POST_INPUT_DROP_CHAIN all ::/0 ::/0 state INVALID


Last edited by NP_complete on Mon Nov 03, 2014 3:02 pm; edited 2 times in total
Hu
Moderator


Joined: 06 Mar 2007
Posts: 13504

PostPosted: Sun Nov 02, 2014 3:21 pm    Post subject: Reply with quote

You should probably not use that script. It commits one of the most basic errors of iptables maintenance: non-atomic rule loads. That is why it leaves a mess in your loaded rules when it fails to load some changes. If you still want to use it, you probably want NETFILTER_XT_MATCH_LIMIT and NETFILTER_XT_MATCH_MULTIPORT.
NP_complete
Tux's lil' helper


Joined: 21 Mar 2009
Posts: 100

PostPosted: Sun Nov 02, 2014 3:39 pm    Post subject: Reply with quote

Hu,

Thanks much for the reply.

1. Which iptables loader would you recommend? See, my first move was to get firewalld running, but its GUI relies on python-2. (There may be a good clean Gentoo way of hooking it up with python-2... I'm not sure).

2. Unless you disagree, NETFILTER_XT_MATCH_LIMIT and NETFILTER_XT_MATCH_MULTIPORT are necessary regardless, if the firewall is to be fully functional. No?


Many thanks.
Hu
Moderator


Joined: 06 Mar 2007
Posts: 13504

PostPosted: Sun Nov 02, 2014 4:37 pm    Post subject: Reply with quote

I recommend using iptables-restore to load the rules into the system. You can safely use any front-end that relies on that, and the result will be an atomic load.

Those are necessary for the firewall as you are currently trying to configure it. They are not necessary for all possible firewalls, and it may be possible to build a firewall without them that still satisfies your basic requirements.
NP_complete
Tux's lil' helper


Joined: 21 Mar 2009
Posts: 100

PostPosted: Mon Nov 03, 2014 1:39 pm    Post subject: Reply with quote

I'm gonna follow the advice and go with iptables-restore; arno-iptables-firewall does need the two modules. No way around that, however many config file parameters you turn off. I've done some reading: these modules are good against DoS attacks on servers, but for an end-user box with no externally accessible daemons, they are completely extraneous. I'm uninstalling the package.
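As an added example (not code from this thread or from arno-iptables-firewall), here is a POSIX shell script that builds the kind of ruleset Hu and NP_complete describe above, a default-deny filter for a single-user box with no listening daemons that needs neither the limit nor the multiport match, and loads it atomically with iptables-restore / ip6tables-restore after a --test parse so a rejected rule never leaves half-applied chains behind. The function names gen_rules and load_rules and the "apply" argument are names chosen here.

```shell
#!/bin/sh
# Added example, not code from this thread or from arno-iptables-firewall.
# Minimal filter ruleset for a single-user host with no externally reachable
# daemons, loaded atomically with iptables-restore / ip6tables-restore: the
# kernel either gets the whole ruleset or keeps what it already had.
# Apart from the hop-limit check on IPv6 neighbour discovery, only the
# conntrack match is used, so neither NETFILTER_XT_MATCH_LIMIT nor
# NETFILTER_XT_MATCH_MULTIPORT is required (the price: no rate-limited LOG rules).

# Print the ruleset in iptables-save format for address family "4" or "6".
gen_rules() {
    fam=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ "$fam" = 6 ]; then
        # IPv6 needs router/neighbour discovery (ICMPv6 types 133-136) to work
        # at all. The hop-limit check needs NETFILTER_XT_MATCH_HL (xt_hl), the
        # "-m hl" match the thread's log also shows failing.
        for t in 133 134 135 136; do
            echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
        done
        # DHCPv6 replies are not ESTABLISHED: the request went to a multicast address.
        echo "-A INPUT -p udp --sport 547 --dport 546 -j ACCEPT"
    else
        echo "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    fi
    echo COMMIT
}

# Parse-check the ruleset first (--test commits nothing), then commit it
# in one transaction; a failure at either step leaves the running rules alone.
load_rules() {
    fam=$1
    tool=iptables-restore
    [ "$fam" = 6 ] && tool=ip6tables-restore
    gen_rules "$fam" | "$tool" --test || {
        echo "v$fam ruleset rejected; running rules left untouched" >&2
        return 1
    }
    gen_rules "$fam" | "$tool"
}

# Apply both families only when run as "./script apply" (needs root).
if [ "${1-}" = apply ]; then
    load_rules 4 && load_rules 6
fi
```

Running it as `./script apply` on a kernel that lacks a match produces a single "rejected" line and no change, instead of the scattered chains shown in the first post.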