Gentoo Forums
Wireguard iptables kill switch: No chain/target/match
jtalowell
n00b


Joined: 16 Feb 2019
Posts: 8

Posted: Sun May 05, 2019 8:15 am    Post subject: Wireguard iptables kill switch: No chain/target/match

In advance: I don't know much about networking and I don't know much about iptables. Please be patient with me.
I have wireguard installed:
Code:

*  net-vpn/wireguard
      Latest version available: 0.0.20190406
      Latest version installed: 0.0.20190406

It is loaded:
Code:

$ lsmod | grep wireguard
wireguard             204800  0

Wireguard on its own works fine as far as I can tell. I want to use the iptables kill switch that my service, Mullvad, provides. However, whenever I try to use wg-quick with the provided generated config I get the following output.
Code:

 * Starting Wireguard Interface ...
[#] ip link add mullvad-au1 type wireguard
[#] wg setconf mullvad-au1 /dev/fd/63
[#] ip address add 10.99.65.118/32 dev mullvad-au1
[#] ip address add fc00:bbbb:bbbb:bb01::4176/128 dev mullvad-au1
[#] ip link set mtu 1420 up dev mullvad-au1
[#] resolvconf -a mullvad-au1 -m 0 -x
[#] wg set mullvad-au1 fwmark 51820
[#] ip -6 route add ::/0 dev mullvad-au1 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip -4 route add 0.0.0.0/0 dev mullvad-au1 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
iptables: No chain/target/match by that name.
[#] resolvconf -d mullvad-au1
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev mullvad-au1                                                         [ !! ]
 * ERROR: mullvad-au1 failed to start

I do not get this error on Fedora. I didn't get this error on a previous Gentoo machine. I suspect I'm missing a kernel option but as far as I can tell, I have enabled everything the wiki specifies.
My kernel configuration can be found here.
Does anyone know why this might happen or how I should go ahead debugging?
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 44900
Location: 56N 3W

Posted: Sun May 05, 2019 9:14 am

jtalowell,

Welcome to Gentoo.

The bit that fails is
Code:
iptables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
which is actually two commands.

Code:
iptables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
ip6tables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

Those two commands actually do the same thing, once for IPv4 and once for IPv6

After the commands have failed, run them one at a time (as root), just as I have split them up.

Wild guess ... you don't have IPv6 support or IPv6 firewall support in the kernel, so the first one works and the second one fails.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
jtalowell
n00b


Joined: 16 Feb 2019
Posts: 8

Posted: Sun May 05, 2019 11:59 am

Thanks for the welcome!

NeddySeagoon wrote:

The bit that fails is
Code:
iptables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
which is actually two commands.

Code:
iptables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
ip6tables -I OUTPUT ! -o mullvad-au1 -m mark ! --mark $(wg show mullvad-au1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

Those two commands actually do the same thing, once for IPv4 and once for IPv6

After the commands have failed, run them one at a time (as root), just as I have split them up.

Wild guess ... you don't have IPv6 support or IPv6 firewall support in the kernel, so the first one works and the second one fails.

Based on your guess I've checked and can confirm that I get the same error for both IPv4 and IPv6.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 44900
Location: 56N 3W

Posted: Sun May 05, 2019 12:23 pm

jtalowell,

Make friends with wgetpaste and put your kernel .config onto a pastebin site.

Tell us how you made your kernel too.
jtalowell
n00b


Joined: 16 Feb 2019
Posts: 8

Posted: Sun May 05, 2019 12:41 pm

NeddySeagoon wrote:

Make friends with wgetpaste and put your kernel .config onto a pastebin site.

Is there something wrong with the raw Github link I provided in the original post?
wgetpaste of kernel config as requested: https://bpaste.net/show/46854bbb2623.

I'm not sure exactly what you mean by how I made the kernel.

I used
Code:
$ make localmodconfig

from a Gentoo live usb before enabling specific things.
I build the kernel using the following commands.

Code:

$ make -j9
$ make modules_install
$ make install
$ genkernel --lvm --luks --install initramfs
$ emerge @module-rebuild
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 44900
Location: 56N 3W

Posted: Sun May 05, 2019 1:23 pm

jtalowell,

I must have been low on caffeine when I read your original post. I missed the kernel config and the iptables in
Code:
iptables: No chain/target/match by that name.

That it's not ip6tables says the error is IPv4 related.
To compound that, the && means that the second command only runs if the first succeeds. That's three errors. Sorry about that.

Your kernel has
Code:
CONFIG_NF_REJECT_IPV4=y
CONFIG_IP_NF_TARGET_REJECT=y
...
CONFIG_NF_REJECT_IPV6=y
CONFIG_IP6_NF_TARGET_REJECT=y


So you have the REJECT targets. The OUTPUT chain is fine. It's one of the fundamental INPUT, OUTPUT and FORWARD chains.
That leaves a problem with the match.

Indeed, your MARK options in the kernel are off.

-- edit --

The reason for asking an open question about the kernel build process is that many users use genkernel, which has known shortcomings, which can all be worked around if you know about them.
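A small check script, added here as an example and not taken from the thread, from Mullvad or from WireGuard, that greps a kernel .config for the symbols behind each piece of the kill-switch rule (REJECT target, `-m mark`, `-m addrtype`). The four REJECT symbols are the ones quoted in the post above; CONFIG_NETFILTER_XT_MARK and CONFIG_NETFILTER_XT_MATCH_ADDRTYPE are the Kconfig names for the mark and addrtype matches as found in the kernel source, not something the thread shows, so treat them as an assumption to verify against your kernel version. The point of the script is that iptables reports a missing target and a missing match with the same "No chain/target/match by that name" line, so the .config is the only place that says which one is absent. It runs against a constructed sample config that mirrors this thread unless you pass it a file.

```shell
#!/bin/sh
# Added example, not code from the thread, Mullvad or WireGuard.
# Checks a kernel .config for the Kconfig symbols needed by the rule
#   iptables -I OUTPUT ! -o <wg-if> -m mark ! --mark <fwmark> \
#            -m addrtype ! --dst-type LOCAL -j REJECT
# and its ip6tables twin. The REJECT symbols are the ones quoted in the
# thread; NETFILTER_XT_MARK (-m mark) and NETFILTER_XT_MATCH_ADDRTYPE
# (-m addrtype) are taken from the kernel Kconfig and are an assumption.

REQUIRED_SYMBOLS="
CONFIG_NETFILTER_XT_MARK
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE
CONFIG_NF_REJECT_IPV4
CONFIG_IP_NF_TARGET_REJECT
CONFIG_NF_REJECT_IPV6
CONFIG_IP6_NF_TARGET_REJECT
"

# missing_symbols CONFIG_FILE
# Prints every required symbol that is neither =y nor =m in CONFIG_FILE,
# one per line. Returns 0 if the rule should load, 1 if something is missing.
# A line such as "# CONFIG_FOO is not set" deliberately does not match.
missing_symbols() {
    config="$1"
    status=0
    for sym in $REQUIRED_SYMBOLS; do
        if ! grep -Eq "^${sym}=(y|m)$" "$config"; then
            echo "$sym"
            status=1
        fi
    done
    return "$status"
}

# write_sample_config FILE
# Constructed sample mirroring the thread: REJECT targets present, the mark
# match left "not set". Not a real kernel config.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NF_REJECT_IPV4=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_NF_REJECT_IPV6=y
CONFIG_IP6_NF_TARGET_REJECT=y
# CONFIG_NETFILTER_XT_MARK is not set
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
EOF
}

# killswitch_check_main [CONFIG_FILE]
# With no argument, checks the constructed sample; otherwise the given file.
killswitch_check_main() {
    if [ -n "$1" ]; then
        config="$1"
    else
        config=$(mktemp)
        write_sample_config "$config"
    fi
    if missing="$(missing_symbols "$config")"; then
        echo "all kill-switch prerequisites present in $config"
    else
        echo "missing from $config (rebuild the kernel with these as y or m):"
        echo "$missing"
    fi
    [ -n "$1" ] || rm -f "$config"
}

killswitch_check_main "$@"
```

To run it against the kernel you are booted into rather than the sample, export the live config first (`zcat /proc/config.gz > /tmp/config`, which needs CONFIG_IKCONFIG_PROC) and pass that path as the first argument; on the sample it reports only CONFIG_NETFILTER_XT_MARK as missing, which is the situation diagnosed above.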
jtalowell
n00b


Joined: 16 Feb 2019
Posts: 8

Posted: Sun May 05, 2019 11:56 pm

NeddySeagoon wrote:

Indeed, your MARK options in the kernel are off.


Thank you! This was the problem. After enabling this in the kernel I don't have any issues.