You need to figure out which part of the rule is causing that error message. It’s probably the -m state part, but not necessarily. The various extensions to iptables and netfilter have to be compiled into the iptables userspace binary and into netfilter in the Linux kernel. You can determine which part you are missing by asking iptables for the help information on the extension you are testing. Here are some ways to test for the various extensions:

$ iptables -m state -h
$ iptables -p icmp -h
$ iptables -j DROP -h

If you get help output that includes information about the extension at the very bottom of the output, then it is compiled into the userspace binary. If not, then you need to recompile iptables. If that works, try the simplest possible rule to see if the extension is included in the kernel space:

$ iptables -A INPUT -m state --state NEW
$ iptables -A INPUT -p icmp
$ iptables -A INPUT -j DROP

(Careful with those rules, the last one you’ll want to remove because it will probably DROP more than you want to!) When you get the error message again: No chain/target/match by that name you’ll know that particular extension is not compiled into your kernel. You’ll need to recompile your kernel.

Look through the make files in linux/net/ipv6/netfilter, linux/net/ipv4/netfilter, and linux/net/netfilter for options on enabling various extensions for the kernel. For the userspace, I think the make files in question are in iptables/extensions but I think the folder structure has changed a little in more recent versions.

Leave a Reply

Your email address will not be published. Required fields are marked *