[Firehol-support] Errors when running firehol
Phil Whineray
phil at sanewall.org
Sat Jan 24 09:32:52 GMT 2015
Jason
On Fri, Jan 23, 2015 at 05:17:18PM -0800, Jason Miller wrote:
> On 16:26 Fri 23 Jan , Jason Miller wrote:
> > On 00:04 Sat 24 Jan , Phil Whineray wrote:
> > > On Fri, Jan 23, 2015 at 03:26:16PM -0800, Jason Miller wrote:
> > > > Hi Phil,
> > > > On 22:58 Fri 23 Jan , Phil Whineray wrote:
> > > > > Hi Jason
> > > > >
> > > > > On Fri, Jan 23, 2015 at 02:09:44PM -0800, Jason Miller wrote:
> > > > > > I got a lot of errors the first time I tried running firehol 2.0:
> > > > > >
> > > > > >
> > > > > > iptables: No chain/target/match by that name.

I'm a bit stumped to be honest. We can try and simplify to the minimum
problem though.

If I clear any existing iptables, e.g.:

    firehol stop

This command is successful for me:

    /sbin/iptables -t filter -A OUTPUT -m conntrack --ctstate \
        ESTABLISHED,RELATED -m helper --helper ftp -j ACCEPT

I expect that the iptables command will fail for you with the same error
as reported via firehol.

You can then try to see if it is conntrack / ftp helper / both:

    /sbin/iptables -t filter -A OUTPUT -m conntrack --ctstate \
        ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -t filter -A OUTPUT -m helper --helper ftp -j ACCEPT

Listing the tables, I can see all 3 rules (my output at the bottom):

    firehol status

Regards
Phil

--- MANGLE IPv4 ----------------------------------------------------------------
Chain PREROUTING (policy ACCEPT 14 packets, 2147 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 14 packets, 2147 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12 packets, 3317 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 12 packets, 3317 bytes)
pkts bytes target prot opt in out source destination
--- MANGLE IPv6 ----------------------------------------------------------------
Chain PREROUTING (policy ACCEPT 1 packets, 223 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1 packets, 223 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
--- NAT IPv4 -------------------------------------------------------------------
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 69 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 69 bytes)
pkts bytes target prot opt in out source destination
--- NAT IPv6 -------------------------------------------------------------------
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
--- FILTER IPv4 ----------------------------------------------------------------
Chain INPUT (policy ACCEPT 5 packets, 748 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 138 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "ftp"
3 1253 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 helper match "ftp"
--- FILTER IPv6 ----------------------------------------------------------------
Chain INPUT (policy ACCEPT 1 packets, 223 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
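
Added example (not part of the message above and not FireHOL code): the bisection described in the message, scripted so that the test rules go into a scratch chain instead of the live OUTPUT chain and are removed afterwards. The chain name fh_probe and the IPT and RUN_DIAGNOSE variables are assumptions made for this example.

```shell
#!/bin/sh
# Isolate which match extension makes iptables report
# "No chain/target/match by that name".
IPT="${IPT:-/sbin/iptables}"   # assumption: override to point at another binary or a stub
PROBE_CHAIN="fh_probe"         # hypothetical scratch chain; nothing jumps to it

# try_rule MATCH-ARGS... : append one ACCEPT rule to the scratch chain.
# Returns iptables' exit status (non-zero when a match cannot be loaded).
try_rule() {
    $IPT -t filter -A "$PROBE_CHAIN" "$@" -j ACCEPT 2>/dev/null
}

# diagnose : prints ok | conntrack | helper | both | combined | setup-failed
diagnose() {
    $IPT -t filter -N "$PROBE_CHAIN" 2>/dev/null || { echo setup-failed; return 2; }
    ct=ok; hl=ok; combo=ok
    try_rule -m conntrack --ctstate ESTABLISHED,RELATED || ct=fail
    try_rule -m helper --helper ftp || hl=fail
    try_rule -m conntrack --ctstate ESTABLISHED,RELATED \
             -m helper --helper ftp || combo=fail
    # Remove the probe rules and the scratch chain again.
    $IPT -t filter -F "$PROBE_CHAIN" 2>/dev/null
    $IPT -t filter -X "$PROBE_CHAIN" 2>/dev/null
    case "$ct/$hl/$combo" in
        ok/ok/ok)    echo ok ;;         # all three rules load, as in the output above
        fail/fail/*) echo both ;;       # neither match is available
        fail/ok/*)   echo conntrack ;;  # only the conntrack match fails
        ok/fail/*)   echo helper ;;     # only the ftp helper match fails
        ok/ok/fail)  echo combined ;;   # each works alone, the combined rule does not
    esac
}

# Run against the real iptables only when asked to (needs root).
if [ "${RUN_DIAGNOSE:-0}" = 1 ]; then
    diagnose
fi
```

Run it as root with RUN_DIAGNOSE=1; a result of setup-failed means the scratch chain could not be created, for example because it already exists or iptables is not usable at all.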