I'm currently working on a project of making a highly secured router with my Raspberry Pi to navigate anonymously on the net. Yet, I'm not able to correctly transfer the Internet connection to the new server:

    pi@raspberrypi:~ $ sudo iptables -t nat -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables: No chain/target/match by that name.

After some research on the error message, it seems that maybe I forgot to compile the module or forgot to do a depmod (but I don't understand what that means...)

Indeed I did:

  • SSH connection to my Raspberry Pi: ssh [user]@[IP address]
  • installed the Dynamic Host Configuration Protocol: `sudo apt-get install hostapd isc-dhcp-server`
  • configured DHCP by adding a # to the two options about domain name and removing the # in front of the authoritative option seven lines below
  • adding

    subnet 192.168.42.0 netmask 255.255.255.0 {
      range 192.168.42.10 192.168.42.50;
      option broadcast-address 192.168.42.255;
      option routers 192.168.42.1;
      default-lease-time 600;
      max-lease-time 7200;
      option domain-name "local";
      option domain-name-servers 8.8.8.8, 8.8.4.4;
    }

to the file and saving it,

  • modified the DHCP server settings in order to be able to use it with a wireless adapter: `INTERFACES="wlan0"`
  • set the Wi-Fi adapter with a static address and enabled it to receive incoming signals: `sudo nano /etc/network/interfaces`, adding a # to `iface wlan0` and to the following lines about anything connected to wlan0
  • Gave the interface a static IP address:

    iface wlan0 inet static
      address 192.168.XX.X
      netmask 255.255.255.0

saving.

  • Assign the wlan0 address 192.168.XX.X
  • creating the WLAN and configuring it
  • Modifying the Hostapd
  • Configuring a NAT to do the network routing.
  • Finally executing the two following commands to be sure that the connection has actually correctly been transferred:

    pi@raspberrypi:~ $ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    pi@raspberrypi:~ $ sudo iptables -t nat -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables: No chain/target/match by that name.

  • After boot, type `dmesg | grep eth`. You'll see something like this: `eth0 was changed to eth2`. Then edit `/etc/network/interfaces` and change eth0 to eth2. – Omid1989 Jun 01 '16 at 06:12
  • @Omid1989 Thank you for your answer, I had `:~ $ dmesg | grep eth [ 3.745981] smsc95xx 1-1.1:1.0 eth0: register 'smsc95xx' at usb-3f980000.usb-1.1, smsc95xx USB 2.0 Ethernet, b8:27:eb:c7:c5:66 [ 10.949785] smsc95xx 1-1.1:1.0 eth0: hardware isn't capable of remote wakeup [ 10.950104] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready [ 12.529612] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready [ 12.530777] smsc95xx 1-1.1:1.0 eth0: link up, 100Mbps, full-duplex, lpa 0xC5E1` So I changed `iface eth0 inet manual` to `iface eth2 inet manual` but still I have the problem... – Revolucion for Monica Jun 01 '16 at 09:40
  • According to the logs, there is no need to change it to eth2. So change it back to eth0. The log says `eth0: link becomes ready`, so it should connect to the internet. Remove the static address and netmask, and try again. – Omid1989 Jun 01 '16 at 10:00

1 Answer

The error:

    iptables: No chain/target/match by that name

Some information from `man iptables`:

TABLES

filter:

This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

nat:

This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

And the command that generated the error with some indication of the cause, based on the documentation:

    sudo iptables -t nat -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
                     ^^^    ^^^^^^^

So, as it says, there is no table nat with a chain FORWARD to do whatever it is you are intending to do there.


If you have not looked at iptables.info yet, BTW, it is worth doing some reading there. It has helped me in the past WRT using things such as hostapd and dhcpd (in an actual server context) -- although it does not talk about them directly, it does help to make sense of all those "Let's make a hotspot 1-2-3!" type blogs that are around which sometimes deal in cargo cult semantics. It never hurts to understand in detail what it is you are actually doing, even though this may seem like an impediment to rushing toward the 1-2-3 goal.

Unfortunately my own attitude toward networking on linux makes it difficult to offer other people specific advice about high level things, because I'm starting out from a fundamentally different perspective although really it is all the same software (such as iptables) involved.

Here's a couple of links from that site as examples of what I am talking about, that I think may be pertinent to your case:

And just reading down through the table of contents in the original link for a few minutes is worthwhile. To be a bit repetitive: If you are truly interested in doing this right you need to understand it, not just keep plugging away with the 1-2-3 type suggestions. This may require pushing the ultimate goal back a bit. That site is certainly hands down the best source of iptables related information on the internet and probably one of the best introductions to IP packet transfer protocols as well.

I am not claiming to be any kind of wizard with this stuff. You are more likely to find those people on Unix & Linux, just have your tish together and try to think about specific questions that can be generalized in a way that the answer might shed light on a mysterious issue too often glazed over by the 1-2-3 cargo cult blogs mentioned earlier.

goldilocks
  • Thank you for your answer! Still, I configured a nat table with a chain forward by doing: `sudo nano /etc/sysctl.conf` and added at the end of the file `net.ipv4.ip_forward=1`... – Revolucion for Monica Jun 01 '16 at 09:44
  • Okay. I don't have a complete solution for you, like I said the question is perhaps a bit too broad in that sense but I have given it the benefit of the doubt WRT to mod hammering it closed ;) I've also edited in a conceptual suggestion at the end, above. – goldilocks Jun 01 '16 at 12:32
  • Okay, I understand the "1-2-3" approach as the cargo cult engineering approach and indeed I follow a step by step guide to create my router which I don't understand perfectly. Still I understand that `net.ipv4.ip_forward=1` was a kind of intellectual piracy to force the table nat to have a chain forward. I started to read iptables.info, but I'm going to ask my question on Unix & Linux. Thanks for the help still, I upvoted – Revolucion for Monica Jun 02 '16 at 08:44
  • I don't know where you got that impression, but perhaps you want to go back and re-read it. `net.ipv4.ip_forward` does not "force the table nat to have a chain forward". It enables IP forwarding, which means the kernel (via iptables) can be configured to send incoming packets back out again. Generally this is from one interface to another, but it may also or instead be from one address to another, etc. If it is in a hotspot/access point context then the general case is to use `MASQUERADE` with the NAT table so that packets *sent back in response* from wherever: – goldilocks Jun 02 '16 at 09:06
  • 1) Get to this machine, 2) Are then forwarded correctly in the other direction. However, the FORWARD chain is part of the (default) filter table, not NAT. Put another way, here `iptables -t nat -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT` is (sort of) what you want to do **except for the `-t nat` part**. Also, if you do this then you have to set up a bunch more forwarding rules in order to allow `ESTABLISHED,RELATED` connections to become such. You also have to allow packets forwarded in the other direction, so the easier thing to do initially is to: – goldilocks Jun 02 '16 at 09:07
  • 1) Forget the `-m state` stuff, and include another reverse rule, `FORWARD -i wlan0 -o eth0 -j ACCEPT` or (better yet) 2) Just set the default FORWARD chain policy (and for that matter the whole filter table) to ACCEPT. Then once you get that working for you, you can start adding security oriented rules in. – goldilocks Jun 02 '16 at 09:07
  • Okay, so the command should be `iptables -t nat -A FORWARD -i eth0 -o wlan0 FORWARD -wlan0 -eth0 -j ACCEPT --state RELATED,ESTABLISHED -j ACCEPT`, isn't it? (I am not able to set the default FORWARD chain policy to ACCEPT). Yet it answers me: `Bad argument `FORWARD'` – Revolucion for Monica Jun 05 '16 at 13:56
  • No. Again as I said in the original answer, quoting the documentation, and as taken for granted in my last set of comments: *The NAT table has **no** FORWARD chain.* You cannot pretend there is. You cannot create one. Etc. This is the cause of your error. *The FORWARD chain is part of the (default) "filter" table*. As long as you insist on adding rules to a chain which does not exist, you will get the same error. Again, repeat to yourself as necessary: "The FORWARD chain is **not** part of the NAT table. The FORWARD chain is **not** part of the NAT table..." – goldilocks Jun 05 '16 at 14:00
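
The table/chain mismatch described in the answer and comments, as an added example that is not part of the original posts: a dry-run wrapper that refuses a rule whose chain does not exist in the selected table, then prints the MASQUERADE and FORWARD rules in the tables where they belong. The function names, the `APPLY` variable and the roles of eth0 (uplink) and wlan0 (hotspot side) are assumptions of this example.

```bash
# Built-in chains per table, as in the man page excerpt quoted in the answer
# (newer kernels also give nat an INPUT chain, included here).
builtin_chains() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
        *)      return 2 ;;   # table not covered by this example
    esac
}

# check_rule ARGS...: succeed only if the chain given to -A/-I exists in the
# table selected by -t (filter when -t is absent). Variables are global (POSIX sh).
check_rule() {
    table=filter chain= prev=
    for arg in "$@"; do
        case "$prev" in
            -t)    table=$arg ;;
            -A|-I) chain=$arg ;;
        esac
        prev=$arg
    done
    chains=$(builtin_chains "$table") || return 2
    for c in $chains; do
        [ "$c" = "$chain" ] && return 0
    done
    echo "no chain '$chain' in table '$table'" >&2
    return 1
}

# ipt ARGS...: validate first, then print the command (dry run).
# Set APPLY=1 and run as root to execute it instead.
ipt() {
    check_rule "$@" || return 1
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# hotspot WAN LAN: NAT in nat/POSTROUTING, forwarding in filter/FORWARD.
hotspot() {
    ipt -t nat -A POSTROUTING -o "$1" -j MASQUERADE &&
    ipt -A FORWARD -i "$1" -o "$2" -m state --state RELATED,ESTABLISHED -j ACCEPT &&
    ipt -A FORWARD -i "$2" -o "$1" -j ACCEPT
}

# Dry run: the rule from the question is refused, the corrected set is printed.
ipt -t nat -A FORWARD -i eth0 -o wlan0 -j ACCEPT || echo "refused before reaching iptables"
hotspot eth0 wlan0
```

Forwarding itself still depends on `net.ipv4.ip_forward=1`, as the comments point out; the rules only decide which forwarded packets are accepted and how they are rewritten.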