Iptables & conntrack & ctstate

j.mingorance · February 13, 2023, 4:02pm

Hello everyone,

I am trying to append a rule to the firewall configuration by using the following command:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Unfortunately, this returns the following error:

iptables: No chain/target/match by that name.

Some information about the system:

iptables version: v1.6.1
iptables -m conntrack --help contains help about conntrack
Some configuration of /proc/config.gz:
- CONFIG_NETFILTER=y
- CONFIG_NETFILTER_NETLINK=y
- # CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set

Do I have to activate any kernel option, or am I trying to append an invalid rule?

Thanks in advance.

VF61
Image version 2.8.6

alex.tx · February 13, 2023, 6:17pm

The error message you received indicates that the “conntrack” match module is not available on your system. This is likely because the kernel option CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set in your system’s configuration.

To resolve the issue, you need to ensure that this option is enabled in your system’s kernel configuration and then rebuild the kernel. Once the kernel is rebuilt, you should be able to use the “conntrack” match module in your iptables rules.

Alternatively, you can try using a different match module, such as “state”, which should be available on most systems:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT