WR841N Couldn't load match `string/// iptables: No chain/target/match by that name

Xameleon07 · October 16, 2020, 6:26pm

Hello colleagues, there is a TP-link WR841N firmware OpenWrt 19.07.3 r11063-85e04e9f46
I run the team with Putty

iptables -I FORWARD -s 192.168.1.146 -p udp --dport 27000: 27200

writes

root @ OpenWrt: ~ # iptables v1.8.3 (legacy): Couldn't load match `string ': No such file or directory

how to solve the problem?)

vgaetera · October 16, 2020, 6:52pm

https://openwrt.org/packages/pkgdata/iptables-mod-filter

Also remove extra spaces.

Xameleon07 · October 16, 2020, 6:55pm

Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for iptables-mod-filter:
 * 	kernel (= 4.14.180-1-a92ce55d841785d45d31bc9fd28a9e0f)
 * opkg_install_cmd: Cannot install package iptables-mod-filter.
The *opkg install*  command failed with code `255` .

vgaetera · October 16, 2020, 6:56pm

Xameleon07 · October 16, 2020, 6:58pm

ok i instaled. I have now problem

Package kmod-ipt-filter (4.14.180-1) installed in root is up to date.
root@OpenWrt:~# opkg install iptables-mod-filter
Package iptables-mod-filter (1.8.3-1) installed in root is up to date.
root@OpenWrt:~# iptables -I FORWARD -s 192.168.1.146 -p udp --dport 27506:27265 --match string --algo kmp --hex-string '|73 84 85 61 5d 69
64 3a 37 37 3a 39|' -j DROP
iptables: No chain/target/match by that name.

Xameleon07 · October 17, 2020, 9:30am

Hello))) nowbody to help?

Xameleon07 · October 17, 2020, 9:47am

root@OpenWrt:~# opkg install xt_string
Unknown package 'xt_string'.
Collected errors:

opkg_install_cmd: Cannot install package xt_string.
root@OpenWrt:~#

Xameleon07 · October 17, 2020, 9:57am

root@OpenWrt:~# -m state
-ash: -m: not found
root@OpenWrt:~# iptables -m state -h
iptables v1.8.3 (legacy): Couldn't load match `state':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
root@OpenWrt:~# iptables -p icmp -h
iptables v1.8.3

Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. tcp' [!] --source -s address[/mask][...] source specification [!] --destination -d address[/mask][...] destination specification [!] --in-interface -i input name[+] network interface name ([+] for wildcard) --jump -j target target for rule (may load target extension) --goto -g chain jump to chain with no return --match -m match extended match (may load extension) --numeric -n numeric output of addresses and ports [!] --out-interface -o output name[+] network interface name ([+] for wildcard) --table -t table table to manipulate (default: filter')
--verbose -v verbose mode
--wait -w [seconds] maximum wait to acquire xtables lock before give up
--wait-interval -W [usecs] wait time to try to acquire xtables lock
default is 1 second
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe= try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.

icmp match options:
[!] --icmp-type typename match icmp type
[!] --icmp-type type[/code] (or numeric type or type/code)
Valid ICMP Types:
any
echo-reply (pong)
destination-unreachable
network-unreachable
host-unreachable
protocol-unreachable
port-unreachable
fragmentation-needed
source-route-failed
network-unknown
host-unknown
network-prohibited
host-prohibited
TOS-network-unreachable
TOS-host-unreachable
communication-prohibited
host-precedence-violation
precedence-cutoff
source-quench
redirect
network-redirect
host-redirect
TOS-network-redirect
TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
ttl-zero-during-transit
ttl-zero-during-reassembly
parameter-problem
ip-header-bad
required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply
root@OpenWrt:~# iptables -j DROP -h
iptables v1.8.3

Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. tcp' [!] --source -s address[/mask][...] source specification [!] --destination -d address[/mask][...] destination specification [!] --in-interface -i input name[+] network interface name ([+] for wildcard) --jump -j target target for rule (may load target extension) --goto -g chain jump to chain with no return --match -m match extended match (may load extension) --numeric -n numeric output of addresses and ports [!] --out-interface -o output name[+] network interface name ([+] for wildcard) --table -t table table to manipulate (default: filter')
--verbose -v verbose mode
--wait -w [seconds] maximum wait to acquire xtables lock before give up
--wait-interval -W [usecs] wait time to try to acquire xtables lock
default is 1 second
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe= try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.

standard match options:
(If target is DROP, ACCEPT, RETURN or nothing)
root@OpenWrt:~#

Xameleon07 · October 17, 2020, 10:07am

How to inst iptables -m state? Help pliz)))

vgaetera · October 17, 2020, 10:13am

Post the output:

opkg list-installed iptables-mod-filter
insmod xt_string

Xameleon07 · October 17, 2020, 10:15am

root@OpenWrt:~# opkg list-installed iptables-mod-filter
iptables-mod-filter - 1.8.3-1
root@OpenWrt:~# insmod xt_string
module is already loaded - xt_string
root@OpenWrt:~#

Xameleon07 · October 17, 2020, 10:16am

root@OpenWrt:~# iptables -I FORWARD -s 192.168.1.146 -p udp --dport 27506:27265 --match string --algo kmp --hex-string '|73 84 85 61 5d 69
64 3a 37 37 3a 39|' -j DROP
iptables: No chain/target/match by that name.

Xameleon07 · October 17, 2020, 10:29am

root@OpenWrt:~# opkg list-installed iptables-mod-filter
iptables-mod-filter - 1.8.3-1
root@OpenWrt:~# insmod xt_string
module is already loaded - xt_string
root@OpenWrt:~# iptables -I FORWARD -s 192.168.1.146 -p udp --dport 27506:27265 --match string --algo kmp --hex-string '|73 84 85 61 5d 69
64 3a 37 37 3a 39|' -j DROP
iptables: No chain/target/match by that name.
root@OpenWrt:~#

vgaetera · October 17, 2020, 10:51am

Actually your rule works for me.
If you have built OpenWrt from source, you have probably missed some essential iptables/netfilter modules.
Otherwise I have no idea why it is not working for you.

Xameleon07 · October 17, 2020, 11:00am

how to find missed some essential iptables/netfilter modules.?

vgaetera · October 17, 2020, 11:06am

Compare with yours:

# opkg list-installed | grep -e ^kmod-ipt- -e ^kmod-nf-
kmod-ipt-conntrack - 4.14.187-1
kmod-ipt-core - 4.14.187-1
kmod-ipt-nat - 4.14.187-1
kmod-ipt-offload - 4.14.187-1
kmod-nf-conntrack - 4.14.187-1
kmod-nf-conntrack6 - 4.14.187-1
kmod-nf-flow - 4.14.187-1
kmod-nf-ipt - 4.14.187-1
kmod-nf-ipt6 - 4.14.187-1
kmod-nf-nat - 4.14.187-1
kmod-nf-reject - 4.14.187-1
kmod-nf-reject6 - 4.14.187-1

Xameleon07 · October 18, 2020, 4:01pm

root@OpenWrt:~# opkg list-installed
base-files - 204.2-r11063-85e04e9f46
busybox - 1.30.1-5
cgi-io - 19
dnsmasq - 2.80-16.1
dropbear - 2019.78-2
firewall - 2019-11-22-8174814a-1
fstools - 2020-05-12-84269037-1
fwtool - 2
getrandom - 2019-06-16-4df34a4d-3
hostapd-common - 2019-08-08-ca8c2bd2-3
ip6tables - 1.8.3-1
iptables - 1.8.3-1
iptables-mod-filter - 1.8.3-1
iw - 5.0.1-1
iwinfo - 2019-10-16-07315b6f-1
jshn - 2020-02-27-7da66430-1
jsonfilter - 2018-02-04-c7e938d6-1
kernel - 4.14.180-1-d1395bd0165e8f53cb75b896fafd3695
kmod-ath - 4.14.180+4.19.120-1-1
kmod-ath9k - 4.14.180+4.19.120-1-1
kmod-ath9k-common - 4.14.180+4.19.120-1-1
kmod-atm - 4.14.180-1
kmod-cfg80211 - 4.14.180+4.19.120-1-1
kmod-crypto-aead - 4.14.180-1
kmod-crypto-ecb - 4.14.180-1
kmod-crypto-hash - 4.14.180-1
kmod-crypto-manager - 4.14.180-1
kmod-crypto-null - 4.14.180-1
kmod-crypto-pcompress - 4.14.180-1
kmod-crypto-sha1 - 4.14.180-1
kmod-gpio-button-hotplug - 4.14.180-3
kmod-gre - 4.14.180-1
kmod-ip6tables - 4.14.180-1
kmod-ipt-conntrack - 4.14.180-1
kmod-ipt-core - 4.14.180-1
kmod-ipt-filter - 4.14.180-1
kmod-ipt-nat - 4.14.180-1
kmod-ipt-offload - 4.14.180-1
kmod-iptunnel - 4.14.180-1
kmod-l2tp - 4.14.180-1
kmod-lib-crc-ccitt - 4.14.180-1
kmod-mac80211 - 4.14.180+4.19.120-1-1
kmod-mppe - 4.14.180-1
kmod-nf-conntrack - 4.14.180-1
kmod-nf-conntrack6 - 4.14.180-1
kmod-nf-flow - 4.14.180-1
kmod-nf-ipt - 4.14.180-1
kmod-nf-ipt6 - 4.14.180-1
kmod-nf-nat - 4.14.180-1
kmod-nf-reject - 4.14.180-1
kmod-nf-reject6 - 4.14.180-1
kmod-ppp - 4.14.180-1
kmod-pppoa - 4.14.180-1
kmod-pppoe - 4.14.180-1
kmod-pppol2tp - 4.14.180-1
kmod-pppox - 4.14.180-1
kmod-pptp - 4.14.180-1
kmod-slhc - 4.14.180-1
kmod-udptunnel4 - 4.14.180-1
kmod-udptunnel6 - 4.14.180-1
libblobmsg-json - 2020-02-27-7da66430-1
libc - 1.1.24-2
libgcc1 - 7.5.0-2
libip4tc2 - 1.8.3-1
libip6tc2 - 1.8.3-1
libiwinfo-lua - 2019-10-16-07315b6f-1
libiwinfo20181126 - 2019-10-16-07315b6f-1
libjson-c2 - 0.12.1-3.1
libjson-script - 2020-02-27-7da66430-1
liblua5.1.5 - 5.1.5-3
liblucihttp-lua - 2019-07-05-a34a17d5-1
liblucihttp0 - 2019-07-05-a34a17d5-1
libnl-tiny - 0.1-5
libpthread - 1.1.24-2
libubox20191228 - 2020-02-27-7da66430-1
libubus-lua - 2019-12-27-041c9d1c-1
libubus20191227 - 2019-12-27-041c9d1c-1
libuci20130104 - 2019-09-01-415f9e48-3
libuclient20160123 - 2019-05-30-3b3e368d-1
libxtables12 - 1.8.3-1
linux-atm - 2.5.2-7
logd - 2019-06-16-4df34a4d-3
lua - 5.1.5-3
luci - git-20.136.49537-fb2f363-1
luci-app-firewall - git-20.136.49537-fb2f363-1
luci-app-opkg - git-20.136.49537-fb2f363-1
luci-base - git-20.136.49537-fb2f363-1
luci-lib-ip - git-20.136.49537-fb2f363-1
luci-lib-jsonc - git-20.136.49537-fb2f363-1
luci-lib-nixio - git-20.136.49537-fb2f363-1
luci-mod-admin-full - git-20.136.49537-fb2f363-1
luci-mod-network - git-20.136.49537-fb2f363-1
luci-mod-status - git-20.136.49537-fb2f363-1
luci-mod-system - git-20.136.49537-fb2f363-1
luci-proto-ipv6 - git-20.136.49537-fb2f363-1
luci-proto-ppp - git-20.136.49537-fb2f363-1
luci-theme-bootstrap - git-20.136.49537-fb2f363-1
mtd - 24
netifd - 2019-08-05-5e02f944-1
odhcp6c - 2019-01-11-e199804b-16
odhcpd-ipv6only - 2020-05-03-49e4949c-3
openwrt-keyring - 2019-07-25-8080ef34-1
opkg - 2020-05-07-f2166a89-1
ppp - 2.4.7.git-2019-05-25-3
ppp-mod-pppoe - 2.4.7.git-2019-05-25-3
ppp-mod-pptp - 2.4.7.git-2019-05-25-3
procd - 2020-03-07-09b9bd82-1
resolveip - 2
rpcd - 2019-12-10-aaa08366-2
rpcd-mod-file - 2019-12-10-aaa08366-2
rpcd-mod-iwinfo - 2019-12-10-aaa08366-2
rpcd-mod-luci - 20191114
rpcd-mod-rrdns - 20170710
swconfig - 12
uboot-envtools - 2018.03-3
ubox - 2019-06-16-4df34a4d-3
ubus - 2019-12-27-041c9d1c-1
ubusd - 2019-12-27-041c9d1c-1
uci - 2019-09-01-415f9e48-3
uclient-fetch - 2019-05-30-3b3e368d-1
uhttpd - 2020-03-13-975dce23-1
urandom-seed - 1.0-1
urngd - 2020-01-21-c7f7b6b6-1
usign - 2019-08-06-5a52b379-1
wireless-regdb - 2019.06.03-1
wpad-mini - 2019-08-08-ca8c2bd2-3
zlib - 1.2.11-3
root@OpenWrt:~#