Hi all

I have added the following rules to /etc/firewall_user

iptables -t nat -A prerouting_wan_rule -p tcp --dport 1234  -m state --state NEW -m recent --name ATTACKER_SSH --rsource --update --seconds 180 --hitcount 5 -j DROP
iptables -t nat -A prerouting_wan_rule -p tcp --dport 1234  -m state --state NEW -m recent --name ATTACKER_SSH --rsource --set

When restarting the firewall I get the following error: 'iptables v1.4.21: Couldn't load match `recent':No such file or directory'.

I'm running on:

Firmware Version: OpenWrt Barrier Breaker 14.07-rc3 / LuCI Trunk (svn-r10467)
Kernel Version:    3.10.49

Any ideas what the error is here?

Thank you for your help!

Install iptables-mod-conntrack-extra.

Thank you!

The "nat" table is not intended for filtering, the use of DROP is therefore inhibited. Using REJECT instead of DROP solves that problem.

I now get the following errors:

iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.

Thx

You're trying to use a chain that doesn't exist?

You're right, when looking at the existing chains (iptables --list) I can't find it.

I can find it though in the documentation (http://wiki.openwrt.org/doc/uci/firewall): prerouting_name_rule (where name is to be replaced by the zone name.

You're looking at the wrong table. As you can see in the docs, those chains are in the "nat" table.

I have set '-t nat' so I'm using the nat-table ... or am I getting something completely wrong here?

# iptables -t nat -L | grep prerouting_
prerouting_rule  all  --  anywhere             anywhere             /* user chain for prerouting */
Chain prerouting_lan_rule (1 references)
Chain prerouting_rule (1 references)
Chain prerouting_tor_rule (1 references)
Chain prerouting_vpn_rule (1 references)
Chain prerouting_wan_rule (1 references)
prerouting_lan_rule  all  --  anywhere             anywhere             /* user chain for prerouting */
prerouting_tor_rule  all  --  anywhere             anywhere             /* user chain for prerouting */
prerouting_vpn_rule  all  --  anywhere             anywhere             /* user chain for prerouting */
prerouting_wan_rule  all  --  anywhere             anywhere             /* user chain for prerouting */

(Last edited by arokh on 7 Sep 2014, 21:12)

Thx. Yes I can see the prerouting_wan_rule like that. Why can't I then use

iptables -t nat -A prerouting_wan_rule -p tcp --dport 1234  -m state --state NEW -m recent --name ATTACKER_SSH --rsource --set

I've tried to use the filter table instead

iptables -t filter -A input_wan_rule  -p tcp --dport 1234  -m state --state NEW -m recent --name ATTACKER_SSH --rsource --set

I also get 'No chain/target/match by that name'

According to the error message, either chain, target or match is the problem. You know it's not the chain, and the rule doesn't specify target (means ACCEPT), so it's gotta be the match. Maybe missing another package?

Check that you have kmod-ipt-conntrack installed.

Thank you so much for your help. Sorry for my ignorance ... (I'm a iptables newbie,as you of course can tell) ... I don't really know how to proceed.

Yes, I have it installed.

The same command works for me. Do an "lsmod | grep xt_state" and check that you have xt_state loaded.

Yes, I have it.

The missing kernel module was xt_recent. After loading it my rule works.

Thx for your help!

Same for me, I just had to load the xt_recent module using 'insmod xt_recent' and it works.

Thank you for your help !