Symptoms

When trying to add an iptables rule inside a container, the operation results in an error similar to the following:

# iptables -t mangle -A PREROUTING -s x.x.x.x -j TTL --ttl-set 64
iptables: No chain/target/match by that name.

Cause

To execute an "action" rule (one that uses a target such as TTL), the corresponding match and target modules must be available inside the container. Most likely, the required match or target module is not loaded on the node.

Resolution

Check which match and target modules are available to the container in question and load the ones that are missing.

Example:

For the command iptables -t mangle -A PREROUTING -s x.x.x.x -j TTL --ttl-set 64:

[root@mycontainer ~]# cat /proc/net/ip_tables_matches
udp
tcp
conntrack
owner
connlimit
recent
helper
state
length
ttl
tcpmss
icmp
multiport
multiport
limit
tos

[root@mycontainer ~]# cat /proc/net/ip_tables_targets
REDIRECT
MASQUERADE
DNAT
SNAT
TCPMSS
ERROR
LOG
TOS
REJECT

For the command above, we need the matching module ttl (which is available) and target module TTL, which is not present.

In order to fix the issue, it is necessary to load the module on the node and restart the container:

[root@node ~]# modprobe ipt_TTL
[root@node ~]# vzctl restart CTID

In order to fix the issue permanently, it is necessary to add the required modules to load automatically. Refer to this article for more information:
Managing iptables modules in containers

Internal content

SYMPTOMS

Sometimes, when running an iptables command inside a container, one of the following errors occurs:

iptables: Unknown error 4294967295
iptables: Unknown error 18446744073709551615
iptables: No chain/target/match by that name

CAUSE

Most likely, not all required iptables modules are loaded on the node itself and available for containers.

RESOLUTION

To identify which modules should be loaded on the node and enabled for containers, follow the instructions below:

  1. Save the list of modules loaded on the node:

    # lsmod | awk '/^ip|^nf|^xt/{print$1}' > file1
    
  2. Next, run on the node the iptables command that failed inside the container earlier, so that all required modules get loaded on the node. Please remember to run only ALLOWING commands and only for NON-EXISTENT IP addresses, for example:

    # iptables -t mangle -A PREROUTING -s 1.1.1.1 -j TTL --ttl-set 64
    
  3. Save the list of modules loaded on the node again:

    # lsmod | awk '/^ip|^nf|^xt/{print$1}' > file2
    
  4. Compare the first and second lists:

    # diff -puN file1 file2
    

In our example, when we run # iptables -t mangle -A PREROUTING -s 1.1.1.1 -j TTL --ttl-set 64, the result is:

    # diff -puN file1 file2 | grep ^+
    +++ file2       2012-05-10 11:56:36.000000000 -0700
    +ipt_TTL
i.e., the module ipt_TTL was not loaded.
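The procedure above, automated as an added example that is not part of the original article: it runs the lsmod comparison from steps 1-4 on two saved snapshots (constructed sample data, not real node output) and checks whether a match or target is already listed in the /proc files a container sees. The function names and sample values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: automates steps 1-4 on two
# saved `lsmod` snapshots and checks what a container already sees in
# /proc/net/ip_tables_matches and /proc/net/ip_tables_targets.
# All snapshot contents below are constructed sample data.

# Print netfilter modules (ip*, nf*, xt*) present in the second lsmod
# snapshot but absent from the first, i.e. what the test command pulled in.
newly_loaded() {
    awk '/^ip|^nf|^xt/ {
            if (FILENAME == ARGV[1]) seen[$1] = 1
            else if (!($1 in seen)) print $1
         }' "$1" "$2"
}

# Succeed when NAME appears as a whole line in a /proc dump.
# Match names are lowercase (ttl) and target names uppercase (TTL).
is_listed() {
    grep -qx "$1" "$2"
}

# --- constructed sample data -------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/file1" <<'EOF'
Module                  Size  Used by
ipt_ttl                 1234  0
iptable_mangle          2345  1
ip_tables              12345  1 iptable_mangle
xt_tcpudp               3456  0
EOF

# After running the failing rule on the node, ipt_TTL has been loaded.
cat > "$WORK/file2" <<'EOF'
Module                  Size  Used by
ipt_TTL                 1111  0
ipt_ttl                 1234  0
iptable_mangle          2345  1
ip_tables              12345  1 iptable_mangle
xt_tcpudp               3456  0
EOF

# What the container reports before the node has ipt_TTL loaded.
printf 'ttl\ntcp\nudp\n' > "$WORK/matches"
printf 'TOS\nREJECT\nLOG\n' > "$WORK/targets"

newly_loaded "$WORK/file1" "$WORK/file2"          # prints: ipt_TTL
is_listed ttl "$WORK/matches" && echo "match ttl: available in container"
is_listed TTL "$WORK/targets" || echo "target TTL: missing in container"
```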

Next, add the modules obtained in step 4 to /etc/sysconfig/iptables-config on the node so that they are loaded automatically after each node reboot, and enable them for the container:

    # vzctl set CT_ID --save --iptables --<module1> --iptables --<module2>

Please keep in mind that you can allow the following modules:

    iptable_filter, iptable_mangle, ipt_limit, ipt_multiport, ipt_tos, ipt_TOS, ipt_REJECT, ipt_TCPMSS, ipt_tcpmss, ipt_ttl, ipt_LOG, ipt_length, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, ipt_conntrack, ipt_state, ipt_helper, iptable_nat, ip_nat_ftp, ip_nat_irc, ipt_owner.

If the modules obtained in step 4 are not in this list (for example, ipt_TTL), there is no need to enable them for containers: they become available to all containers automatically once they are loaded on the node.