How to Fix “iptables: No chain/target/match by that name” Error When Blocking ICMP Ping


When working with custom-built iptables on embedded Linux systems, you might encounter this error while attempting to block ICMP traffic. The issue typically occurs when essential kernel modules or iptables extensions aren't properly loaded.

# This fails with the error
iptables -A INPUT -i eth0 -p icmp --icmp-type any -s 0/0 -d 10.20.3.179 \
-m state --state NEW,ESTABLISHED,RELATED -j DROP

The error suggests three potential missing components:

  • State match module (--state)
  • ICMP match support (--icmp-type)
  • Network interface filtering (-i eth0)

First check if your kernel has required modules:

# Check available kernel modules
lsmod | grep -E 'xt_state|nf_conntrack|iptable_filter'

If no output appears, you'll need to load them:

# Load necessary modules
modprobe nf_conntrack
modprobe xt_state
modprobe iptable_filter

Try this simplified version that doesn't rely on state tracking:

# Basic ICMP block rule
iptables -A INPUT -p icmp --icmp-type any -j DROP

If this works, it confirms the state module was the issue.

When building iptables from source, ensure these configure options are enabled:

./configure --enable-ipv4 --with-xtlibdir=/lib/xtables \
--enable-state --enable-icmp
make clean && make && make install

For embedded systems, add module loading at boot:

# /etc/modules-load.d/iptables.conf
nf_conntrack
xt_state
xt_conntrack
iptable_filter

After implementing fixes, verify with:

iptables -L INPUT -v -n
ping -c 1 your_server_ip  # Should timeout

If the rule still fails to load, also:

  • Check the kernel config for CONFIG_NETFILTER_XT_MATCH_STATE
  • Verify that the iptables-extensions man page exists (it lists the matches your build includes)
  • Test with tcpdump to see if packets reach the interface at all

When working with iptables on embedded Linux systems, you might encounter this error when trying to add specific rules. The primary trigger is typically related to missing kernel modules or incorrect rule syntax. Let's break down what's happening in your specific case:

iptables -A INPUT -i eth0 -p icmp --icmp-type any -s 0/0 -d 10.20.3.179 \
-m state --state NEW,ESTABLISHED,RELATED -j DROP

The most common root cause is that the required kernel modules aren't loaded. For stateful rules (-m state), you need these modules:

# Check loaded modules
lsmod | grep xt_

# Required modules for state matching
modprobe xt_state
modprobe nf_conntrack

Your iptables build might not include all extensions. Verify available matches:

iptables -m state --help
iptables -m conntrack --help

If these return errors, you'll need to:

# Rebuild with state match support (CONFIG_IP_NF_MATCH_STATE, named
# CONFIG_NETFILTER_XT_MATCH_STATE on newer kernels), or use the newer
# conntrack match instead:
iptables -A INPUT -i eth0 -p icmp --icmp-type any \
-m conntrack --ctstate NEW,ESTABLISHED,RELATED -j DROP
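When rebuilding is not possible but the conntrack match is present, the substitution above can be applied to a whole rule set mechanically, since the state names (NEW, ESTABLISHED, RELATED, INVALID) are the same for both matches. The script below is an added example, not part of the original article: the function names and the `SAMPLE_RULES` text are constructed here (it contains the rule from the question with its continuation line joined), and the script assumes one rule per line.

```shell
#!/bin/sh
# Added example: rewrite legacy "-m state --state" rules to "-m conntrack --ctstate"
# so an existing rule set loads on a box that only has xt_conntrack.

# Translate a single rule line. Only the match name and its option change;
# the negated form "-m state ! --state" is handled as well.
state_to_ctstate() {
    printf '%s\n' "$1" | sed \
        -e 's/-m state --state /-m conntrack --ctstate /g' \
        -e 's/-m state ! --state /-m conntrack ! --ctstate /g'
}

# Translate a rule file read from stdin, passing comments and blank lines through.
translate_rules() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line" ;;
            *) state_to_ctstate "$line" ;;
        esac
    done
}

# Constructed sample rule set (one rule per line).
SAMPLE_RULES='# constructed sample rule set
iptables -A INPUT -i eth0 -p icmp --icmp-type any -s 0/0 -d 10.20.3.179 -m state --state NEW,ESTABLISHED,RELATED -j DROP
iptables -A INPUT -m state ! --state NEW -j ACCEPT
iptables -A INPUT -p icmp -j DROP'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RULES" | translate_rules
fi
```

Run it as `sh translate.sh --demo` to see the converted sample, or pipe your own rule file through `translate_rules`; rules that already use conntrack or no state match at all are left unchanged.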

If rebuilding isn't an option, consider these alternatives:

Simpler ICMP Block Rule:

iptables -A INPUT -p icmp -j DROP

Using the conntrack Module:

modprobe nf_conntrack
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

For embedded systems, ensure these options are present in your kernel config (on newer kernels the state match is named CONFIG_NETFILTER_XT_MATCH_STATE, and CONFIG_NF_CONNTRACK_IPV4 has been folded into CONFIG_NF_CONNTRACK):

CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_MATCH_STATE=y

When facing this issue, follow this diagnostic process:

# 1. Check kernel config
zcat /proc/config.gz | grep -i state

# 2. Verify module availability
find /lib/modules/$(uname -r) -name '*state*'

# 3. Test with minimal rule
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
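The three steps above, together with the module and extension checks from earlier in this page, can be scripted so that the output says which layer is missing: the kernel option, the module, or the iptables extension. This is an added example and not code from the original article. The function names (`config_option`, `missing_modules`, `probe_match`, `run_diagnostics`) are chosen here, the `SAMPLE_CFG` and `SAMPLE_LSMOD` texts are constructed for the offline self-check, and `run_diagnostics` reads the live kernel config from /proc/config.gz or /boot/config-$(uname -r) when one of them exists.

```shell
#!/bin/sh
# Added example: diagnose "No chain/target/match by that name" by checking the
# kernel config, loaded modules and iptables match extensions separately.
# The check functions take their input as text so they can be exercised on
# constructed samples without touching the running system.

# Print the state of one option in .config-style text:
# y (built in), m (module), n (explicitly disabled) or unset.
config_option() {
    _cfg=$1; _opt=$2
    _val=$(printf '%s\n' "$_cfg" | sed -n "s/^$_opt=\(.*\)$/\1/p")
    if [ -n "$_val" ]; then
        printf '%s\n' "$_val"
    elif printf '%s\n' "$_cfg" | grep -q "^# $_opt is not set"; then
        echo n
    else
        echo unset
    fi
}

# Print, one per line, the required modules absent from lsmod-style text.
missing_modules() {
    _lsmod=$1; shift
    for _mod in "$@"; do
        printf '%s\n' "$_lsmod" \
            | awk -v m="$_mod" '$1 == m { found = 1 } END { exit !found }' \
            || printf '%s\n' "$_mod"
    done
}

# Probe an iptables match extension. Exit code: 0 usable, 1 missing, 2 no iptables.
probe_match() {
    command -v iptables >/dev/null 2>&1 || return 2
    iptables -m "$1" --help >/dev/null 2>&1
}

# Gather the live system's data and report each layer.
run_diagnostics() {
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(cat "/boot/config-$(uname -r)")
    else
        cfg=''
    fi
    for opt in CONFIG_NF_CONNTRACK CONFIG_NETFILTER_XT_MATCH_STATE \
               CONFIG_NETFILTER_XT_MATCH_CONNTRACK CONFIG_IP_NF_FILTER; do
        echo "$opt: $(config_option "$cfg" "$opt")"
    done
    if command -v lsmod >/dev/null 2>&1; then
        echo "not loaded: $(missing_modules "$(lsmod)" nf_conntrack xt_state xt_conntrack iptable_filter | tr '\n' ' ')"
    fi
    for m in state conntrack icmp; do
        rc=0; probe_match "$m" || rc=$?
        case $rc in
            0) echo "match $m: ok" ;;
            1) echo "match $m: missing (extension not built or kernel module absent)" ;;
            *) echo "match $m: iptables not installed" ;;
        esac
    done
}

# Constructed samples: a kernel with conntrack as a module but the state match
# disabled, and an lsmod listing where xt_state is not loaded.
SAMPLE_CFG='CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
CONFIG_IP_NF_IPTABLES=m'
SAMPLE_LSMOD='Module                  Size  Used by
xt_conntrack           16384  2
nf_conntrack          172032  1 xt_conntrack
iptable_filter         16384  1'

if [ "${1:-}" = "--demo" ]; then
    echo "sample CONFIG_NETFILTER_XT_MATCH_STATE: $(config_option "$SAMPLE_CFG" CONFIG_NETFILTER_XT_MATCH_STATE)"
    echo "sample modules not loaded: $(missing_modules "$SAMPLE_LSMOD" nf_conntrack xt_state xt_conntrack iptable_filter | tr '\n' ' ')"
elif [ "${1:-}" = "--run" ]; then
    run_diagnostics
fi
```

`sh diag.sh --demo` exercises the checks on the constructed samples; `sh diag.sh --run` inspects the live system. A match reported as missing while its CONFIG option is `y` or `m` points at the iptables build (the extension library), whereas `n` or `unset` points at the kernel.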

Here's a working implementation for an embedded router blocking ICMP while maintaining state:

#!/bin/sh
# Load the conntrack core and the state match before any stateful rule is added.
modprobe nf_conntrack
modprobe xt_state

# Create the chain only once so the script can be re-run at boot without
# duplicating rules; flush it if it already exists.
iptables -N ICMP_FILTER 2>/dev/null || iptables -F ICMP_FILTER
# Hook the chain into INPUT unless that jump is already present
# (-C needs iptables 1.4.11 or later).
iptables -C INPUT -j ICMP_FILTER 2>/dev/null || iptables -A INPUT -j ICMP_FILTER

# Unsolicited ICMP (NEW), such as inbound echo requests, is dropped...
iptables -A ICMP_FILTER -p icmp -m state \
--state NEW -j DROP
# ...while replies to our own pings and ICMP errors for existing flows are kept.
iptables -A ICMP_FILTER -p icmp -m state \
--state ESTABLISHED,RELATED -j ACCEPT