IPTables

I'm having a problem (below) when I try to start iptables.

[root@s1 ~]# service iptables start
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: security raw nat mangle fi[FAILED]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
[root@s1 ~]#

Can anyone help?

Thanks,

Michael

15 Replies

You've defined a non-existent table in your iptables configuration. There's no iptables table named "security". Those rules should be moved into filter, nat, or mangle (most likely filter).

@Jay:

You've defined a non-existent table in your iptables configuration. There's no iptables table named "security". Those rules should be moved into filter, nat, or mangle (most likely filter).

How do I remove it?

The fix, at least for me, was to switch from the 2.6 paravirt kernel to the latest 2.6 stable. There's an issue with the paravirt kernel that Linode's Build team are aware of but there is no ETA on if/when there will be a resolution.

Terry

I get this error as well. I cannot figure out how to "fix" the error in my iptables configuration since I don't even use the word security. I'm running the paravirt kernel. Is there a risk to ignoring the error and letting iptables run as is?

I asked the same question and it wasn't really answered. This is what I received from support:

"The issue is that the "Latest 2.6 Paravirt" kernel has a "security" chain and iptables doesn't know how to handle it. Usually switching to the "Latest 2.6 Stable" kernel resolves the issue without any further tweaking of the iptables init script (it often just ignores that chain and starts normally). Our builds team is indeed aware of this problem, however I do not have an ETA on if/when it will be resolved.

It is perfectly fine to continue using our "Latest 2.6 Stable" kernel – this kernel was actually the default selection for CentOS deployments until recently. No applications, with the exception of iptables, will operate differently when using the stable kernel."

So not really an answer as to whether you can use the paravirt kernel without a problem. If you find out the answer, please post.

Note that if you execute an iptables-save while using the paravirt kernel, it will save a security chain in the /etc/sysconfig/iptables file so upon start-up with the 2.6 stable kernel, iptables will try to load a security chain and will really fail.

Terry

I'm having the same issue when I switched to the latest 2.6 paravirt, no solution yet?

Just deployed CentOS 6 and ran into this problem again with the latest paravirt. Found this on the web.

http://impactservices.in/content/iptables-error-setting-chains-policy-accept-security-raw-nat-mangle-filter-failed

Haven't tried it out yet. Not sure if it will screw anything else up. Anyone found a fix for this yet or has tried this out?

Thanks,

Terry

cd /etc/init.d

mv iptables ~/iptables.bak

wget http://epoxie.net/12023.txt && cat 12023.txt | tr -d '\r' > iptables

chmod +x iptables

rm -rf 12023.txt

Now, "iptables" should start successfully:

service iptables restart

EDIT: I don't have this error with the latest paravirt kernel 3
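The support reply above says the init script fails because it tries to set a policy on every table in its fixed list ("security raw nat mangle filter") even when the kernel or the iptables binary does not cooperate, and the post above works around it by swapping in a replacement script. As an added example that is not the thread's script, here is a defensive version of that one step: it asks the kernel which tables exist before touching them, skips the missing ones with a warning, and counts failures instead of aborting. The function names, the WANTED_TABLES list and the use of /proc/net/ip_tables_names are my assumptions.

```shell
#!/bin/sh
# Added example (not the thread's replacement script): a defensive version of
# the "Setting chains to policy ACCEPT" step. It reads the kernel's table list
# from /proc/net/ip_tables_names (assumed path) before touching anything, so a
# table the kernel lacks is skipped with a warning and a table the iptables
# binary cannot handle only counts as a failure instead of aborting the step.

IPTABLES=${IPTABLES:-iptables}
# Tables the CentOS init script tries to reset, in the order seen above.
WANTED_TABLES="security raw nat mangle filter"

# Echo the subset of WANTED_TABLES that the running kernel lists in $1
# (default /proc/net/ip_tables_names; tests pass a constructed file).
loaded_tables() {
    names_file=${1:-/proc/net/ip_tables_names}
    found=""
    [ -r "$names_file" ] || { echo ""; return 0; }
    for t in $WANTED_TABLES; do
        if grep -qx "$t" "$names_file"; then
            found="$found${found:+ }$t"
        fi
    done
    echo "$found"
}

# Set policy $2 on every built-in chain of the tables listed in $1.
# Returns the number of failed policy changes rather than stopping at the first.
set_policy() {
    policy=$2
    failed=0
    for t in $1; do
        for chain in $($IPTABLES -t "$t" -S 2>/dev/null | awk '/^-P /{print $2}'); do
            $IPTABLES -t "$t" -P "$chain" "$policy" || failed=$((failed + 1))
        done
    done
    return "$failed"
}

# Warn about wanted tables the kernel lacks, then reset only the ones it has.
# Usage: reset_policies ACCEPT [names_file]
reset_policies() {
    have=$(loaded_tables "${2:-/proc/net/ip_tables_names}")
    for t in $WANTED_TABLES; do
        case " $have " in
            *" $t "*) ;;
            *) echo "skipping table '$t': not provided by this kernel" >&2 ;;
        esac
    done
    set_policy "$have" "$1"
}
```

Run as root with `reset_policies ACCEPT`; a non-zero return tells you how many chains could not be reset, which is the check the original script lacked.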

Hi,

I tried with the latest paravirt 3 and I still get the same error.

Terry

@troublshootr:

I tried with the latest paravirt 3 and I still get the same error.

It is a bug in CentOS, not in the kernel itself, so I wouldn't anticipate newer kernels changing much.

@hoopycat:

@troublshootr:

I tried with the latest paravirt 3 and I still get the same error.

It is a bug in CentOS, not in the kernel itself, so I wouldn't anticipate newer kernels changing much.

I don't consider it a bug in CentOS since it happens only with the Linode kernel and some other one.

So the bug doesn't happen if you download the latest mainline kernel from kernel.org, compile it using a reasonably-similar configuration (e.g. from /proc/config.gz on a Linode), and boot with it on normal hardware? If it doesn't happen, I will retract my statement just as soon as I finish eating my hat.

@hoopycat:

So the bug doesn't happen if you download the latest mainline kernel from kernel.org, compile it using a reasonably-similar configuration (e.g. from /proc/config.gz on a Linode), and boot with it on normal hardware? If it doesn't happen, I will retract my statement just as soon as I finish eating my hat.

I haven't tested it with a configuration similar to the Linode one, so I can't answer.

I am seeing this exact same error now on my freshly minted 64-bit install... so I am sorry for pulling something dead out of the ground.

Any chance you could repost the solution to this problem as I am only just starting out with Linux/HP-UX (migrating from Windows) administration and the pastebin links are dead?
