IP Tables Error

When I restart iptables, I am getting the following error. I learned from this forum that I need to change the kernel, which I did, but it's not working.

[[email protected]**** ~]# service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: security raw nat mangle fi[FAILED]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[FAILED]
[[email protected]**** ~]# uname -a
Linux **** 2.6.38-linode31 #1 SMP Mon Mar 21 21:22:33 UTC 2011 i686 i686 i386 GNU/Linux

Running Centos 32-bit.

Your suggestions are highly appreciated..thank you!

51 Replies

try this http://www.linode.com/wiki/index.php/CentOS#TIP:Loadingadditionaliptaablesmodules_.5BFAILED.5D

Thank you, that fixed the netbios error. However, the first error still remains.

Setting chains to policy ACCEPT: security raw nat mangle fi[FAILED]

I should really have my cuppa tea before reading these posts so I read the whole thing….

Anyway can you put the content of your /etc/sysconfig/iptables file in http://pastebin.linode.com/ then post the link please.

Thank you!!!!

But what have I done? I rebooted the Linode. When I used the Lish console, here is the error message.

IPv4 over IPv4 tunneling driver
GRE over IPv4 tunneling driver
ip_conntrack version 2.4 (8192 buckets, 65536 max) - 228 bytes per conntrack
ip_conntrack_pptp version 3.1 loaded
ip_nat_pptp version 3.0 loaded
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP bic registered
Initializing IPsec netlink socket
NET: Registered protocol family 1
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver
ip6_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 17
NET: Registered protocol family 15
Bridge firewalling registered
Ebtables v2.0 registered
ebt_ulog: not logging via ulog since somebody else already registered for PF_BRIDGE
802.1Q VLAN Support v1.8 Ben Greear <[email protected]>
All bugs added by David S. Miller <[email protected]>
SCTP: Hash tables configured (established 65536 bind 65536)
Using IPI Shortcut mode
XENBUS: Device with no driver: device/console/0
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
kjournald starting.  Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
VFS: Mounted root (ext3 filesystem) readonly.
Freeing unused kernel memory: 224k freed
Warning: unable to open an initial console.

The Kernel is Latest 2.6 Legacy (2.6.18.8-linode22)

CentOS 32 bit.

I did nothing except changing the kernel as mentioned in the other thread…:( :) :)

I believe the latest version of CentOS requires the paravirt kernel (not positive though); switch back and provide the contents of /etc/sysconfig/iptables at http://pastebin.linode.com/

can you pastebin the contents of /etc/init.d/iptables as well (sorry forgot)

FYI, I am trying to run openvpn and pptp. Every time I start the server, the iptables settings are not executed.

I don't know if this is related, but

[[email protected]*** etc]# modprobe ppp-compress-18 && echo ok
FATAL: Module ppp_mppe not found.

copy this into a file http://pastebin.linode.com/5191 and run

patch -p1 < filename

if it asks for a file choose /etc/init.d/iptables (replace filename in the command with the name of the file you saved it to). That will patch your init script.

@obs: You are a genius. Thanks a lot. :)

[[email protected]*** ~]# nano ipfix
[[email protected]*** ~]# patch -p1 < ipfix
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- iptables.old    2011-04-20 17:08:49.000000000 -0400
|+++ iptables    2011-04-20 17:09:17.000000000 -0400
--------------------------
File to patch: /etc/init.d/iptables
patching file /etc/init.d/iptables
[[email protected]*** ~]# service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: security raw nat mangle fi[  OK  ]
Applying iptables firewall rules:                          [  OK  ]

Np goes and pokes linode to update their distro

@obs:

goes and pokes linode to update their distro

Looks like it is a part of the iptables package in CentOS, so you probably want to poke either CentOS or Red Hat to fix it.

I installed centos locally first and that doesn't suffer from the problem so it seems to be a linode only problem.

@obs:

I installed centos locally first and that doesn't suffer from the problem so it seems to be a linode only problem.

I have this problem too on CentOS 5.6, but I have it only if I boot with the latest paravirt kernel 2.6.38, no problem if I boot with the legacy one 2.6.18.

[[email protected]**** ~]# service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: security raw nat mangle fi[FAILED] 

Sincerely I haven't understood what is the problem and how to solve it.

Apply this patch http://pastebin.linode.com/5191 to /etc/init.d/iptables

@obs:

Apply this patch http://pastebin.linode.com/5191 to /etc/init.d/iptables

I have just applied the patch and restarted my CentOS 5.6 with the latest paravirt 2.6.38, but on boot I can read this error:

Settings chains to policy ACCEPT: security raw mangle filter [FAILED]

Thanks for the help, I appreciate it.

Odd, it worked for someone else and myself; can you put the contents of your /etc/init.d/iptables in pastebin.linode.com

@obs:

Odd worked for someone else and myself, can you put the contents of your /etc/init.d/iptables in pastebin.linode.com

Done:

http://pastebin.linode.com/5199

Well, it's patched OK; without looking at the server I'm not sure what's wrong.

@obs:

Well it's patched ok without looking at the server I'm not sure what's wrong.

If I manually restart iptables with

service iptables restart

I get no error.

But on boot I can see this:


That's just plain weird, I don't have a centos system handy to test this on right now either :/

no one else with this problem?

You can see this problem only on boot because if you restart iptables manually, no error is displayed.

I would like to have an answer from Linode since this is a problem of most users here running CentOS.

Thanks.

Hi all, Sorry to hijack such an old thread

I've attempted to apply the same patch here, this is the exact contents of the file

--- iptables.new    2011-04-21 14:04:21.000000000 +0100
+++ iptables    2011-04-21 14:05:44.000000000 +0100
@@ -119,7 +119,13 @@
     ret=0
     for i in $tables; do
         echo -n "$i "
-        case "$i" in
+        case "$i" in
+       security)
+                    $IPTABLES -t security -P INPUT $policy \
+                    && $IPTABLES -t security -P OUTPUT $policy \
+                    && $IPTABLES -t security -P FORWARD $policy \
+                   || let ret+=1
+                ;;
             raw)
                 $IPTABLES -t raw -P PREROUTING $policy \
                     && $IPTABLES -t raw -P OUTPUT $policy \
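Review bot: the new `security)` arm is indented inconsistently with the arms around it (`security)` at 7 spaces where the context's `raw)` sits at 12, and its `|| let ret+=1` at 19 where the `raw)` arm's continuation lines sit at 20), and the `case "$i" in` line is deleted and re-added unchanged, so the hunk carries a needless `-`/`+` pair. Both make the patch depend on exact whitespace in the target script, which fits the `Hunk #1 FAILED at 119` report that follows, and since every command in the arm ends in a `\` continuation, any trailing space after a `\` turns the next `&&` into the `syntax error near unexpected token` seen later in the thread. Suggest re-indenting the arm to match `raw)` and dropping the redundant `-`/`+` pair so the hunk is the seven added lines only.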

This is as per the download button on this paste file. On a fresh install of Centos 5.6.

The patch runs, but comes up to the following

missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- iptables.new    2011-04-21 14:04:21.000000000 +0100
|+++ iptables    2011-04-21 14:05:44.000000000 +0100
--------------------------
File to patch: /etc/init.d/iptables
patching file /etc/init.d/iptables
Hunk #1 FAILED at 119.
1 out of 1 hunk FAILED -- saving rejects to file /etc/init.d/iptables.rej

Any ideas here at all?

It means /etc/init.d/iptables is different compared to the one I made the patch for; post the contents of it into pastebin.linode.com and post the URL here.

Oops, sorry, I thought I had updated this. I fixed this one myself eventually. Looking at the config, everything was the same but it just refused to add the extra entry; I manually added it, and everything generally worked. I still have the profile but need to boot it if you'd like to see what else is different, as it's only the additional lines I added.

(could be good for reference?)

If adding the lines manually worked then don't worry about it :) Linode already know about this issue so hopefully it'll be fixed in the distro soon.

Does anyone know of an updated patch? The pastebin link doesn't work anymore and I'm still having this issue.

Thanks!

Put a copy of your /etc/init.d/iptables script in pastebin.linode.com and I'll make a new patch

Thanks, that would be great!

http://pastebin.linode.com/5350

Do you have any tips or know of any guides on learning how to do this myself?

Try this

http://db.tt/wgvN7Dy

Let me know if it works.

Thanks for the patch!

Sorry for the noob question, but I'm not sure how to use it. Could you point me in the right direction please?

Thank you

run patch -p1 < /pathtopatch

The patch ran successfully (after I specified which file to patch); but did not seem to fix the issue.

After restarting iptables, I got:

/etc/init.d/iptables: line 125: syntax error near unexpected token `&&'

/etc/init.d/iptables: line 125: ` && $IPTABLES -t security -P OUTPUT $policy \ '

Here is the current iptables file (after patching): http://pastebin.linode.com/5376

Thank you for your continued help!

Some trailing whitespace crept in, oops!

I've updated the patch, and just for webmonkey here's a patch to fix your broken iptables script http://db.tt/zYuD1lk

It works! I repatched it and corrected the 'ip_conntrack_netbios_n' issue (just like the first post in this thread) and now I can restart iptables just fine.

Much thanks obs!

Would this same patch work for Ubuntu? I'm having the same issue on a different Linode server.

No, it wouldn't work on Ubuntu; your issue there will be something different.

this problem is present also in CentOS 6 :shock:

The link to the patch is broken and I have the problem also on a fresh new CentOS 6.

@sblantipodi:

this problem is present also in CentOS 6 :shock:

The link to the patch is broken and I have the problem also on a fresh new CentOS 6.

Whoops, must have moved the file; here's a link http://db.tt/wgvN7Dy

I've not tried it on centos6

@obs:

@sblantipodi:

this problem is present also in CentOS 6 :shock:

The link to the patch is broken and I have the problem also on a fresh new CentOS 6.

Whoops, must have moved the file; here's a link http://db.tt/wgvN7Dy

I've not tried it on centos6

can you do it please?

I want to be sure that it will work ok.

thanks.

I would like to see a patch from the Linode guys since they gave us a fresh new VPS with this error from the start :)

Is it asking too much?

this is what this excellent support answered:
> Hello,
>
> Thank you for contacting us! The issue you are experiencing with iptables is happening due to our paravirt kernel having a "security" chain compiled into it, and the default "iptables" init script included with CentOS does not know how to handle it. You are able to resolve this issue by downloading an amended version of the "iptables" init script. Please issue the following commands as the "root" user:
>
> cd /etc/init.d
>
> mv iptables ~/iptables.bak
>
> wget http://epoxie.net/12023.txt && cat 12023.txt | tr -d '\r' > iptables
>
> chmod +x iptables
>
> rm -rf 12023.txt
>
> Now, "iptables" should start successfully:
>
> service iptables restart
>
> If there is anything else we can do for you, please let us know.
>
> Regards,

Fixed the problem, thank you Linode support!!!

Unfortunately I'm running into the same issue on a minty fresh install of CentOS and the link on epoxie.net is dead… does anyone have a working /etc/init.d/iptables script they'd be willing to share?

Mine still exists: https://www.dropbox.com/s/nrbvbe2veypdqz6/centos.iptables.patch Dunno if it still works; this was for CentOS 5.x.

obs, thank you so much! that resolved the issue. I hadn't tried your solution as I ended up here by googling 12023.txt trying to go that route…

For anyone else with the issue, get obs's patch file and run:

patch -u /etc/init.d/iptables centos.iptables.patch

Worked like a charm! Thanks again!

@obs:

Mine still exists: https://www.dropbox.com/s/nrbvbe2veypdqz6/centos.iptables.patch Dunno if it still works; this was for CentOS 5.x.

Thank you very much. It's working fine.

I just noticed the same error.

iptables: Setting chains to policy ACCEPT: security raw nat[FAILED]filter

iptables: Unloading modules: [ OK ]

iptables: Applying firewall rules: [ OK ]

Is this something I should be that concerned about? The "rules apply" so doesn't seem like a big deal?

Hi,

I am getting a similar error with my CentOS 6.4. Could you please place that patch again?

iptables: Flushing firewall rules: [ OK ]

iptables: Setting chains to policy ACCEPT: security raw nat[FAILED]filter

iptables: Unloading modules: [ OK ]

iptables: Applying firewall rules: [ OK ]

Regards,

Jayadevan

This worked for me on a new CentOS 64-bit Linode.

Thanks!

On line (or about line) 142 of /etc/init.d/iptables there will be a for loop that looks something like this:

142     for i in $tables; do
143         echo -n "$i "
144         case "$i" in
145             raw)
146                 $IPTABLES -t raw -P PREROUTING $policy \
147                     && $IPTABLES -t raw -P OUTPUT $policy \
148                     || let ret+=1
149                 ;;
150             filter)
151                 $IPTABLES -t filter -P INPUT $policy \
152                     && $IPTABLES -t filter -P OUTPUT $policy \
153                     && $IPTABLES -t filter -P FORWARD $policy \
154                     || let ret+=1
155                 ;;
156             nat)
157                 $IPTABLES -t nat -P PREROUTING $policy \
158                     && $IPTABLES -t nat -P POSTROUTING $policy \
159                     && $IPTABLES -t nat -P OUTPUT $policy \
160                     || let ret+=1
161                 ;;
162             mangle)
163                 $IPTABLES -t mangle -P PREROUTING $policy \
164                     && $IPTABLES -t mangle -P POSTROUTING $policy \
165                     && $IPTABLES -t mangle -P INPUT $policy \
166                     && $IPTABLES -t mangle -P OUTPUT $policy \
167                     && $IPTABLES -t mangle -P FORWARD $policy \
168                     || let ret+=1
169                 ;;
170             *)
171                 let ret+=1
172                 ;;
173         esac
174     done

You will need to add these entries to this file:

            security)
                $IPTABLES -t filter -P INPUT $policy \
                    && $IPTABLES -t filter -P OUTPUT $policy \
                    && $IPTABLES -t filter -P FORWARD $policy \
                    || let ret+=1
                ;;

That will get rid of the error message.

142     for i in $tables; do
143         echo -n "$i "
144         case "$i" in
145             security)
146                 $IPTABLES -t filter -P INPUT $policy \
147                     && $IPTABLES -t filter -P OUTPUT $policy \
148                     && $IPTABLES -t filter -P FORWARD $policy \
149                     || let ret+=1
150                 ;;
151             raw)
152                 $IPTABLES -t raw -P PREROUTING $policy \
153                     && $IPTABLES -t raw -P OUTPUT $policy \
154                     || let ret+=1
155                 ;;
156             filter)
157                 $IPTABLES -t filter -P INPUT $policy \
158                     && $IPTABLES -t filter -P OUTPUT $policy \
159                     && $IPTABLES -t filter -P FORWARD $policy \
160                     || let ret+=1
161                 ;;
162             nat)
163                 $IPTABLES -t nat -P PREROUTING $policy \
164                     && $IPTABLES -t nat -P POSTROUTING $policy \
165                     && $IPTABLES -t nat -P OUTPUT $policy \
166                     || let ret+=1
167                 ;;
168             mangle)
169                 $IPTABLES -t mangle -P PREROUTING $policy \
170                     && $IPTABLES -t mangle -P POSTROUTING $policy \
171                     && $IPTABLES -t mangle -P INPUT $policy \
172                     && $IPTABLES -t mangle -P OUTPUT $policy \
173                     && $IPTABLES -t mangle -P FORWARD $policy \
174                     || let ret+=1
175                 ;;
176             *)
177                 let ret+=1
178                 ;;
179         esac
180     done
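As an added example (not the CentOS init script, obs's patch, or the post above), here is a POSIX sh rewrite of that loop that maps each table to its own built-in chains, so `security` gets `-t security` as in the earlier patch hunk rather than `-t filter`, and still counts an unrecognised table as a failure the way the original `*)` arm does. The `$IPTABLES` override and the function names are my own; a dry run with `IPTABLES=true` exercises the logic without touching the firewall.

```shell
#!/bin/sh
# Added example, not the CentOS init script: a table-aware version of the
# "Setting chains to policy" loop from this thread. The stock loop counts
# any table it does not recognise as a failure, which is why a kernel that
# exposes the "security" table prints [FAILED]. Assumptions: the iptables
# binary comes from $IPTABLES (set IPTABLES=true for a dry run) and the
# table list from /proc/net/ip_tables_names, as the init script reads it.

IPTABLES=${IPTABLES:-iptables}

# Built-in chains of each table; "security" is the arm the stock script
# lacks, and its chains are the filter-style INPUT/OUTPUT/FORWARD.
chains_for_table() {
    case "$1" in
        raw)      echo "PREROUTING OUTPUT" ;;
        filter)   echo "INPUT OUTPUT FORWARD" ;;
        security) echo "INPUT OUTPUT FORWARD" ;;
        nat)      echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle)   echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        *)        return 1 ;;
    esac
}

# set_chain_policies "TABLE ..." POLICY: sets POLICY on every built-in
# chain of each listed table. Exit status is the number of tables that
# failed (0 = all succeeded), mirroring the script's "ret" counter.
set_chain_policies() {
    tbls=$1
    policy=$2
    ret=0
    for t in $tbls; do
        chains=$(chains_for_table "$t") || { ret=$((ret + 1)); continue; }
        for c in $chains; do
            "$IPTABLES" -t "$t" -P "$c" "$policy" || { ret=$((ret + 1)); break; }
        done
    done
    return "$ret"
}

# Tables the running kernel actually has loaded (empty when none).
loaded_tables() {
    cat /proc/net/ip_tables_names 2>/dev/null || true
}

# Reproduces the init script's status line over the loaded tables.
set_policy_step() {
    tables=$(loaded_tables)
    printf 'Setting chains to policy %s: %s ' "$1" "$(echo $tables)"
    if set_chain_policies "$tables" "$1"; then
        echo "[  OK  ]"
    else
        echo "[FAILED]"
        return 1
    fi
}
```

Run `set_policy_step ACCEPT` as root on the affected box to see the same status line the thread shows, now with the `security` table handled.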
