Home / ubuntu / Questions / 28215
In Process
user3215
Asked: 2011-02-27 09:42:36 +0800 CST

How can I fix the iptables error message "unable to initialize table 'filter'"?

  • 772

When I try to use iptables command on one of my Rackspace cloud server, I'm getting the following error.

In an attempt to apply iptables rules with iptables-apply -t 120 /etc/iptables.rules and iptables-restore < /etc/iptables.rules I got the next error:

FATAL: Could not load /lib/modules/2.6.32.4-rscloud/modules.dep: No such file or directory
iptables-restore v1.4.4: iptables-restore: unable to initialize table 'filter'

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

How do I fix this?

EDIT 1:

uname -r :

2.6.32.4-rscloud

modprobe /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/iptable_filter.ko :

FATAL: Could not load /lib/modules/2.6.32.4-rscloud/modules.dep: No such file or directory

ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ :

ls: cannot access /lib/modules/2.6.32.4-rscloud/kernel/net/ipv4/netfilter/: No such file or directory

EDIT 2:

apt-cache search linux-image-* :

alsa-base - ALSA driver configuration files
linux-image-2.6.31-14-generic - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-14-server - Linux kernel image for version 2.6.31 on x86_64
linux-image-2.6.31-14-virtual - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-302-ec2 - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-9-rt - Linux kernel image for version 2.6.31 on Ingo Molnar's full real time preemption patch
linux-image-rt - Rt Linux kernel image
rt2400-source - source for rt2400 wireless network driver
rt2500-source - source for rt2500 wireless network driver
rt2570-source - source for rt2570 wireless network driver
linux-image - Generic Linux kernel image.
linux-image-2.6.31-15-generic - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-15-server - Linux kernel image for version 2.6.31 on x86_64
linux-image-2.6.31-15-virtual - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-16-generic - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-16-server - Linux kernel image for version 2.6.31 on x86_64
linux-image-2.6.31-16-virtual - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-17-generic - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-17-server - Linux kernel image for version 2.6.31 on x86_64
linux-image-2.6.31-17-virtual - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-19-generic - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-19-server - Linux kernel image for version 2.6.31 on x86_64
linux-image-2.6.31-19-virtual - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-20-generic - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-20-server - Linux kernel image for version 2.6.31 on x86_64
linux-image-2.6.31-20-virtual - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-21-generic - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-21-server - Linux kernel image for version 2.6.31 on x86_64
linux-image-2.6.31-21-virtual - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-304-ec2 - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-305-ec2 - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-306-ec2 - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-ec2 - Linux kernel image for ec2 machines
linux-image-generic - Generic Linux kernel image
linux-image-server - Linux kernel image on Server Equipment.
linux-image-virtual - Linux kernel image for virtual machines
linux-image-2.6.31-22-generic - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-22-server - Linux kernel image for version 2.6.31 on x86_64
linux-image-2.6.31-22-virtual - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-307-ec2 - Linux kernel image for version 2.6.31 on x86/x86_64
server

8 Answers

  1. You need to load a kernel module for enabling the filter table. Run the next command as root:

    modprobe /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/iptable_filter.ko

    (uname -r gives the current kernel version)

    For a list of available modules for iptables, list the directory containing iptables modules:

    ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/

    To get information on all modules:

    modinfo /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/*.ko
    • 7

  2. it turns out that it was just a missing sudo!

    sudo iptables-restore < /etc/iptables.rules

    instead of

    iptables-restore < /etc/iptables.rules

    • 5

  3. I also use the Rackspace Cloud, with kernel 2.6.35.4-rscloud. I have multiple instances with this kernel and iptables works fine on some and I have the same problem as you on a couple others.

    Therefore I believe this kernel does have the support it needs for iptables, and the issue is caused by something else (I'm still looking for the solution myself)

    EDIT: I solved my issue by scp -r copying the /lib/modules/2.6.35.4-rscloud from the working iptables server to the non-working one.

    For some reason uname -r shows 2.6.35.4-rscloud and ls /lib/modules/ only contained the previous version like /lib/modules/2.6.31-302-rs.

    I'm not sure why this can fall out of synch, or what to do if you don't have a working server to copy these files from, but hopefully this points you in the right direction.

    I did not need to recompile a kernel or anything like that.

    • 2

  4. It is possible that the linux kernel you are using wasn't built with loadable module support. A good way to find out if your kernel has module support is to check the existence of the file /proc/modules. If it is there but you don't have a /lib/modules/$(uname -r)/modules.dep file, it means that your kernel has support for modules but that they were not correctly installed. It look like your kernel was built by your provider Rackspace, you should ask them about the kernel configuration.

    • 1

  5. Another way to get proper iptables support is to install xtables-addons, you need to have quite a lot of tools to get this working though (module-assistant, build-essential etc.), but the advantage is that at the end you have ipset as well as iptables and (IMHO) using ipset as well is much better for large complex rulesets

    apt-get install xtables-addons-common

apt-get install xtables-addons-source

m-a prepare

m-a build xtables-addons

m-a install xtables-addons
    • 1

  6. I had the same error, but I found a stray comment in an unrelated article (http://articles.slicehost.com/2007/11/6/ubuntu-gutsy-setup-page-1) that identified the silly molecular error that was at fault in my case. The problem was that I had created the iptables.rules file using a text editor (Notepad++), but because the file type wasn't recognized, Notepad++ defaulted to using Windows End-of-Line and End-of-File characters. iptables rejects these characters, requiring their Unix equivalents, and was thus throwing an error upon the first occurrence: the end of the *filter line -- giving the false impression that there was something wrong with the *filter syntax. Ah, the ever-present joys of character-encoding-related errors!

    Two Solutions

    • The commenter I mentioned above installed (sudo aptitude install tofrodos) and ran (fromdos /etc/iptables.rules) a little conversion utility on the file.

    ---OR---

    • What I did was, in Notepad++, Edit > EOL Conversion > UNIX Format, and then Save and re-upload the file. That took care of the End-of-Line characters, but not the End-of-File character (despite what one might expect). So once I had it uploaded to the server, I opened it up in nano and created a newline at the end of the file and saved. Then everything worked perfectly.

    It might also be possible that merely opening the file in nano and resaving, without actually changing the characters manually, would do the trick, but I haven't tested.

    • 1

  7. You can also get errors with iptables if you've installed a new version of the Kernel but you haven't rebooted yet (quite common if you're building a new server using, for example, an Ansible playbook, and an earlier task is an apt-get upgrade)

    See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829269#41 re: "Unknown symbol in module, or unknown parameter" error.

    • 1

  8. The answer by Lekensteyn is almost, but not quite, the correct answer. The error there is that the modprobe command accepts as its argument a module name (iptables_filter or iptables-filter; modprobe will automatically convert dashes to underscores if a matching module with that filename is found in its search paths), not the path to a kernel object (.ko) file as is written in that answer.

    I had a very similar issue to this problem on a system where IPv4 NetFilter tables were loaded but IPv6 tables were not. This resulted in iptables-restore successfully loading my firewall rules, but ip6tables-restore gave the "unable to initialize table 'filter'" error. The solution was simply to run the following modprobe command as the root user or with sudo before restoring the iptables firewall ruleset:

    modprobe ip6table_filter

    I experienced this on a Travis CI virtual environment in one of my CI/CD pipelines. Hopefully this helps someone in a similar situation.

    • 0