# iptables not starting [SOLVED]

## zietbukuel

```
ziet@bavrit ~ $ sudo /etc/init.d/iptables start
 * Service iptables starting
 * Loading iptables state and starting firewall ...
iptables-restore v1.3.7: iptables-restore: unable to initialize table 'nat'
Error occurred at line: 11
Try `iptables-restore -h' or 'iptables-restore --help' for more informat  [ !! ]
 * ERROR:  iptables failed to start
```

I guess this is the problematic part:

```
set_table_policy() {
        local chains table=$1 policy=$2
        case ${table} in
                nat)    chains="PREROUTING POSTROUTING OUTPUT";;
                mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
                filter) chains="INPUT FORWARD OUTPUT";;
                *)      chains="";;
        esac
        local chain
        for chain in ${chains} ; do
                ${iptables_bin} -t ${table} -P ${chain} ${policy}
        done
}
```

emerge --info:

```
Portage 2.1.2-r9 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.20-gentoo i686)
=================================================================
System uname: 2.6.20-gentoo i686 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.12.9
Timestamp of tree: Tue, 13 Feb 2007 04:29:01 +0000
dev-java/java-config: 1.3.7, 2.0.31-r3
dev-lang/python:     2.4.4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.20
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon64 -pipe -O2 -msse3 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=athlon64 -pipe -O2 -msse3 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/home/ziet/Portage /usr/local/layman/xeffects /usr/local/layman/enlightenment"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X aac acl alsa avahi bash-completion beagle berkdb bitmap-fonts cairo cddb cdr cli cracklib crypt cups daap dbus dlloader dri dvd dvdr emboss encode esd exif fam ffmpeg firefox flac fortran gdbm gif glib glibc-omitfp glitz gmp gnome gnutls gpm gstreamer gtk hal iconv imlib isdnlog java jpeg libg++ libnotify mad midi mikmod mmx mmxext mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pango pcre pdf perl png ppds pppd python quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl startup-notification svg tcpd theora tiff truetype truetype-fonts type1-fonts unicode usb vorbis win32codecs x86 xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
```

When using a previous kernel version iptables was working; after the upgrade it won't start... Please help!

Thanks

ps. if you need more info, ask  :Smile:

Last edited by zietbukuel on Tue Apr 03, 2007 4:28 pm; edited 1 time in total

----------

## alex.blackbit

hmm, network packet filtering not enabled in your new kernel?

i am not sure about the differences 2.6.19->2.6.20, but maybe the place for the netfilter options changed, so the checked boxes could have been lost even if you copied your .config file.

maybe you want to take a quick look.

----------

## amar_

And if this is a desktop computer you should really consider using firestarter. It rocks  :Smile:

----------

## zietbukuel

Thanks for the replies.

I think I have enabled packet filtering in my kernel:

```
    Networking  --->
      Networking options  --->
        [*] Network packet filtering framework (Netfilter)  --->
           Core Netfilter Configuration  --->
              <M> Netfilter netlink interface
              <M>   Netfilter NFQUEUE over NFNETLINK interface
              <M>   Netfilter LOG over NFNETLINK interface
              < > Netfilter connection tracking support
              <M> Netfilter Xtables support (required for ip_tables)
              <M>   "CLASSIFY" target support
              <M>   "DSCP" target support
              <M>   "MARK" target support
              <M>   "NFQUEUE" target Support
              <M>   "NFLOG" target support
              <M>   "SECMARK" target support
              <M>   "comment" match support
              <M>   "DCCP" protocol match support
              <M>   "DSCP" match support
              <M>   "ESP" match support
              <M>   "length" match support
              <M>   "limit" match support
              <M>   "mac" address match support
              <M>   "mark" match support
              <M>   IPsec "policy" match support
              <M>   Multiple port match support
              <M>   "pkttype" packet type match support
              <M>   "quota" match support
              <M>   "realm" match support
              <M>   "sctp" protocol match support (EXPERIMENTAL)
              <M>   "statistic" match support
              <M>   "string" match support
              <M>   "tcpmss" match support
              <M>   "hashlimit" match support
         IP: Netfilter Configuration  --->
              <M> IP Userspace queueing via NETLINK (OBSOLETE)
              <M> IP tables support (required for filtering/masq/NAT)
              <M>   IP range match support
              <M>   TOS match support
              <M>   recent match support
              <M>   ECN match support
              <M>   AH match support
              <M>   TTL match support
              <M>   Owner match support
              <M>   address type match support
              <M>   Packet filtering
              <M>     REJECT target support
              <M>   LOG target support
              <M>   ULOG target support
              <M>   TCPMSS target support
              <M> Packet mangling
              <M>   TOS target support
              <M>   ECN target support
              <M>   TTL target support
              <M> raw table support (required for NOTRACK/TRACE)
              <M> ARP tables support
              <M>   ARP packet filtering
              <M>   ARP payload mangling
```

And, yes I use firestarter  :Smile: 

Thanks.

----------

## alex.blackbit

i did not see before that what you call is iptables-restore.

is it possible that there is nothing to restore? ... i.e. that the table was not saved for some reason the last time?

----------

## zietbukuel

These are my rules and I can't restore them even with iptables-restore < fw (fw is the file where my rules are):

```
# Generated by iptables-save v1.3.7 on Thu Feb  8 13:43:03 2007
*mangle
:PREROUTING ACCEPT [40464:53632066]
:INPUT ACCEPT [40464:53632066]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [36278:4434016]
:POSTROUTING ACCEPT [36269:4433656]
-A OUTPUT -p tcp -m tcp --dport 20:21 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 68 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 443 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 20:21 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 25 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 53 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 67 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 110 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 143 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 443 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 1812 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 1813 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 2401 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 8080 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A OUTPUT -p tcp -m tcp --dport 6000:6015 -j TOS --set-tos 0x08
COMMIT
# Completed on Thu Feb  8 13:43:03 2007
# Generated by iptables-save v1.3.7 on Thu Feb  8 13:43:03 2007
*nat
:PREROUTING ACCEPT [59:6102]
:POSTROUTING ACCEPT [716:39513]
:OUTPUT ACCEPT [716:39513]
COMMIT
# Completed on Thu Feb  8 13:43:03 2007
# Generated by iptables-save v1.3.7 on Thu Feb  8 13:43:03 2007
*filter
:INPUT DROP [1:250]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:INBOUND - [0:0]
:LOG_FILTER - [0:0]
:LSI - [0:0]
:LSO - [0:0]
:OUTBOUND - [0:0]
-A INPUT -s 208.67.222.222 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 208.67.222.222 -p udp -j ACCEPT
-A INPUT -s 208.67.220.220 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 208.67.220.220 -p udp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p udp -m udp --dport 33434 -j LSI
-A INPUT -p icmp -j LSI
-A INPUT -d 255.255.255.255 -i eth0 -j DROP
-A INPUT -d 10.0.0.255 -j DROP
-A INPUT -s 224.0.0.0/255.0.0.0 -j DROP
-A INPUT -d 224.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 255.255.255.255 -j DROP
-A INPUT -d 0.0.0.0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -f -m limit --limit 10/min -j LSI
-A INPUT -i eth0 -j INBOUND
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p udp -m udp --dport 33434 -j LSI
-A FORWARD -p icmp -j LSI
-A FORWARD -j LOG_FILTER
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6
-A OUTPUT -s 10.0.0.1 -d 208.67.222.222 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -s 10.0.0.1 -d 208.67.222.222 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s 10.0.0.1 -d 208.67.220.220 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -s 10.0.0.1 -d 208.67.220.220 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 224.0.0.0/255.0.0.0 -j DROP
-A OUTPUT -d 224.0.0.0/255.0.0.0 -j DROP
-A OUTPUT -s 255.255.255.255 -j DROP
-A OUTPUT -d 0.0.0.0 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o eth0 -j OUTBOUND
-A OUTPUT -j LOG_FILTER
-A OUTPUT -j LOG --log-prefix "Unknown Output" --log-level 6
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -s 10.0.0.0 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 22 -j ACCEPT
-A INBOUND -p udp -m udp --dport 22 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 6890:6900 -j ACCEPT
-A INBOUND -p udp -m udp --dport 6890:6900 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 123 -j ACCEPT
-A INBOUND -p udp -m udp --dport 123 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 9090 -j ACCEPT
-A INBOUND -p udp -m udp --dport 9090 -j ACCEPT
-A INBOUND -s 10.0.0.3 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INBOUND -s 10.0.0.3 -p udp -m udp --dport 137:139 -j ACCEPT
-A INBOUND -s 10.0.0.3 -p tcp -m tcp --dport 445 -j ACCEPT
-A INBOUND -s 10.0.0.3 -p udp -m udp --dport 445 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 80 -j ACCEPT
-A INBOUND -p udp -m udp --dport 80 -j ACCEPT
-A INBOUND -j LSI
-A LSI -j LOG_FILTER
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A LSI -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p icmp -m icmp --icmp-type 8 -j DROP
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -j DROP
-A LSO -j LOG_FILTER
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6
-A LSO -j REJECT --reject-with icmp-port-unreachable
-A OUTBOUND -p icmp -j ACCEPT
-A OUTBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -j ACCEPT
COMMIT
# Completed on Thu Feb  8 13:43:03 2007
```

Please help me, Thanks!

----------

## zietbukuel

No one?   :Sad: 

----------

## zietbukuel

bump ^^

Please, I really need this. I switched to Gentoo over a year ago just because of this really great community, please, don't disappoint me...   :Sad:

----------

## madisonicus

If you built them all as modules, did you modprobe them all before trying to start iptables?

Better yet, build them right into the kernel.

----------

## feardapenguin

The 2.6.20 kernel changed something.  I'm having the same problem.

----------

## madisonicus

Yes, there were a bunch of changes to netfilter in the 2.6.20 kernel.  Check that section of the kernel config and make sure you have enabled all the features you need.

----------

## zietbukuel

*madisonicus wrote:*

> Yes, there were a bunch of changes to netfilter in the 2.6.20 kernel.  Check that section of the kernel config and make sure you have enabled all the features you need.

Yeah, I thought that, but what is the solution? anyone knows?   :Confused: 

----------

## zietbukuel

bump ^^^

----------

## ncl

Apparently you don't have the required nat support in the kernel. I had the same problem till this morning. Double check if you have CONFIG_NF_NAT enabled (I can't see it in the config you provided). It's called 'Full NAT' under 'IP: Netfilter Configuration'. Hope this works for you too.

edit: Hmm... since I see you don't do nat I wonder if deleting the nat section from your rules file would also work (it isn't mandatory, is it?). Maybe it wouldn't even need the module then. Why haven't I thought about that earlier  :Rolling Eyes:  I'm just curious so please check that if you can. Now I have everything built in and I don't feel like doing another recompile just to try it.

----------
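A way to check a saved rule set against the tables the running kernel has registered, and to drop the sections it cannot load before restoring, following ncl's idea above of removing the nat section. This is an added example, not code from the thread, from the Gentoo init script or from firestarter; the sample dump is constructed, and `fw` in the usage note is the poster's rules file name.

```shell
# Added example, not code from the thread: check an iptables-save dump
# against the tables the running kernel registers, and drop the sections
# it cannot load before piping the rest to iptables-restore.

# Tables currently registered by the kernel, space separated. With a
# modular build this only lists tables whose modules are loaded, so
# modprobe them first (madisonicus's point) or the list is too short.
kernel_tables() {
    [ -r /proc/net/ip_tables_names ] && tr '\n' ' ' < /proc/net/ip_tables_names
}

# Print the names of tables in the dump on stdin that are not in the
# space-separated list $1. A non-empty result explains the
# "unable to initialize table 'nat'" failure before restore is run.
missing_tables() {
    awk -v keep=" $1 " '
        /^\*/ { tbl = substr($0, 2); if (index(keep, " " tbl " ") == 0) print tbl }
    '
}

# Copy the dump on stdin to stdout, keeping only "*<table> ... COMMIT"
# blocks for tables named in $1; comment lines pass through unchanged.
keep_tables() {
    awk -v keep=" $1 " '
        /^\*/  { tbl = substr($0, 2); in_tbl = 1; drop = (index(keep, " " tbl " ") == 0) }
        in_tbl { if (!drop) print; if ($0 == "COMMIT") in_tbl = 0; next }
        { print }
    '
}

# Constructed sample in iptables-save format, mirroring the thread's
# mangle/nat/filter layout: the nat section has chains but no rules.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*mangle
:PREROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos 0x08
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

# Simulate a 2.6.20 kernel built without CONFIG_NF_NAT: only mangle and
# filter are registered, so the nat block is reported and stripped.
sample_missing()  { printf '%s\n' "$SAMPLE_DUMP" | missing_tables "mangle filter"; }
sample_filtered() { printf '%s\n' "$SAMPLE_DUMP" | keep_tables "mangle filter"; }
```

On a real box the same functions run as `missing_tables "$(kernel_tables)" < fw` to diagnose, and `keep_tables "$(kernel_tables)" < fw | iptables-restore` to load only what the kernel accepts.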

## manouchk

I think you need the connection tracking with firestarter...

I see that you don't have this option selected:

```
              < > Netfilter connection tracking support
```

I think I had the same problem. I added some more modules in my kernel... Look at:

https://forums.gentoo.org/viewtopic-p-3992289.html#3992289

----------

