IPTables module ip_tables not found for root

We got a custom-built Linux distribution from a vendor, which is not shipped with iptables enabled.

root@xxxx:~# iptables -L
modprobe: FATAL: Module ip_tables not found.
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I also tried using modprobe, but the module was not found, and the find command found nothing either.

# modprobe ip_tables
modprobe: FATAL: Module ip_tables not found.
# find / -name "ip_tables*"
# 

Is it possible to compile netfilter and iptables and integrate them? I tried compiling the entire kernel, but due to some unknown factor some functionality is not working. Hence I need to build them as kernel modules and integrate them with our existing custom distribution.


1) "iptables" is the userland application that deals with the ip_tables kernel module. It seems you already have /bin/iptables, but your kernel has not included/loaded ip_tables.ko.

2) If your kernel does not support ip_tables, your distro might have it included as a loadable kernel module at:

/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko 

where uname -r is the kernel version, i.e. 3.5.0-18-generic.

If you find ip_tables.ko, you can try

# depmod
# modprobe ip_tables

or

# insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko

Depending on whether your distro includes the real depmod/modprobe/insmod apps or the ones implemented by busybox, you might run into some additional issues, like relative path problems or compressed kernel modules not being handled correctly, depending on the busybox version.

3) If ip_tables.ko is not available, you have to either rebuild the kernel with ip_tables support or build it as an external loadable module. In the latter case, after creating ip_tables.ko, go back to 2).


TL;DR

  • Update your kernel: sudo pacman -S linux

  • Update your bootloader: bootctl --path=/boot install

  • Reboot

This morning I ran into this same problem when trying to configure iptables:

[root@office-pc /]# iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE
iptables v1.6.0: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I am using iptables version:

[root@office-pc /]# pacman -Q iptables
iptables 1.6.0-1

What has happened?

Does the ip_tables kernel module actually exist?

[root@office-pc /]# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
bash: /lib/modules/4.8.13-1-ARCH/kernel/net/ipv4/netfilter/ip_tables.ko: No such file or directory

[root@office-pc /]# modprobe ip_tables
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/4.8.13-1-ARCH

Hmmm... Seems it has disappeared! Let's find out:

  1. What kernel is my computer using?
  2. Does it support iptables?

[root@office-pc /]# uname -r
4.8.13-1-ARCH

[root@office-pc /]# cat /proc/sys/kernel/osrelease
4.8.13-1-ARCH

[root@office-pc /]# zgrep IPTABLES /proc/config.gz
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP6_NF_IPTABLES=m

OK... This is odd because it's a standard Arch Linux kernel, and it supports iptables.

Let's have a look to see if there are any netfilter modules available (I would be very surprised if there were not, because it is very unlikely something would delete them):

[root@office-pc /]# ls /lib/modules/*/kernel/net/*/netfilter/
/lib/modules/4.9.11-1-ARCH/kernel/net/bridge/netfilter/:
ebt_802_3.ko.gz       ebtables.ko.gz      ebt_dnat.ko.gz   ebt_log.ko.gz     ebt_pkttype.ko.gz   ebt_vlan.ko.gz      nft_reject_bridge.ko.gz
ebtable_broute.ko.gz  ebt_among.ko.gz     ebt_ip6.ko.gz    ebt_mark.ko.gz    ebt_redirect.ko.gz  nf_log_bridge.ko.gz
ebtable_filter.ko.gz  ebt_arp.ko.gz   ebt_ip.ko.gz     ebt_mark_m.ko.gz  ebt_snat.ko.gz  nf_tables_bridge.ko.gz
ebtable_nat.ko.gz     ebt_arpreply.ko.gz  ebt_limit.ko.gz  ebt_nflog.ko.gz   ebt_stp.ko.gz   nft_meta_bridge.ko.gz

/lib/modules/4.9.11-1-ARCH/kernel/net/ipv4/netfilter/:
arptable_filter.ko.gz   ip_tables.ko.gz       nf_conntrack_ipv4.ko.gz       nf_nat_pptp.ko.gz       nft_dup_ipv4.ko.gz
arp_tables.ko.gz    ipt_ah.ko.gz          nf_defrag_ipv4.ko.gz      nf_nat_proto_gre.ko.gz  nft_masq_ipv4.ko.gz
arpt_mangle.ko.gz   ipt_CLUSTERIP.ko.gz   nf_dup_ipv4.ko.gz         nf_nat_snmp_basic.ko.gz nft_redir_ipv4.ko.gz
iptable_filter.ko.gz    ipt_ECN.ko.gz         nf_log_arp.ko.gz          nf_reject_ipv4.ko.gz    nft_reject_ipv4.ko.gz
iptable_mangle.ko.gz    ipt_MASQUERADE.ko.gz  nf_log_ipv4.ko.gz         nf_tables_arp.ko.gz
iptable_nat.ko.gz   ipt_REJECT.ko.gz      nf_nat_h323.ko.gz         nf_tables_ipv4.ko.gz
iptable_raw.ko.gz   ipt_rpfilter.ko.gz    nf_nat_ipv4.ko.gz         nft_chain_nat_ipv4.ko.gz
iptable_security.ko.gz  ipt_SYNPROXY.ko.gz    nf_nat_masquerade_ipv4.ko.gz  nft_chain_route_ipv4.ko.gz

/lib/modules/4.9.11-1-ARCH/kernel/net/ipv6/netfilter/:
ip6table_filter.ko.gz    ip6t_ah.ko.gz      ip6t_mh.ko.gz        nf_conntrack_ipv6.ko.gz       nf_reject_ipv6.ko.gz        nft_redir_ipv6.ko.gz
ip6table_mangle.ko.gz    ip6t_eui64.ko.gz   ip6t_NPT.ko.gz       nf_defrag_ipv6.ko.gz      nf_tables_ipv6.ko.gz        nft_reject_ipv6.ko.gz
ip6table_nat.ko.gz   ip6t_frag.ko.gz    ip6t_REJECT.ko.gz    nf_dup_ipv6.ko.gz         nft_chain_nat_ipv6.ko.gz
ip6table_raw.ko.gz   ip6t_hbh.ko.gz     ip6t_rpfilter.ko.gz  nf_log_ipv6.ko.gz         nft_chain_route_ipv6.ko.gz
ip6table_security.ko.gz  ip6t_ipv6header.ko.gz  ip6t_rt.ko.gz        nf_nat_ipv6.ko.gz         nft_dup_ipv6.ko.gz
ip6_tables.ko.gz     ip6t_MASQUERADE.ko.gz  ip6t_SYNPROXY.ko.gz  nf_nat_masquerade_ipv6.ko.gz  nft_masq_ipv6.ko.gz

So there is a clue here; it appears I have a kernel mismatch (there are kernel modules for kernel version /lib/modules/4.9.11-1, which does not match the kernel running on my computer - 4.9.13-1). So let's check to see if there are any modules available for the kernel running on my machine:

[root@office-pc /]# ls /lib/modules/4.8.13-1-ARCH
ls: cannot access '/lib/modules/4.8.13-1-ARCH': No such file or directory

Nope! So this is most likely the root cause of the problem; the kernel running on my machine does not have any loadable modules (not good). Let's try to fix it by updating (in my case, downgrading) the kernel. Because I am using the standard Arch Linux kernel, which is under pacman version control, I can simply run pacman to update it (if you are using a custom kernel, that is a problem you will be able to solve):

[root@office-pc /]# sudo pacman -S linux
...
Packages (1) linux-4.9.11-1
...

Great! pacman will install kernel 4.9.11-1, which is the one I want (I have modules for this kernel - I have no idea how I ended up getting Kernel 4.9.13). Let pacman complete installation.

Finally, I need to make sure this kernel will be used when booting the machine. So I need to update the boot manager (I am using systemd-boot).

  • I have a boot partition which is mounted to /boot

  • Delete the loader.conf file: /boot/loader/loader.conf (it will be updated when running bootctl below and bootctl will not update it if it already exists)

  • Run bootctl to update the boot manager:

[root@office-pc /]$ bootctl --path=/boot install

Now reboot the computer... When it reboots it should use the new (downgraded) kernel!

Once it's booted, and you have logged in, check the kernel version to ensure the correct kernel is running:

[matt@office-pc /]$ uname -r
4.9.11-1-ARCH

Now try to run the original command (to set up iptables internet sharing):

[matt@office-pc /]$ sudo iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE
[matt@office-pc /]$ sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[matt@office-pc /]$ sudo iptables -A FORWARD -i enp0s20f0u4u3 -o enp0s31f6 -j ACCEPT

Woo-hoo! Problem fixed! (Note: I logged in as root user to fix this problem - I would not recommend doing this unless you are confident you know what you are doing!)
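
The manual checks from both answers above (module file present, module tree matching `uname -r`, kernel config value), collected into one script. This is an added example, not code from either answer; the function names and verdict strings are assumptions of this sketch, and it also looks for `.xz`/`.zst` compressed modules, which goes beyond the `.ko.gz` files shown in the listing.

```shell
#!/bin/sh
# Added example: explain why `modprobe ip_tables` reports "not found".
# Function names and verdict strings are hypothetical, chosen for this sketch.

# find_module ROOT RELEASE NAME: print the first NAME.ko (plain or compressed).
find_module() {
    find "$1/$2" -type f \( -name "$3.ko" -o -name "$3.ko.gz" \
        -o -name "$3.ko.xz" -o -name "$3.ko.zst" \) 2>/dev/null | head -n 1
}

# diagnose ROOT RELEASE NAME: print one verdict.
#   ok              module file exists for RELEASE
#   not-built       tree for RELEASE exists, module file absent (=y or unset)
#   mismatch:OTHER  no tree for RELEASE, but release OTHER ships the module
#   no-tree         no tree for RELEASE and no other release ships the module
diagnose() {
    root=$1 rel=$2 name=$3
    if [ -d "$root/$rel" ]; then
        if [ -n "$(find_module "$root" "$rel" "$name")" ]; then
            echo ok
        else
            echo not-built
        fi
        return
    fi
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        other=$(basename "$dir")
        if [ -n "$(find_module "$root" "$other" "$name")" ]; then
            echo "mismatch:$other"
            return
        fi
    done
    echo no-tree
}

# config_state FILE SYMBOL: print y (built in) or m (loadable module).
# FILE is a gzip-compressed kernel config such as /proc/config.gz.
config_state() {
    gzip -dc "$1" 2>/dev/null | sed -n "s/^$2=\(.\)$/\1/p"
}

# Live check: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    diagnose /lib/modules "$(uname -r)" ip_tables
    config_state /proc/config.gz CONFIG_IP_NF_IPTABLES
fi
```

A `mismatch:` verdict is the situation in the second answer: the running kernel's module tree is gone, so the running kernel and the installed module tree have to be brought back in line (kernel package update and reboot) before `modprobe` can succeed.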