SyntaxFix

[linux-kernel] iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)

I'm trying to set iptable rules, and I got following error message when I use iptable :

iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I'm using :

cat /etc/debian_version 
7.4

uname -a
Linux myserver 2.6.32-22-pve #1 SMP Mon Jul 15 08:36:46 CEST 2013 x86_64 GNU/Linux

uname -r
2.6.32-22-pve

This is a virtual server hosted by a service provider.

What can I do to solve this ?

This question is related to linux-kernel debian iptables

The answer is

Finaly, my service provider answered :

This is a limitation of the virtualization system we use (OpenVZ), basic iptables rules are possible but not those who use the nat table.

If this really is a problem, we can offer you to migrate to a other system virtualization (KVM) as we begin to offer our customers.

SO I had to migrate my server to the new system...

If you are running puppet it may set /proc/sys/kernel/modules_disabled to 1, inhibiting further module loading. When the machine is reboot, it gets set back to 0, allowing for changes, such as loading the iptables modules. After a certain amount of time puppet will set it back to 1 to protect the system from kernel root kits. Therefore, whatever modules that we are going to need should be loaded during or shortly after boot time.

Short version :

run iptables on the host before to run it in the virtual server (I'm pretty sure this is some sort of LXC or OpenVZ container here).

Long version :

The problem is due to the fact that the ip_table module is loaded on demand. So, after a reboot, on any machine that does not have any iptables rules loaded at boot time, the ip_tables module is not loaded (no demand for the modules == the module is not loaded). Consequently, the LXC or OpenVZ containers cannot use iptables (since they share the host kernel but cannot modify which modules are loaded) until the host has somehow loaded the ip_tables module.

On OpenSUSE 15.3 systemd log reported this error (insmod suggestion was unhelpful).

Feb 18 08:36:38 vagrant-openSUSE-Leap dockerd[20635]: iptables v1.6.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)

REBOOT fixed the problem

The table names are case-sensitive so you should use lower-case nat instead of upper-case NAT. For example;

iptables -t nat -A POSTROUTING -s 192.168.1.1/24 -o eth0 -j MASQUERADE

"IP conntrack functionality has some negative impact on venet performance (uo to about 10%), so they better be disabled by default." It's need for nat

https://serverfault.com/questions/593263/iptables-nat-does-not-exist

That solution from the official wiki: 

vzctl set $CTID --netfilter full --save

https://openvz.org/VPN_via_the_TUN/TAP_device#Troubleshooting

check if tun/tap enabled:

cat /dev/net/tun

if ok will see something :

cat: /dev/net/tun: File descriptor in bad state

uname -av;
sudo apt install --reinstall (output from uname -av)

I had the same problem with Debian 8. I fixed it by restarting the system. It seems that the error can occur if the kernel image was updated and the system was not restarted thereafter.

It maybe useful to add that if you're seeing this error message and you're not using some kind of restricted container based hosting (e.g. OpenVZ) then the problem maybe that the kernel is missing the nat modules. To check run:

modinfo iptable_nat

Which should print out the location of the module, if it prints an ERROR then you know that is your problem. There are also dependent modules like nf_nat which might be missing so you'll have to dig deeper if the iptable_nat module is there but fails. If it is missing you'll need to get another kernel and modules, or if you're rolling your own ensure that the kernel config contains CONFIG_IP_NF_NAT=m (for IPv4 NAT).

For info the relevant kernel module is usually found in one of these locations:

ls /lib/modules/`uname -r`/kernel/net/netfilter/
ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/

And if you're running IPv6 also look here:

ls /lib/modules/`uname -r`/kernel/net/ipv6/netfilter/

iptalbes tool relies on a kernel module interacting with netfilter to control network traffic.

This error happens while iptalbes cannot found that module in kernel, so iptables suggest you to upgrade it :)

Perhaps iptables or your kernel needs to be upgraded.

However in most cases it's just the module not added to kernel or being banned, try this command to check whether be banned:

cd /etc/modprobe.d/ && grep -nr iptable_nat

if the command shows any rule matched, such as blacklist iptable_nat or install iptable_nat /bin/true, delete it. Since iptalbes will cost some performance, it's not strange to ban it while not necessary.

If nothing found in blacklist, try add iptable-nat to the kernal manual:

modprobe iptable-nat

If all of above not works, you can consider really upgrade your kernal...

Source: Stackoverflow.com

Examples related to linux-kernel

How to fix: fatal error: openssl/opensslv.h: No such file or directory in RedHat 7 How do I delete virtual interface in Linux? Image vs zImage vs uImage iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?) IOCTL Linux device driver How to solve "Kernel panic - not syncing - Attempted to kill init" -- without erasing any user data What is ":-!!" in C code? What is the difference between the kernel space and the user space? What does "make oldconfig" do exactly in the Linux kernel makefile? "FATAL: Module not found error" using modprobe

Examples related to debian

E: Unable to locate package npm How to update-alternatives to Python 3 without breaking apt? What is difference between arm64 and armhf? github: server certificate verification failed "Call to undefined function mysql_connect()" after upgrade to php-7 Debian 8 (Live-CD) what is the standard login and password? How to set the locale inside a Debian/Ubuntu Docker container? ps command doesn't work in docker container Forwarding port 80 to 8080 using NGINX Switching users inside Docker image to a non-root user

Examples related to iptables

Connection refused to MongoDB errno 111 How can I use iptables on centos 7? Adding a rule in iptables in debian to open a new port iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?) iptables LOG and DROP in one rule How can I remove specific rules from iptables? iptables block access to port 8000 except from IP address Iptables setting multiple multiports in one rule Is there a way for non-root processes to bind to "privileged" ports on Linux?

Tags

Xbox360 Stockquotes Limits Binary Finite-element-analysis Terminator Ngen Arity Public-key Text-indent Vsip Django-multilingual Buildprovider Code-coverage Joomla-extensions Base-sdk Vpc Emv Duplex-channel Hashable Moodle Dfc Subset Greatest-common-divisor Data-formats Digital-certificate Dreamhost Nfsclient Bitmapsource Nlb Tapestry Url-scheme Nshost Vmt Alignment Password-checker Ssid Mapinfo Jtableheader Linda Mount Sass Firebug-lite Enterprise-architect Webpage Admin Zeta-components Web-statistics Xml-validation Gmail Kconfig Bsddb Database-deployment Swtbot Strtr Core-graphics Data-formatters Sftp Drupal-domain-access Download-manager Createtextnode Sitedefs Wscf Language-history Apartments Tcp-ip Editplus Google-talk Power-saving Gumstix Scroll-lock Input-filtering Com-interop Update-site Xml.etree Iso Linkify Cpu-cycles Django-reversion Ctor-initializer Arbitrary-precision Wcf-hosting Corflags Mobileme Asciidoc Android-progressbar Watchdog Vmware-tools Libpng Fulfillment J9 Lazy-sequences Prepared-statement Approximate Aspnetdb Findinfiles Codesite Colormatrix Kdtree Jwplayer