5.38 not working without iptable_nat module

This forum is only for reproducible bugs with csf and lfd (i.e. not iptables problems, lack of understanding how to use a feature, etc). Posts must be accompanied with full technical details of the problem and how it can be recreated. Any posts not adhering to this, or not considered bugs, will be moved to the General Discussion (csf) forum.
Post Reply
skate323k137
Junior Member
Posts: 12
Joined: 11 Jun 2011, 22:36

5.38 not working without iptable_nat module

Post by skate323k137 »

CSF 5.31 has been working fine on my VPS for some time. Upon installing 5.38 I am presented with;

iptables v1.2.11: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Error: iptables command [/sbin/iptables -v -t nat --flush] failed, at line 364

My parent does not have this module. The documentation says that iptable_nat optional. Is this now required for the latest version(s) to function?

As far as I can tell at this point, CSF does not start;
root@host [/etc/csf]# service csf status
Status of csf:You have an unresolved error when starting csf. You need to restart csf successfully to remove this warning

I am not trying to use the MESSENGER / csf.redirect feature(s) that uses the nat module, and I see nothing in the config file otherwise to resolve this. I have tested this on several virtuozzo instances where 5.31 works fine, and 5.38 fails on all of them with the same error. If this is not a bug, my apologies, feel free to nuke or move to the general forum. If there's an easy fix please let me know, otherwise I'll just advise our techs to use 5.31 on virtuozzo instances. Thanks.

--
edit; it seems that installing an old working version then updating via WHM works, but a fresh install of 5.38 causes the above issues. service csf status on the upgraded version shows the iptables rules, followed by:

iptables v1.2.11: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

But, the firewall works. It seems to error out completely on a fresh install as mentioned above, no iptables rules are listed when running a `status`.
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: 5.38 not working without iptable_nat module

Post by ForumAdmin »

There is an issue with the detection of the nat module. We'll look into a fix for the issue. In the meantime, can you post the exact output from:

Code: Select all

iptables -t nat -L POSTROUTING -nv
skate323k137
Junior Member
Posts: 12
Joined: 11 Jun 2011, 22:36

Re: 5.38 not working without iptable_nat module

Post by skate323k137 »

Output is as follows:
root@host [/home/temp/csf]# iptables -t nat -L POSTROUTING -nv
iptables v1.2.11: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Thanks for looking into this. As I said above, updating and old version seems to work, but a fresh install errors out.

In case it helps, heres the output from a restart with a fresh install of 5.38;
--------------
root@host [/home/temp/csf]# service csf restart
Stopping csf:You have an unresolved error when starting csf. You need to restart csf successfully to remove this warning
[ OK ]

Starting csf:Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
iptables v1.2.11: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.11: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Error: iptables command [/sbin/iptables -v -t nat --flush] failed, at line 364
[ OK ]
-------------------



Here's the output from an updated version (from 5.14 to 5.38):



-----
Restarting csf...

Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `acctboth'
iptables v1.2.11: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `acctboth'
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:67
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:67
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:68
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:68
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:111
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:111
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:113
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:113
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpts:135:139
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpts:135:139
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:445
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:445
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:513
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:513
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:520
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:520
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVDROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state INVALID
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x3F/0x00
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x3F/0x3F
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x03/0x03
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x06/0x06
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x05/0x05
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x11/0x01
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x18/0x08
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x30/0x20
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in !lo out * 10.30.6.250 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 10.30.6.250
ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:143
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:587
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:993
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2077
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2078
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2082
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2083
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2086
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2087
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2095
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2096
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:37
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:43
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:113
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:587
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:873
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2087
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2089
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2703
ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:20
ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:21
ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:53
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:20
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:21
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:53
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:113
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:123
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:873
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:6277
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmp type 0
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmp type 8
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmp type 0 limit: avg 1/sec burst 5
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmp type 11
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmp type 3
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmp type 11
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmp type 3
ACCEPT udp opt -- in !lo out * 69.16.234.115 -> 0.0.0.0/0 udp spt:53 dpt:53
ACCEPT tcp opt -- in !lo out * 69.16.234.115 -> 0.0.0.0/0 tcp spt:53 dpts:1024:65535
ACCEPT udp opt -- in !lo out * 69.16.234.115 -> 0.0.0.0/0 udp spt:53 dpts:1024:65535
ACCEPT tcp opt -- in !lo out * 69.16.234.115 -> 0.0.0.0/0 tcp spts:1024:65535 dpt:53
ACCEPT udp opt -- in !lo out * 69.16.234.115 -> 0.0.0.0/0 udp spts:1024:65535 dpt:53
ACCEPT udp opt -- in !lo out * 209.59.139.5 -> 0.0.0.0/0 udp spt:53 dpt:53
ACCEPT tcp opt -- in !lo out * 209.59.139.5 -> 0.0.0.0/0 tcp spt:53 dpts:1024:65535
ACCEPT udp opt -- in !lo out * 209.59.139.5 -> 0.0.0.0/0 udp spt:53 dpts:1024:65535
ACCEPT tcp opt -- in !lo out * 209.59.139.5 -> 0.0.0.0/0 tcp spts:1024:65535 dpt:53
ACCEPT udp opt -- in !lo out * 209.59.139.5 -> 0.0.0.0/0 udp spts:1024:65535 dpt:53
ACCEPT udp opt -- in !lo out * 209.59.139.6 -> 0.0.0.0/0 udp spt:53 dpt:53
ACCEPT tcp opt -- in !lo out * 209.59.139.6 -> 0.0.0.0/0 tcp spt:53 dpts:1024:65535
ACCEPT udp opt -- in !lo out * 209.59.139.6 -> 0.0.0.0/0 udp spt:53 dpts:1024:65535
ACCEPT tcp opt -- in !lo out * 209.59.139.6 -> 0.0.0.0/0 tcp spts:1024:65535 dpt:53
ACCEPT udp opt -- in !lo out * 209.59.139.6 -> 0.0.0.0/0 udp spts:1024:65535 dpt:53
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 udp spt:53
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 tcp spt:53
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:53
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:53
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
Restarting bandmin acctboth chains for cPanel
acctboth all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
acctboth all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
acctboth all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
acctboth all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0


...Done.

--------------
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: 5.38 not working without iptable_nat module

Post by ForumAdmin »

I've just release v5.39 which should address this issue.
skate323k137
Junior Member
Posts: 12
Joined: 11 Jun 2011, 22:36

Re: 5.38 not working without iptable_nat module

Post by skate323k137 »

Works perfectly! Thank you very much.
Post Reply