LinuxQuestions.org


EvanRC 09-11-2021 12:09 AM

IPTABLES Broken w/ Kernel Upgrade: "Can't initialize iptables table 'filter'" & "Could not insert 'iptable_filter': Operation not permitted"
 
Running Ubuntu 20.04 with freshly upgraded 5.11.0-34-generic (over 0-27). APT makes the process of updating the kernel rather simple, but when attempting to initialize my VPN or simply checking the firewall status, I get:
Code:

iptables v1.8.4 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I figured that it hadn't updated the module - and the iptables version is the one provided through apt, installed by default with ufw and ubuntu-standard. Modinfo said it was up-to-date, so I ran:
Code:

sudo apt-get update
sudo apt-get reinstall linux-image-$(uname -r) linux-headers-$(uname -r) linux-modules-$(uname -r) linux-modules-extra-$(uname -r) iptables
sudo apt-get upgrade

After this ran and I rebooted, the error persisted. Additionally, attempting to use modprobe on 'iptable_filter' or 'ip6table_filter' gives:
Code:

modprobe: ERROR: could not insert 'iptable_filter': Operation not permitted

So I entered into recovery mode for 5.11.0-34. The system took a bit longer, understandably, and then I ran the 'dpkg Repair Broken Packages' recovery option. This found nothing broken, so I went into root terminal. Surprisingly? In recovery mode, the filter module was loaded fine into the kernel. However, the VPN still failed to load - likely due to the restrictions of recovery mode.



The output of 'modprobe -f -vvv iptable_filter' (after running modprobe -r) is:
Code:

modprobe: INFO: ../libkmod/libkmod.c:365 kmod_set_log_fn() custom logging function 0x559fb9fa0b90 registered
modprobe: DEBUG: ../libkmod/libkmod-index.c:755 index_mm_open() file=/lib/modules/5.11.0-34-generic/modules.dep.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:755 index_mm_open() file=/lib/modules/5.11.0-34-generic/modules.alias.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:755 index_mm_open() file=/lib/modules/5.11.0-34-generic/modules.symbols.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:755 index_mm_open() file=/lib/modules/5.11.0-34-generic/modules.builtin.alias.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:755 index_mm_open() file=/lib/modules/5.11.0-34-generic/modules.builtin.bin
modprobe: DEBUG: ../libkmod/libkmod-module.c:556 kmod_module_new_from_lookup() input alias=iptable_filter, normalized=iptable_filter
modprobe: DEBUG: ../libkmod/libkmod-module.c:562 kmod_module_new_from_lookup() lookup modules.dep iptable_filter
modprobe: DEBUG: ../libkmod/libkmod.c:598 kmod_search_moddep() use mmaped index 'modules.dep' modname=iptable_filter
modprobe: DEBUG: ../libkmod/libkmod.c:403 kmod_pool_get_module() get module name='iptable_filter' found=(nil)
modprobe: DEBUG: ../libkmod/libkmod.c:411 kmod_pool_add_module() add 0x559fba860360 key='iptable_filter'
modprobe: DEBUG: ../libkmod/libkmod.c:403 kmod_pool_get_module() get module name='ip_tables' found=(nil)
modprobe: DEBUG: ../libkmod/libkmod.c:403 kmod_pool_get_module() get module name='ip_tables' found=(nil)
modprobe: DEBUG: ../libkmod/libkmod.c:411 kmod_pool_add_module() add 0x559fba8604d0 key='ip_tables'
modprobe: DEBUG: ../libkmod/libkmod-module.c:196 kmod_module_parse_depline() add dep: /lib/modules/5.11.0-34-generic/kernel/net/ipv4/netfilter/ip_tables.ko
modprobe: DEBUG: ../libkmod/libkmod.c:403 kmod_pool_get_module() get module name='x_tables' found=(nil)
modprobe: DEBUG: ../libkmod/libkmod.c:403 kmod_pool_get_module() get module name='x_tables' found=(nil)
modprobe: DEBUG: ../libkmod/libkmod.c:411 kmod_pool_add_module() add 0x559fba8605e0 key='x_tables'
modprobe: DEBUG: ../libkmod/libkmod-module.c:196 kmod_module_parse_depline() add dep: /lib/modules/5.11.0-34-generic/kernel/net/netfilter/x_tables.ko
modprobe: DEBUG: ../libkmod/libkmod-module.c:202 kmod_module_parse_depline() 2 dependencies for iptable_filter
modprobe: DEBUG: ../libkmod/libkmod-module.c:589 kmod_module_new_from_lookup() lookup iptable_filter=0, list=0x559fba85fd50
modprobe: DEBUG: ../libkmod/libkmod.c:500 lookup_builtin_file() use mmaped index 'modules.builtin' modname=iptable_filter
modprobe: DEBUG: ../libkmod/libkmod-module.c:1760 kmod_module_get_initstate() could not open '/sys/module/iptable_filter/initstate': No such file or directory
modprobe: DEBUG: ../libkmod/libkmod-module.c:1770 kmod_module_get_initstate() could not open '/sys/module/iptable_filter': No such file or directory
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_pcsp mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_audio mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=cx88_alsa mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_atiixp_modem mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_intel8x0m mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_via82xx_modem mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=bt87x mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=cx88_alsa mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=saa7134_alsa mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_atiixp_modem mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_intel8x0m mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_via82xx_modem mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_audio mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_caiaq mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_ua101 mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_us122l mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_usx2y mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_cmipci mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_pcsp mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_audio mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=bonding mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=dummy mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=vt mod->name=x_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod.c:500 lookup_builtin_file() use mmaped index 'modules.builtin' modname=x_tables
modprobe: DEBUG: ../libkmod/libkmod-module.c:1316 kmod_module_probe_insert_module() Ignoring module 'x_tables': already loaded
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_pcsp mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_audio mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=cx88_alsa mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_atiixp_modem mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_intel8x0m mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_via82xx_modem mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=bt87x mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=cx88_alsa mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=saa7134_alsa mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_atiixp_modem mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_intel8x0m mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_via82xx_modem mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_audio mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_caiaq mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_ua101 mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_us122l mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_usx2y mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_cmipci mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_pcsp mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_audio mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=bonding mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=dummy mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=vt mod->name=ip_tables mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod.c:500 lookup_builtin_file() use mmaped index 'modules.builtin' modname=ip_tables
modprobe: DEBUG: ../libkmod/libkmod-module.c:1316 kmod_module_probe_insert_module() Ignoring module 'ip_tables': already loaded
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_pcsp mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_audio mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=cx88_alsa mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_atiixp_modem mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_intel8x0m mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_via82xx_modem mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=bt87x mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=cx88_alsa mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=saa7134_alsa mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_atiixp_modem mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_intel8x0m mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_via82xx_modem mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_audio mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_caiaq mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_ua101 mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_us122l mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_usx2y mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_cmipci mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_pcsp mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=snd_usb_audio mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=bonding mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=dummy mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1404 kmod_module_get_options() modname=vt mod->name=iptable_filter mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1760 kmod_module_get_initstate() could not open '/sys/module/iptable_filter/initstate': No such file or directory
modprobe: DEBUG: ../libkmod/libkmod-module.c:1770 kmod_module_get_initstate() could not open '/sys/module/iptable_filter': No such file or directory
modprobe: DEBUG: ../libkmod/libkmod-module.c:750 kmod_module_get_path() name='iptable_filter' path='/lib/modules/5.11.0-34-generic/kernel/net/ipv4/netfilter/iptable_filter.ko'
modprobe: DEBUG: ../libkmod/libkmod-module.c:750 kmod_module_get_path() name='iptable_filter' path='/lib/modules/5.11.0-34-generic/kernel/net/ipv4/netfilter/iptable_filter.ko'
insmod /lib/modules/5.11.0-34-generic/kernel/net/ipv4/netfilter/iptable_filter.ko
modprobe: DEBUG: ../libkmod/libkmod-module.c:750 kmod_module_get_path() name='iptable_filter' path='/lib/modules/5.11.0-34-generic/kernel/net/ipv4/netfilter/iptable_filter.ko'
modprobe: INFO: ../libkmod/libkmod-module.c:892 kmod_module_insert_module() Failed to insert module '/lib/modules/5.11.0-34-generic/kernel/net/ipv4/netfilter/iptable_filter.ko': Operation not permitted
modprobe: ERROR: could not insert 'iptable_filter': Operation not permitted
modprobe: DEBUG: ../libkmod/libkmod-module.c:468 kmod_module_unref() kmod_module 0x559fba860360 released
modprobe: DEBUG: ../libkmod/libkmod.c:419 kmod_pool_del_module() del 0x559fba860360 key='iptable_filter'
modprobe: DEBUG: ../libkmod/libkmod-module.c:468 kmod_module_unref() kmod_module 0x559fba8605e0 released
modprobe: DEBUG: ../libkmod/libkmod.c:419 kmod_pool_del_module() del 0x559fba8605e0 key='x_tables'
modprobe: DEBUG: ../libkmod/libkmod-module.c:468 kmod_module_unref() kmod_module 0x559fba8604d0 released
modprobe: DEBUG: ../libkmod/libkmod.c:419 kmod_pool_del_module() del 0x559fba8604d0 key='ip_tables'
modprobe: INFO: ../libkmod/libkmod.c:332 kmod_unref() context 0x559fba85f4a0 released

I don't know much about these codes, but there isn't anything - to my knowledge - that says why loading the iptables filter is not permitted. Modinfo reports it as valid, so it isn't corrupt or anything, but nothing I seem to do can fix this, aside from what I had to do last month, which was a hard reinstall of Ubuntu.


Things I've looked at:
https://www.linuxquestions.org/quest...-exist-739550/
https://askubuntu.com/questions/7436...you-need-to-i/ (although it's angled for raspberry pi)
https://askubuntu.com/questions/2821...e-table-filter
https://www.tutorialspoint.com/unix_...s/modprobe.htm (just as reference for modprobe)
https://www.linuxquestions.org/quest...r'-577212/


Prior to the kernel upgrade, iptables and the VPN were working fine (i.e. using sudo iptables --list didn't make the terminal scream in figurative pain). This is getting in the way of a few smaller things, but I figured I needed to find out how - if possible - to fix this now and in the future, or if I should just... not touch apt-get dist-upgrade, despite never having had problems with it until now.



Any ideas?


EDIT #1:

Something appears to have gone awry with the default loading sequence for the kernel. I did some more poking around and stumbled - completely unrelated - across a post about SD cards not showing up in Linux. It said to edit your /etc/modules and add 'tifm_sd' to it. I did, along with - out of curiosity - the 'iptable_filter' module, wondering why the file was empty. When I rebooted, you wouldn't guess what the output was when I ran 'iptables --list':
Code:

Chain INPUT (policy ACCEPT)
target    prot opt source              destination       

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

It seems that, by upgrading the kernel, my /etc/modules was emptied. Albeit, just adding 'iptable_filter' didn't fix it - the VPN also needed NAT and the sort - but I may have stumbled across the road to solution completely by chance. And for reference, adding 'tifm_sd' also let me read the SD card. One thing that this may mean is, can someone provide me a copy of their /etc/modules file?


EDIT #2 (FINAL)
Turns out, the package lockdown was to blame... I didn't even realize it was installed.
That would explain the "Operation not Permitted" errors.

Sorry folks.
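
Added example, not part of the original post: a shell check of the standard kernel-side conditions under which module insertion returns "Operation not permitted" even for root (the `kernel.modules_disabled` sysctl, the kernel lockdown LSM, and a missing CAP_SYS_MODULE). The function names and the root-prefix argument are assumptions made for this example; which of these settings the `lockdown` package changes is not stated in the thread.

```shell
#!/bin/sh
# Added example: check the kernel-side conditions under which init_module()
# returns EPERM ("Operation not permitted") even for root.
# The first argument of each function is a root prefix (hypothetical helper
# convention): "" inspects the live system, a directory inspects a copy.

modules_disabled_state() {
    f="$1/proc/sys/kernel/modules_disabled"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        1) echo disabled ;;   # one-way switch: stays 1 until reboot
        0) echo enabled ;;
        *) echo unknown ;;
    esac
}

lockdown_state() {
    f="$1/sys/kernel/security/lockdown"
    [ -r "$f" ] || { echo unavailable; return 0; }
    # File looks like "none [integrity] confidentiality"; brackets mark the active mode.
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

has_cap_sys_module() {
    # CapEff is a hex bitmask; CAP_SYS_MODULE is capability number 16.
    hex=$(sed -n 's/^CapEff:[[:space:]]*//p' "$1/proc/self/status" 2>/dev/null) || hex=""
    [ -n "$hex" ] || { echo unknown; return 0; }
    if [ $(( (0x$hex >> 16) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

eperm_causes() {
    causes=""
    [ "$(modules_disabled_state "$1")" = disabled ] && causes="$causes modules_disabled"
    case "$(lockdown_state "$1")" in
        # Lockdown rejects modules without a trusted signature.
        integrity|confidentiality) causes="$causes lockdown" ;;
    esac
    [ "$(has_cap_sys_module "$1")" = no ] && causes="$causes no_cap_sys_module"
    echo "${causes:-none}" | sed 's/^ //'
}

# Report for the live system.
echo "possible EPERM causes: $(eperm_causes "")"
```

`kernel.modules_disabled` cannot be set back to 0 without a reboot, so modules loaded early in boot (for example from /etc/modules) can already be present when a later `modprobe` is refused.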

GentleThotSeaMonkey 09-26-2021 01:18 AM

(belated) Welcome to LQ! Great info; glad you found the solution.

(now ZRT list fits on 1 page, for the moment!)


All times are GMT -5.