Linode Forum
Linode Community Forums
 Post subject: IPTables
PostPosted: Fri Feb 27, 2009 8:23 am 
Offline
Newbie

Joined: Fri Feb 27, 2009 8:21 am
Posts: 3
I'm having a problem (below) when I try to start iptables.
Code:
[root@s1 ~]# service iptables start
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: security raw nat mangle fi[FAILED]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
[root@s1 ~]#


Can anyone help?

Thanks,
Michael


 Post subject:
PostPosted: Fri Feb 27, 2009 11:17 am 
Offline
Senior Member

Joined: Sun Nov 14, 2004 6:37 pm
Posts: 138
Website: http://oldos.org
WLM: jasonlfaulkner@hotmail.com
Yahoo Messenger: jasonfncsu
AOL: jaylfaulkner
Location: NC, USA
You've defined a non-existent table in your iptables configuration. There's no iptable-table named "security". Those rules should be moved into filter, nat, or mangle (most likely filter).

_________________
Jay Faulkner
http://oldos.org


 Post subject:
PostPosted: Fri Feb 27, 2009 11:44 am 
Offline
Newbie

Joined: Fri Feb 27, 2009 8:21 am
Posts: 3
Jay wrote:
You've defined a non-existent table in your iptables configuration. There's no iptable-table named "security". Those rules should be moved into filter, nat, or mangle (most likely filter).


How do I remove it?


 Post subject:
PostPosted: Fri Feb 27, 2009 12:14 pm 
Offline
Newbie

Joined: Fri Feb 27, 2009 8:21 am
Posts: 3
Nevermind, fixed


 Post subject:
PostPosted: Fri Jun 11, 2010 5:09 am 
Offline
Senior Newbie

Joined: Mon Apr 28, 2008 3:31 am
Posts: 12
The fix, at least for me, was to switch from the 2.6 paravirt kernel to the latest 2.6 stable. There's an issue with the paravirt kernel that Linode's Build team are aware of but there is no ETA on if/when there will be a resolution.

Terry


 Post subject:
PostPosted: Fri Jun 11, 2010 11:01 pm 
Offline
Newbie

Joined: Tue Jun 01, 2010 11:04 am
Posts: 3
I get this error as well. I cannot figure out how to "fix" the error in my iptables configuration since I don't even use the word security. I'm running the paravirt kernel. Is there a risk to ignoring the error and letting iptables run as is?


 Post subject:
PostPosted: Sun Jun 13, 2010 5:49 am 
Offline
Senior Newbie

Joined: Mon Apr 28, 2008 3:31 am
Posts: 12
I asked the same question and it wasn't really answered. This is what I received from support:

"The issue is that the "Latest 2.6 Paravirt" kernel has a "security" chain and iptables doesn't know how to handle it. Usually switching to the "Latest 2.6 Stable" kernel resolves the issue without any further tweaking of the iptables init script (it often just ignores that chain and starts normally). Our builds team is indeed aware of this problem, however I do not have an ETA on if/when it will be resolved.

It is perfectly fine to continue using our "Latest 2.6 Stable" kernel -- this kernel was actually the default selection for CentOS deployments until recently. No applications, with the exception of iptables, will operate differently when using the stable kernel."

So not really an answer if you can use the paravirt kernel without a problem. If you find out the answer, please post.

Note that if you execute an iptables-save while using the paravirt kernel, it will save a security chain in the /etc/sysconfig/iptables file so upon start-up with the 2.6 stable kernel, iptables will try to load a security chain and will really fail.

Terry
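
The saved-ruleset problem described in the post above, as an added example that is not part of the original thread: `iptables-save` writes each table as a `*name` section ending in `COMMIT`, so a dump can be checked for tables the target system does not know and the unwanted section dropped before it is restored. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the tables in an iptables-save dump and drop one
# table's whole section (its "*name" line through the matching COMMIT).

# list_tables: print the table names found in a dump read from stdin.
list_tables() {
    awk '/^\*/ { print substr($0, 2) }'
}

# strip_table NAME: copy stdin to stdout without the section for table NAME.
strip_table() {
    awk -v want="*$1" '
        $0 == want             { skip = 1; next }  # section header, e.g. *security
        skip && $0 == "COMMIT" { skip = 0; next }  # end of the skipped section
        !skip                  { print }
    '
}

# Constructed sample in iptables-save format (not taken from the thread).
sample_dump() {
    cat <<'EOF'
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Show which tables the cleaned dump would ask iptables-restore to load.
sample_dump | strip_table security | list_tables
```

Write the cleaned output to a new file and diff it against the original before replacing /etc/sysconfig/iptables, so the filter rules that actually protect the host are confirmed unchanged.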


 Post subject:
PostPosted: Sun Apr 17, 2011 12:29 pm 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
I'm having the same issue after switching to the latest 2.6 paravirt. No solution yet?


 Post subject:
PostPosted: Wed Sep 07, 2011 12:21 pm 
Offline
Senior Newbie

Joined: Mon Apr 28, 2008 3:31 am
Posts: 12
Just deployed CentOS 6 and ran into this problem again with the latest paravirt. Found this on the web.

http://impactservices.in/content/iptabl ... ter-failed

Haven't tried it out yet. Not sure if it will screw anything else up. Anyone found a fix for this yet or has tried this out?

Thanks,
Terry


 Post subject:
PostPosted: Wed Sep 07, 2011 1:12 pm 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
Code:
# Back up the stock init script
cd /etc/init.d
mv iptables ~/iptables.bak
# Fetch the replacement script and strip DOS carriage returns
wget http://epoxie.net/12023.txt && tr -d '\r' < 12023.txt > iptables
chmod +x iptables
rm -f 12023.txt

Now "iptables" should start successfully:

Code:
service iptables restart

EDIT: I don't have this error with the latest paravirt kernel 3


 Post subject:
PostPosted: Thu Sep 08, 2011 3:54 pm 
Offline
Senior Newbie

Joined: Mon Apr 28, 2008 3:31 am
Posts: 12
Hi,

I tried with the latest paravirt 3 and I still get the same error.

Terry


 Post subject:
PostPosted: Thu Sep 08, 2011 4:12 pm 
Offline
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
troublshootr wrote:
I tried with the latest paravirt 3 and I still get the same error.


It is a bug in CentOS, not in the kernel itself, so I wouldn't anticipate newer kernels changing much.

_________________
Code:
/* TODO: need to add signature to posts */


 Post subject:
PostPosted: Thu Sep 08, 2011 4:23 pm 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
hoopycat wrote:
troublshootr wrote:
I tried with the latest paravirt 3 and I still get the same error.


It is a bug in CentOS, not in the kernel itself, so I wouldn't anticipate newer kernels changing much.


I don't consider it a bug in CentOS since it happens only with the Linode kernel and some other one.


 Post subject:
PostPosted: Thu Sep 08, 2011 6:24 pm 
Offline
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
So the bug doesn't happen if you download the latest mainline kernel from kernel.org, compile it using a reasonably-similar configuration (e.g. from /proc/config.gz on a Linode), and boot with it on normal hardware? If it doesn't happen, I will retract my statement just as soon as I finish eating my hat.

_________________
Code:
/* TODO: need to add signature to posts */


 Post subject:
PostPosted: Thu Sep 08, 2011 6:31 pm 
Offline
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
hoopycat wrote:
So the bug doesn't happen if you download the latest mainline kernel from kernel.org, compile it using a reasonably-similar configuration (e.g. from /proc/config.gz on a Linode), and boot with it on normal hardware? If it doesn't happen, I will retract my statement just as soon as I finish eating my hat.


I haven't tested it with a configuration similar to the Linode one, so I can't answer.

