Iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)

Question

I'm trying to set iptable rules, and I got following error message when I use iptable :

iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I'm using :

cat /etc/debian_version 
7.4

uname -a
Linux myserver 2.6.32-22-pve #1 SMP Mon Jul 15 08:36:46 CEST 2013 x86_64 GNU/Linux

uname -r
2.6.32-22-pve

This is a virtual server hosted by a service provider.

What can I do to solve this?

Answer 1

I had the same problem and this worked:

sudo modprobe ip_tables
sudo echo 'ip_tables' >> /etc/modules

http://www.howtoforge.com/forums/showthread.php?t=3196

Answer 2

I had the same problem with Debian 8. I fixed it by restarting the system. It seems that the error can occur if the kernel image was updated and the system was not restarted thereafter.

Answer 3

It maybe useful to add that if you're seeing this error message and you're not using some kind of restricted container based hosting (e.g. OpenVZ) then the problem maybe that the kernel is missing the nat modules. To check run:

modinfo iptable_nat

Which should print out the location of the module, if it prints an ERROR then you know that is your problem. There are also dependent modules like nf_nat which might be missing so you'll have to dig deeper if the iptable_nat module is there but fails. If it is missing you'll need to get another kernel and modules, or if you're rolling your own ensure that the kernel config contains CONFIG_IP_NF_NAT=m (for IPv4 NAT).

For info the relevant kernel module is usually found in one of these locations:

ls /lib/modules/`uname -r`/kernel/net/netfilter/
ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/

And if you're running IPv6 also look here:

ls /lib/modules/`uname -r`/kernel/net/ipv6/netfilter/

Answer 4

Finaly, my service provider answered :

This is a limitation of the virtualization system we use (OpenVZ), basic iptables rules are possible but not those who use the nat table.

If this really is a problem, we can offer you to migrate to a other system virtualization (KVM) as we begin to offer our customers.

SO I had to migrate my server to the new system...

Answer 5

Short version :

run iptables on the host before to run it in the virtual server (I'm pretty sure this is some sort of LXC or OpenVZ container here).

Long version :

The problem is due to the fact that the ip_table module is loaded on demand. So, after a reboot, on any machine that does not have any iptables rules loaded at boot time, the ip_tables module is not loaded (no demand for the modules == the module is not loaded). Consequently, the LXC or OpenVZ containers cannot use iptables (since they share the host kernel but cannot modify which modules are loaded) until the host has somehow loaded the ip_tables module.

Answer 6

iptalbes tool relies on a kernel module interacting with netfilter to control network traffic.

This error happens while iptalbes cannot found that module in kernel, so iptables suggest you to upgrade it :)

Perhaps iptables or your kernel needs to be upgraded.

However in most cases it's just the module not added to kernel or being banned, try this command to check whether be banned:

cd /etc/modprobe.d/ && grep -nr iptable_nat

if the command shows any rule matched, such as blacklist iptable_nat or install iptable_nat /bin/true, delete it. Since iptalbes will cost some performance, it's not strange to ban it while not necessary.

If nothing found in blacklist, try add iptable-nat to the kernal manual:

modprobe iptable-nat

If all of above not works, you can consider really upgrade your kernal...

Answer 7

The table names are case-sensitive so you should use lower-case nat instead of upper-case NAT. For example;

iptables -t nat -A POSTROUTING -s 192.168.1.1/24 -o eth0 -j MASQUERADE

Answer 8

"IP conntrack functionality has some negative impact on venet performance (uo to about 10%), so they better be disabled by default." It's need for nat

https://serverfault.com/questions/593263/iptables-nat-does-not-exist

Answer 9

That solution from the official wiki:

vzctl set $CTID --netfilter full --save

https://openvz.org/VPN_via_the_TUN/TAP_device#Troubleshooting

Answer 10

On OpenSUSE 15.3 systemd log reported this error (insmod suggestion was unhelpful).

Feb 18 08:36:38 vagrant-openSUSE-Leap dockerd[20635]: iptables v1.6.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)

REBOOT fixed the problem

Answer 11

If you are running puppet it may set /proc/sys/kernel/modules_disabled to 1, inhibiting further module loading. When the machine is reboot, it gets set back to 0, allowing for changes, such as loading the iptables modules. After a certain amount of time puppet will set it back to 1 to protect the system from kernel root kits. Therefore, whatever modules that we are going to need should be loaded during or shortly after boot time.

Answer 12

Please make sure that you have set IP_NF_NAT [=y] when compiling the Linux kernel.

Answer 13

check if tun/tap enabled:

cat /dev/net/tun

if ok will see something :

cat: /dev/net/tun: File descriptor in bad state

Answer 14

uname -av;
sudo apt install --reinstall (output from uname -av)