When IPv6 is disabled firewalld shows error "UNKNOWN_ERROR: 'ip6tables' backend does not exist" and all iptables rules are empty

Solution Verified - Updated -

Issue

  • systemd reports the firewalld service as active (running), but the service log shows errors:

    # systemctl status firewalld --lines 50 -l
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
       Active: active (running) since Wed 2019-08-21 10:35:40 CEST; 3min 16s ago
         Docs: man:firewalld(1)
     Main PID: 2921 (firewalld)
       CGroup: /system.slice/firewalld.service
               └─2921 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
    
    Aug 21 10:35:39 localhost systemd[1]: Starting firewalld - dynamic firewall daemon...
    Aug 21 10:35:40 localhost systemd[1]: Started firewalld - dynamic firewall daemon.
    Aug 21 10:35:42 localhost firewalld[2921]: WARNING: ip6tables not usable, disabling IPv6 firewall.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: COMMAND_FAILED: UNKNOWN_ERROR: 'ip6tables' backend does not exist
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: UNKNOWN_INTERFACE: 'eth1' is not in any zone
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: UNKNOWN_INTERFACE: 'eth1' is not in any zone
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: UNKNOWN_INTERFACE: 'eth1' is not in any zone
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: UNKNOWN_INTERFACE: 'eth1' is not in any zone
    Aug 21 10:35:43 localhost firewalld[2921]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:43 localhost firewalld[2921]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:43 localhost firewalld[2921]: ERROR: UNKNOWN_INTERFACE: 'eth1' is not in any zone
    
  • iptables output shows there are no rules in place even though the firewalld service is listed as running by systemd:

    # iptables -nvxL
    Chain INPUT (policy ACCEPT 346 packets, 27484 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 212 packets, 68927 bytes)
        pkts      bytes target     prot opt in     out     source               destination
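
The two symptoms above together mean the host is running with no packet filtering while service monitoring reports firewalld as healthy. The following check is an added example, not Red Hat's or firewalld's own code. It flags that state by inspecting the loaded ruleset and the journal instead of the unit state alone. The function names are hypothetical, and the sample data is copied (trimmed) from the output shown above.

```shell
#!/bin/sh
# Added example: detect "firewalld active, but no packet filter loaded".

# Sample data copied (trimmed) from the output shown in this article.
SAMPLE_LOG="Aug 21 10:35:42 localhost firewalld[2921]: WARNING: ip6tables not usable, disabling IPv6 firewall.
Aug 21 10:35:42 localhost firewalld[2921]: ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
Aug 21 10:35:42 localhost firewalld[2921]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
Aug 21 10:35:42 localhost firewalld[2921]: ERROR: UNKNOWN_INTERFACE: 'eth1' is not in any zone"
SAMPLE_RULES="Chain INPUT (policy ACCEPT 346 packets, 27484 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 212 packets, 68927 bytes)
    pkts      bytes target     prot opt in     out     source               destination"

# Count firewalld ERROR lines about a missing backend or a failed iptables-restore (stdin: journal text).
count_backend_errors() {
    grep -E 'firewalld\[[0-9]+\]: ERROR: .*(backend does not exist|iptables-restore.*failed)' | wc -l | tr -d ' '
}

# Exit 0 when `iptables -nvxL` output (stdin) has only ACCEPT-policy built-in chains and no rules.
ruleset_is_empty() {
    awk '
        /^Chain / { seen = 1; if ($3 != "(policy" || $4 != "ACCEPT") filtered = 1; next }
        NF == 0 || $1 == "pkts" { next }   # blank line or column header
        { filtered = 1 }                   # anything else is a rule
        END { exit (seen && !filtered) ? 0 : 1 }
    '
}

# Exit 0 (fail-open) when the unit is active yet no filtering is loaded.
# $1: output of `systemctl is-active firewalld`, $2: output of `iptables -nvxL`.
firewalld_fail_open() {
    [ "$1" = "active" ] && printf '%s\n' "$2" | ruleset_is_empty
}

# Live use on a host (run as root):
#   firewalld_fail_open "$(systemctl is-active firewalld)" "$(iptables -nvxL)" && echo "ALERT: no rules loaded"
#   journalctl -u firewalld -b --no-pager | count_backend_errors
if firewalld_fail_open active "$SAMPLE_RULES"; then
    echo "fail-open: firewalld active, ruleset empty, $(printf '%s\n' "$SAMPLE_LOG" | count_backend_errors) backend errors logged"
fi
```

A user-defined chain such as `FWDI_public`, a non-ACCEPT policy, or any rule line makes `ruleset_is_empty` return non-zero, so a correctly loaded firewalld ruleset does not trigger the alert.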
    

Environment

  • Red Hat Enterprise Linux 7
  • firewalld-0.6.3-2.el7
