iptables fails to start in a minimal installation of Red Hat Enterprise Linux 6.6 and later versions.


Environment

  • Red Hat Enterprise Linux (RHEL) 6.6.
  • Red Hat Enterprise Linux (RHEL) 6.7.
  • Red Hat Enterprise Linux (RHEL) 6.8.
  • Red Hat Enterprise Linux (RHEL) 6.9.
  • iptables.

Issue

  • iptables.service is not running in minimal installation of RHEL 6.6 and above.
  • The /etc/sysconfig/iptables file is not present by default.
  • Firewall is not running.

    # service iptables status
    iptables: Firewall is not running.
    

Resolution

  • This is a known issue in minimal installation of RHEL 6.6 and above versions.
  • This issue needs to be addressed via the kickstart %packages section.
  • The authconfig and system-config-firewall-base packages were installed by default up to Red Hat Enterprise Linux 6.5, but this behaviour changed in Red Hat Enterprise Linux 6.6.
  • A workaround is described below.

To work around the issue, follow these steps:

  • Verify that iptables.service is enabled on boot; if it is not, enable the service:

    # chkconfig iptables on
    
    # chkconfig iptables --list
    iptables         0:off   1:off   2:off   3:on    4:on    5:on    6:off
    
  • Load the iptables kernel modules by running the iptables -L command:

    # iptables -L 
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination 
    
  • Ensure that the iptables modules are loaded:

    # lsmod | grep table
    Module             Size      Used by
    iptable_filter     2993        0
    ip_tables          17831       1 iptable_filter
    
  • Create the /etc/sysconfig/iptables file by saving the current rules:

    # service iptables save
    iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
    
  • Verify that iptables.service is running:

    # service iptables status
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination 
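
As an added example (not part of the Red Hat article), the following POSIX shell script automates the checks and the workaround above: the parsing functions take captured chkconfig and lsmod output as arguments so they can be exercised on any host, and remediate() is the step sequence to run as root on an affected RHEL 6 system.

```shell
#!/bin/sh
# Added example, not from the Red Hat solution. Functions that parse command
# output take that output as $1 so they can be tested against captured text.

# Return 0 if iptables is "on" in runlevels 3, 4 and 5 of `chkconfig --list iptables` output.
iptables_enabled_on_boot() {
    printf '%s\n' "$1" | awk '
        $1 == "iptables" {
            seen = 1
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] ~ /^[345]$/ && kv[2] != "on") bad = 1
            }
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Return 0 if both ip_tables and iptable_filter appear in `lsmod` output.
iptables_modules_loaded() {
    printf '%s\n' "$1" | awk '
        $1 == "ip_tables"      { a = 1 }
        $1 == "iptable_filter" { b = 1 }
        END { if (a && b) exit 0; exit 1 }'
}

# Return 0 if the saved-rules file exists and is non-empty (path overridable for testing).
rules_file_present() {
    [ -s "${1:-/etc/sysconfig/iptables}" ]
}

# Live remediation on a RHEL 6 host (run as root); mirrors the workaround steps above.
remediate() {
    iptables_enabled_on_boot "$(chkconfig --list iptables 2>/dev/null)" || chkconfig iptables on
    iptables -L >/dev/null   # loads ip_tables and iptable_filter as a side effect
    iptables_modules_loaded "$(lsmod)" || { echo "iptables modules not loaded" >&2; return 1; }
    rules_file_present || service iptables save   # creates /etc/sysconfig/iptables
    service iptables status
}
```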
    

Root Cause

  • The /etc/sysconfig/iptables file is not created by default in a minimal installation of RHEL 6.6 and above, so iptables.service fails to start. This issue needs to be addressed via the kickstart %packages section. The minimal package set is deliberately kept very small because it is used as part of RHEL certification processes such as FIPS, among others.

  • The Minimal package set may appear to be missing packages, but this is intentional. The Minimal package set cannot be altered, and additional packages cannot be flagged automatically for inclusion once the user has selected Minimal. The workaround during installation is to use kickstart and install the additional packages needed through the %packages section.

Diagnostic Steps

  • Start iptables.service:

    # service iptables start
    iptables: No config file.                                  [WARNING]
    
  • Check whether the iptables modules are loaded:

    # lsmod | grep iptable
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

2 Comments

This is being tracked as a potential security issue in Bugzilla 1161682.

This issue is also hitting in minimal installations of RHEL 6.7 and RHEL 6.8 as well.