iptables or ip6tables services failed to start during booting in RHEL 7

Solution Verified


Environment

  • Red Hat Enterprise Linux 7 (RHEL 7).
  • iptables-services-1.4.21-18.el7.x86_64
  • iptables-1.4.21-18.el7.x86_64

Issue

  • iptables.service or ip6tables.service fails to start when both services are enabled in RHEL 7.

  • iptables.service or ip6tables.service shows the error:

     systemd[1]: Starting IPv6 firewall with ip6tables...
     ip6tables.init[546]: ip6tables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
     ip6tables.init[546]: [FAILED]
     systemd[1]: ip6tables.service: main process exited, code=exited, status=1/FAILURE
     systemd[1]: Failed to start IPv6 firewall with ip6tables.
     systemd[1]: Unit ip6tables.service entered failed state.
     systemd[1]: ip6tables.service failed.
    

Resolution

  • Update the iptables package to iptables-1.4.21-24.el7_4.x86_64, as provided by errata RHEA-2018:0715.

Root Cause

  • There was a known bug in the iptables-1.4.21-18.el7.x86_64 package. systemd started iptables.service and ip6tables.service in parallel, and because the xtables lock prevents concurrent rule updates, whichever service lost the race to the lock failed to start.

  • The errata update adds the --wait option to the iptables-restore and ip6tables-restore commands so that they wait until the lock is free, and the described problem no longer occurs.

Diagnostic Steps

  • Enable iptables.service and ip6tables.service in RHEL 7. Make sure that the firewalld.service is stopped and disabled!

    # systemctl enable iptables
    # systemctl enable ip6tables
    
    # systemctl status firewalld
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
       Active: inactive (dead)
    
    # rpm -qa | grep iptables
    iptables-services-1.4.21-18.el7.x86_64
    iptables-1.4.21-18.el7.x86_64
    
  • Now reboot the system and check the status of iptables.service and ip6tables.service:

    # systemctl status ip6tables
    ● ip6tables.service - IPv6 firewall with ip6tables
       Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Thu 2017-08-03 18:36:01 IST; 1min 32s ago
      Process: 546 ExecStart=/usr/libexec/iptables/ip6tables.init start (code=exited, status=1/FAILURE)
     Main PID: 546 (code=exited, status=1/FAILURE)
    
    Aug 03 18:36:01 HOSTNAME systemd[1]: Starting IPv6 firewall with ip6tables...
    Aug 03 18:36:01 HOSTNAME ip6tables.init[546]: ip6tables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
    Aug 03 18:36:01 HOSTNAME ip6tables.init[546]: [FAILED]
    Aug 03 18:36:01 HOSTNAME systemd[1]: ip6tables.service: main process exited, code=exited, status=1/FAILURE
    Aug 03 18:36:01 HOSTNAME systemd[1]: Failed to start IPv6 firewall with ip6tables.
    Aug 03 18:36:01 HOSTNAME systemd[1]: Unit ip6tables.service entered failed state.
    Aug 03 18:36:01 HOSTNAME systemd[1]: ip6tables.service failed.
    
    # systemctl status iptables
    ● iptables.service - IPv4 firewall with iptables
       Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Thu 2017-08-03 18:28:58 IST; 1min 53s ago
      Process: 549 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=1/FAILURE)
     Main PID: 549 (code=exited, status=1/FAILURE)
    
    Aug 03 18:28:58 HOSTNAME systemd[1]: Starting IPv4 firewall with iptables...
    Aug 03 18:28:58 HOSTNAME iptables.init[549]: iptables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
    Aug 03 18:28:58 HOSTNAME iptables.init[549]: [FAILED]
    Aug 03 18:28:58 HOSTNAME systemd[1]: iptables.service: main process exited, code=exited, status=1/FAILURE
    Aug 03 18:28:58 HOSTNAME systemd[1]: Failed to start IPv4 firewall with iptables.
    Aug 03 18:28:58 HOSTNAME systemd[1]: Unit iptables.service entered failed state.
    Aug 03 18:28:58 HOSTNAME systemd[1]: iptables.service failed.
    
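The check below automates the diagnosis described in the Root Cause and Diagnostic Steps sections. It is an added example and not part of this Red Hat solution: it assumes the fixed version-release from errata RHEA-2018:0715 (1.4.21-24.el7_4) and the journal message quoted in the Issue section, and the sample journal text embedded in it is constructed from those lines so the script runs offline. On a RHEL 7 host, run it with --live to inspect the installed package and the current boot's journal instead.

```shell
#!/bin/sh
# Added example (not Red Hat's code): classify an iptables/ip6tables start
# failure as the known xtables-lock race or as something else.
# Assumption: the errata fix is carried by version-release 1.4.21-24.el7_4.

FIXED_VR="1.4.21-24.el7_4"

# is_affected_version VERSION-RELEASE
# Exit 0 when the given iptables version-release is older than the errata fix,
# i.e. still starts iptables-restore without --wait. Relies on GNU sort -V
# for RPM-style natural ordering of the two strings.
is_affected_version() {
    vr="$1"
    oldest=$(printf '%s\n%s\n' "$vr" "$FIXED_VR" | sort -V | head -n 1)
    [ "$oldest" = "$vr" ] && [ "$vr" != "$FIXED_VR" ]
}

# has_lock_failure LOGTEXT
# Exit 0 when the log text contains the lock-contention failure that the
# init scripts print when another xtables user holds the lock.
has_lock_failure() {
    printf '%s\n' "$1" | grep -q 'Another app is currently holding the xtables lock'
}

# diagnose VERSION-RELEASE LOGTEXT
# Prints one of:
#   affected                     - lock failure seen on a pre-fix package
#   lock-contention-other-cause  - lock failure seen, but the package already
#                                  carries --wait, so another process held the lock
#   clean                        - no lock failure in the log
diagnose() {
    vr="$1"
    log="$2"
    if has_lock_failure "$log"; then
        if is_affected_version "$vr"; then
            echo "affected"
        else
            echo "lock-contention-other-cause"
        fi
    else
        echo "clean"
    fi
}

# Constructed sample, taken from the journal lines quoted in the Issue section.
SAMPLE_LOG='Aug 03 18:36:01 HOSTNAME systemd[1]: Starting IPv6 firewall with ip6tables...
Aug 03 18:36:01 HOSTNAME ip6tables.init[546]: ip6tables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Aug 03 18:36:01 HOSTNAME ip6tables.init[546]: [FAILED]
Aug 03 18:36:01 HOSTNAME systemd[1]: Failed to start IPv6 firewall with ip6tables.'

if [ "${1:-}" = "--live" ]; then
    # Real host: query the installed package and this boot's journal for both units.
    diagnose "$(rpm -q --qf '%{VERSION}-%{RELEASE}' iptables)" \
             "$(journalctl -b -u iptables -u ip6tables --no-pager)"
else
    # Offline demonstration against the constructed sample.
    diagnose "1.4.21-18.el7" "$SAMPLE_LOG"   # prints: affected
fi
```

The "lock-contention-other-cause" result is the case worth keeping in mind after the update: the same journal message can still appear on a fixed package if some other tool holds the xtables lock for longer than the init script is prepared to wait, which points at a different problem than the one this solution covers.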
