iptables or ip6tables services failed to start during booting in RHEL 7

Solution Verified

Environment

  • Red Hat Enterprise Linux 7 (RHEL 7).
  • iptables-services-1.4.21-18.el7.x86_64
  • iptables-1.4.21-18.el7.x86_64

Issue

  • iptables.service or ip6tables.service fails when both services are enabled in RHEL 7.

  • iptables.service or ip6tables.service shows the error:

     systemd[1]: Starting IPv6 firewall with ip6tables...
     ip6tables.init[546]: ip6tables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
     ip6tables.init[546]: [FAILED]
     systemd[1]: ip6tables.service: main process exited, code=exited, status=1/FAILURE
     systemd[1]: Failed to start IPv6 firewall with ip6tables.
     systemd[1]: Unit ip6tables.service entered failed state.
     systemd[1]: ip6tables.service failed.
    

Resolution

  • Update the iptables package to iptables-1.4.21-24.el7_4.x86_64, as mentioned in errata RHEA-2018:0715.

Root Cause

  • There was a known bug in the iptables-1.4.21-18.el7.x86_64 package. systemd started the iptables and ip6tables services in parallel, and because the xtables lock prevents concurrent rule updates, whichever service lost the race for the lock failed to start.

  • The errata update adds the --wait option to the iptables-restore and ip6tables-restore commands so that they wait until the lock becomes free; the described problem then no longer occurs.

Diagnostic Steps

  • Enable iptables.service and ip6tables.service in RHEL 7. Make sure that firewalld.service is stopped and disabled!

    # systemctl enable iptables
    # systemctl enable ip6tables
    
    # systemctl status firewalld
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
       Active: inactive (dead)
    
    # rpm -qa | grep iptables
    iptables-services-1.4.21-18.el7.x86_64
    iptables-1.4.21-18.el7.x86_64
    
  • Now reboot the system and check the status of iptables.service and ip6tables.service:

    # systemctl status ip6tables
    ● ip6tables.service - IPv6 firewall with ip6tables
       Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Thu 2017-08-03 18:36:01 IST; 1min 32s ago
      Process: 546 ExecStart=/usr/libexec/iptables/ip6tables.init start (code=exited, status=1/FAILURE)
     Main PID: 546 (code=exited, status=1/FAILURE)
    
    Aug 03 18:36:01 HOSTNAME systemd[1]: Starting IPv6 firewall with ip6tables...
    Aug 03 18:36:01 HOSTNAME ip6tables.init[546]: ip6tables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
    Aug 03 18:36:01 HOSTNAME ip6tables.init[546]: [FAILED]
    Aug 03 18:36:01 HOSTNAME systemd[1]: ip6tables.service: main process exited, code=exited, status=1/FAILURE
    Aug 03 18:36:01 HOSTNAME systemd[1]: Failed to start IPv6 firewall with ip6tables.
    Aug 03 18:36:01 HOSTNAME systemd[1]: Unit ip6tables.service entered failed state.
    Aug 03 18:36:01 HOSTNAME systemd[1]: ip6tables.service failed.
    
    # systemctl status iptables
    ● iptables.service - IPv4 firewall with iptables
       Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Thu 2017-08-03 18:28:58 IST; 1min 53s ago
      Process: 549 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=1/FAILURE)
     Main PID: 549 (code=exited, status=1/FAILURE)
    
    Aug 03 18:28:58 HOSTNAME systemd[1]: Starting IPv4 firewall with iptables...
    Aug 03 18:28:58 HOSTNAME iptables.init[549]: iptables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
    Aug 03 18:28:58 HOSTNAME iptables.init[549]: [FAILED]
    Aug 03 18:28:58 HOSTNAME systemd[1]: iptables.service: main process exited, code=exited, status=1/FAILURE
    Aug 03 18:28:58 HOSTNAME systemd[1]: Failed to start IPv4 firewall with iptables.
    Aug 03 18:28:58 HOSTNAME systemd[1]: Unit iptables.service entered failed state.
    Aug 03 18:28:58 HOSTNAME systemd[1]: iptables.service failed.
    
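The following shell helpers are an added example (not code from this article or from the iptables package) for triaging this failure offline: they flag an installed iptables NVRA older than the fixed version named in the Resolution, pick the unit that lost the xtables-lock race out of journal-style lines, and check a unit file or drop-in for the After=iptables.service ordering proposed in the comments. They assume GNU sort -V and sed -E; the log lines are constructed sample input.

```shell
#!/bin/sh
# Added triage helpers for the xtables-lock race described in this article
# (example code, not from the article or the iptables package). Assumes GNU
# sort -V and sed -E; the log lines below are constructed sample input.

# Fixed version named in the Resolution section.
FIXED_VR="1.4.21-24.el7_4"

# vr_from_nvra: "iptables-1.4.21-18.el7.x86_64" -> "1.4.21-18.el7"
vr_from_nvra() {
    printf '%s\n' "$1" | sed -E 's/^iptables(-services)?-//; s/\.(x86_64|i686|noarch)$//'
}

# is_affected NVRA: prints "yes" when the package is older than FIXED_VR.
# sort -V is an approximation of rpm ordering; rpmdev-vercmp is the exact tool.
is_affected() {
    vr=$(vr_from_nvra "$1")
    lowest=$(printf '%s\n%s\n' "$vr" "$FIXED_VR" | sort -V | head -n 1)
    if [ "$vr" != "$FIXED_VR" ] && [ "$lowest" = "$vr" ]; then
        echo yes
    else
        echo no
    fi
}

# lock_failures: reads journal-style lines on stdin and prints the unit(s)
# whose init script hit "Another app is currently holding the xtables lock".
lock_failures() {
    grep 'holding the xtables lock' \
        | sed -nE 's/.*[[:space:]](ip6?tables)\.init\[[0-9]+\]:.*/\1.service/p' \
        | sort -u
}

# has_after_iptables FILE: "yes" if a unit file or drop-in carries the
# After=iptables.service ordering proposed in the comments as a workaround.
has_after_iptables() {
    grep -qE '^After=(.*[[:space:]])?iptables\.service' "$1" 2>/dev/null && echo yes || echo no
}

# Constructed sample: ip6tables lost the race on this boot, iptables did not.
SAMPLE_LOG='Aug 03 18:36:01 HOSTNAME systemd[1]: Starting IPv6 firewall with ip6tables...
Aug 03 18:36:01 HOSTNAME ip6tables.init[546]: ip6tables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Aug 03 18:36:01 HOSTNAME ip6tables.init[546]: [FAILED]
Aug 03 18:36:01 HOSTNAME iptables.init[549]: iptables: Applying firewall rules: [  OK  ]'

printf 'affected: %s\n' "$(is_affected iptables-1.4.21-18.el7.x86_64)"
printf 'lock failures: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | lock_failures)"
```

On a live host, feed `journalctl -b -u iptables -u ip6tables` into lock_failures and `rpm -q iptables` into is_affected.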

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

5 Comments

We are trying this workaround: Copy the ip6tables.service unit file to /etc/systemd/system, and add "After=iptables.service" to the Unit section.

Instead of copying the entire unit file, you can also create and place a file in "/etc/systemd/system/ip6tables.service.d" with just the extra:

# /etc/systemd/system/ip6tables.service.d/after-iptables.conf
[Unit]
After=iptables.service

Hi AJ,

I have updated the article!

Thanks

I don't agree with the iptables-save workaround. This will overwrite any saved firewall configuration with the currently loaded config. Considering it is a randomisation as to whether iptables.service or ip6tables.service fails, trying to do a workaround based on only iptables (ipv4) won't work.

The correct solution is present in the errata, or via the workaround using 'systemctl edit ip6tables.service' and adding the After text as specified in other comments here.

Hi Steven, you can update the iptables package to iptables-1.4.21-18.2.el7_4.x86_64 to resolve the issue, as mentioned in the article. I have updated the article.