When IPv6 is disabled firewalld shows error "UNKNOWN_ERROR: 'ip6tables' backend does not exist" and all iptables rules are empty


Issue

  • systemd reports the firewalld service as active (running), but the service log shows errors:

    # systemctl status firewalld --lines 50 -l
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
       Active: active (running) since Wed 2019-08-21 10:35:40 CEST; 3min 16s ago
         Docs: man:firewalld(1)
     Main PID: 2921 (firewalld)
       CGroup: /system.slice/firewalld.service
               └─2921 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
    
    Aug 21 10:35:39 localhost systemd[1]: Starting firewalld - dynamic firewall daemon...
    Aug 21 10:35:40 localhost systemd[1]: Started firewalld - dynamic firewall daemon.
    Aug 21 10:35:42 localhost firewalld[2921]: WARNING: ip6tables not usable, disabling IPv6 firewall.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: COMMAND_FAILED: UNKNOWN_ERROR: 'ip6tables' backend does not exist
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: UNKNOWN_INTERFACE: 'eth1' is not in any zone
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: UNKNOWN_INTERFACE: 'eth1' is not in any zone
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: UNKNOWN_INTERFACE: 'eth1' is not in any zone
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:42 localhost firewalld[2921]: ERROR: UNKNOWN_INTERFACE: 'eth1' is not in any zone
    Aug 21 10:35:43 localhost firewalld[2921]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:43 localhost firewalld[2921]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain
    
                                     Error occurred at line: 2
                                     Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Aug 21 10:35:43 localhost firewalld[2921]: ERROR: UNKNOWN_INTERFACE: 'eth1' is not in any zone
    
  • iptables output shows there are no rules in place even though the firewalld service is listed as running by systemd:

    # iptables -nvxL
    Chain INPUT (policy ACCEPT 346 packets, 27484 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 212 packets, 68927 bytes)
        pkts      bytes target     prot opt in     out     source               destination
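
The two symptoms above add up to a fail-open firewall: the unit is active, yet every built-in chain has policy ACCEPT and no rules. The following check is an added example, not part of the original article or of firewalld; the function names and verdict strings are assumptions made for illustration, and the sample input is constructed from the output shown above.

```bash
#!/bin/sh
# Added example: flag "firewalld active, ruleset empty" (fail-open).

# Exit 0 when `iptables -nvxL` text on stdin has only built-in chains,
# every policy is ACCEPT, and there are no rule lines.
ruleset_is_empty() {
  awk '
    /^Chain /      { if ($3 != "(policy" || $4 !~ /^ACCEPT\)?$/) guarded = 1; next }
    /^[ \t]*pkts / { next }          # column header
    /^[ \t]*$/     { next }          # blank separator
                   { guarded = 1 }   # anything else is a rule
    END            { exit guarded ? 1 : 0 }
  '
}

# Print how many firewalld backend/rule-load errors the journal text holds.
count_backend_errors() {
  grep -Ec 'firewalld\[[0-9]+\]: ERROR: (COMMAND_FAILED|UNKNOWN_ERROR):' || true
}

# $1 = unit state, $2 = iptables -nvxL output, $3 = journal text
firewall_verdict() {
  errs=$(printf '%s\n' "$3" | count_backend_errors)
  if [ "$1" != "active" ]; then
    echo "DOWN"
  elif printf '%s\n' "$2" | ruleset_is_empty; then
    echo "FAIL-OPEN errors=$errs"
  elif [ "$errs" -gt 0 ]; then
    echo "DEGRADED errors=$errs"
  else
    echo "OK"
  fi
}

# Sample input, constructed from the output shown above.
SAMPLE_RULES='Chain INPUT (policy ACCEPT 346 packets, 27484 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 212 packets, 68927 bytes)
    pkts      bytes target     prot opt in     out     source               destination'
SAMPLE_JOURNAL="Aug 21 10:35:42 localhost firewalld[2921]: ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
Aug 21 10:35:42 localhost firewalld[2921]: ERROR: COMMAND_FAILED: UNKNOWN_ERROR: 'ip6tables' backend does not exist"

firewall_verdict active "$SAMPLE_RULES" "$SAMPLE_JOURNAL"
# Live use (as root):
#   firewall_verdict "$(systemctl is-active firewalld)" "$(iptables -nvxL)" \
#     "$(journalctl -u firewalld -b --no-pager)"
```

A monitoring probe that only checks `systemctl is-active firewalld` would report this host as healthy; the check compares the unit state against the loaded ruleset instead.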
    

Environment

  • Red Hat Enterprise Linux 7
  • firewalld-0.6.3-2.el7
