Why ipset module fails to load with iptables service during boot or when restarting the iptables service in RHEL 6?
Environment
- Red Hat Enterprise Linux (RHEL) 6
- ipset.
- iptables.
Issue
ipset
module not loaded on system boot.iptables
is failing to start with error "Kernel module ip_set is not loaded in."
# /etc/init.d/iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: iptables-restore v1.4.7: Kernel module ip_set is not loaded in.
[FAILED]
Resolution
-
It is an expected behaviour for the
iptables
service to fail when an undefinedipset
is used withiptables
rules. -
If
ipset
is used make sure thatetc/sysconfig/ipset
is not empty. But Ifipset
is not used then remove the--match set
option in theiptables
rules.
Root Cause
The use of an undefined ipset
in the iptables
rule set is an issue, which prevents to apply the rule set. The failure intends to warn/alert admins about blank rule sets. Every error in the rule set has this effect. This is expected behaviour.
Diagnostic Steps
-
Create an
ipset with no set rules defined and use in the
iptables` rule:-
Create a rule set with
ipset
:# ipset create ip-blacklist hash:ip timeout 7200 # ipset list Name: ip-blacklist Type: hash:ip
-
Add the rule set with
--match-set
option iniptables
:# iptables -I INPUT 4 -m set --match-set ip-blacklist src -p tcp --dport 80 -j REJECT # iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 552 52734 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set ip-blacklist src tcp dpt:80 reject-with icmp-port-unreachable 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
-
Save the
iptables
rule:# service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ] # service iptables restart iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Flushing firewall rules: [ OK ] iptables: Unloading modules: [ OK ] iptables: Applying firewall rules: [ OK ]
-
After reboot the
iptables
fails to start and manual restart yields following error:iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Flushing firewall rules: [ OK ] iptables: Unloading modules: [ OK ] iptables: Applying firewall rules: iptables-restore v1.4.7: Kernel module ip_set is not loaded in. [FAILED] # service iptables status Table: filter Chain INPUT (policy ACCEPT) num target prot opt source destination Chain FORWARD (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination
-
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments