Command: " iptable -L " is not working

[odoland]

1. Error message when running iptables -L Suggests "kernel needs to be upgraded"

Description/Terminal output & to replicate:

$iptables -L
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded

Next, I checked for iptable_nat:

~$ modinfo iptable_nat
libkmod: ERROR ../libkmod/libkmod.c:556 kmod_search_moddep: could not open moddep file '/lib/modules/3.4.0+/modules.dep.bin'
modinfo: ERROR: Module alias iptable_nat not found.

Tried to depmod:

depmod
depmod: ERROR: could not open directory /lib/modules/3.4.0+: No such file or directory
depmod: FATAL: could not search modules: No such file or directory

3. Windows build:
   Microsoft Windows [Version 10.0.14393]

4. strace of failing command

labyu@DESKTOP-U037B9F:~$ strace iptables -L
execve("/sbin/iptables", ["iptables", "-L"], [/* 15 vars */]) = 0
brk(0)                                  = 0x17a2000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f464c700000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=18732, ...}) = 0
mmap(NULL, 18732, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f464c702000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libip4tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\26\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=27392, ...}) = 0
mmap(NULL, 2122536, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f464c1f0000
mprotect(0x7f464c1f6000, 2093056, PROT_NONE) = 0
mmap(0x7f464c3f5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f464c3f5000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libip6tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\27\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=31520, ...}) = 0
mmap(NULL, 2126664, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f464bfe0000
mprotect(0x7f464bfe6000, 2097152, PROT_NONE) = 0
mmap(0x7f464c1e6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f464c1e6000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libxtables.so.10", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20/\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=47712, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f464c6f0000
mmap(NULL, 2144696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f464bdd0000
mprotect(0x7f464bddb000, 2093056, PROT_NONE) = 0
mmap(0x7f464bfda000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7f464bfda000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\37\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1840928, ...}) = 0
mmap(NULL, 3949248, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f464ba00000
mprotect(0x7f464bbbb000, 2093056, PROT_NONE) = 0
mmap(0x7f464bdba000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ba000) = 0x7f464bdba000
mmap(0x7f464bdc0000, 17088, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f464bdc0000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\16\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14664, ...}) = 0
mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f464b7f0000
mprotect(0x7f464b7f3000, 2093056, PROT_NONE) = 0
mmap(0x7f464b9f2000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f464b9f2000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f464c6e0000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f464c6d0000
arch_prctl(ARCH_SET_FS, 0x7f464c6d0740) = 0
mprotect(0x7f464bdba000, 16384, PROT_READ) = 0
mprotect(0x7f464b9f2000, 4096, PROT_READ) = 0
mprotect(0x7f464bfda000, 4096, PROT_READ) = 0
mprotect(0x7f464c1e6000, 4096, PROT_READ) = 0
mprotect(0x7f464c3f5000, 4096, PROT_READ) = 0
mprotect(0x613000, 4096, PROT_READ)     = 0
mprotect(0x7f464c622000, 4096, PROT_READ) = 0
munmap(0x7f464c702000, 18732)           = 0
socket(PF_LOCAL, SOCK_STREAM, 0)        = 3
bind(3, {sa_family=AF_LOCAL, sun_path=@"xtables"}, 10) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = -1 EPERM (Operation not permitted)
lstat("/proc/net/ip_tables_names", 0x7fffed698ab0) = -1 ENOENT (No such file or directory)
open("/proc/sys/kernel/modprobe", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "iptables v1.4.21: ", 18iptables v1.4.21: )      = 18
write(2, "can't initialize iptables table "..., 87can't initialize iptables table `filter': Table does not exist (do you need to insmod?)) = 87
write(2, "\n", 1
)                       = 1
write(2, "Perhaps iptables or your kernel "..., 54Perhaps iptables or your kernel needs to be upgraded.
) = 54
exit_group(3)                           = ?
+++ exited with 3 +++

[stehufntdev]

Thanks for reporting the issue. WSL does not currently support the kernel interfaces Linux iptables. Please give us feedback on the user voice page so we can prioritize the scenario - https://wpdev.uservoice.com/forums/266908-command-prompt-console-bash-on-ubuntu-on-windo.

[odoland]

Here is the user voice page for supporting iptables, ifconfig and others!

https://wpdev.uservoice.com/forums/266908-command-prompt-console-bash-on-ubuntu-on-windo/suggestions/15202875-would-you-like-to-support-ifconfig-iw-iwconfig-t

[iz0eyj]

I think that WSL still need alot of work on network

[sunilmut]

The original use voice page referred to in this post was for ifconfig. If you would like to see better support for Linux iptables in WSL, please open a new issue.

[ghost]

Just confirming this is still an issue.

Edit: Have submitted it on Uservoice -> https://wpdev.uservoice.com/forums/266908-command-prompt-console-bash-on-ubuntu-on-windo/suggestions/32025199-support-iptables

[Brian-Perkins]

In FCU there is mostly stubbed iptables support (i.e. most things you try to do with it probably won't work). The problem with iptables -L is that it tries to open a RAW socket, which currently requires running elevated as well as root/sudo inside of WSL.

socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = -1 EPERM (Operation not permitted)

[tara-raj]

To use iptables -L you need to run sudo and an elevated instance. We currently have support for portions of iptable, but not all option flags. Please upvote the user voice ask for additional iptable support.

[WSLUser]

To use iptables -L you need to run sudo and an elevated instance. We currently have support for portions of iptable, but not all option flags.

@tara-raj Could you list what iptable options are available? Looking forward to seeing it fully implemented!

[fruch]

seems like --jump -j isn't working.

root@LAPTOP-T8AF0OPL:~/compose# iptables --wait -t nat -I POSTROUTING -s 172.18.0.0/16 ! -o br-edc3bcc66c59 -j MASQUERADE
iptables: No chain/target/match by that name.

[WSLUser]

@therealkenc Since native nmap now works, can you see if more iptables option flags work for you as well?

[therealkenc]

Wouldn't help. Mucking with iptables (filter rules, nat, and the like) is very different surface than doing a port scan.

[jianchengwang]

docker service cant start in wsl, i dont know if or not this key to cause.here is my failed msg
failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed: iptables -t nat -N DOCKER: iptables v1.8.2 (legacy): can't initialize iptables table nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
(exit status 3)
`

[leonardo-machado]

docker service cant start in wsl, i dont know if or not this key to cause.here is my failed msg
failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed: iptables -t nat -N DOCKER: iptables v1.8.2 (legacy): can't initialize iptables table nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
(exit status 3)
`

I have the same problem!

[reduardo7]

/reopen

[13567436138]

is iptables ok now

[13567436138]

/reopen

[fsackur]

@jianchengwang

This suggests that you can get it working with an old version of docker (17.09):

https://medium.com/faun/docker-running-seamlessly-in-windows-subsystem-linux-6ef8412377aa

@leonardo-machado It's not actually helpful to comment just to say "me too" - instead, add a +1 to the existing comment, as others have done. You can do that by clicking on the thumbs-up emoji.

[FireGhost]

docker service cant start in wsl, i dont know if or not this key to cause.here is my failed msg
failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed: iptables -t nat -N DOCKER: iptables v1.8.2 (legacy): can't initialize iptables table nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
(exit status 3)
`

I have the same problem!

You can set in your /etc/docker/daemon.json file:

{
  "iptables":false
}

Then restart the service 👌

[noramb]

@Filipdominik , that request is obsolete. WSL2 is already available on the Insiders builds and supports iptables, ifconfig, etc etc.

Funny, cause it definitely still doesn't work on Ubuntu 16.04 WSL2 date 3.25.2020. Could you please clarify how to fix this issue?

[therealkenc]

The OP was:

$iptables -L
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded

On WSL2:

This submission was tagged fixed-in-wsl2 because the OP fail no longer manifests in WSL2. If there are "aint working" scenarios, folks should feel encouraged to submit a new issue under a new cover, following the template (in particular copy-and-pasteable repro steps).

Keep in mind that you are operating on a virtual network in a VM, which is not the same as operating on your Windows network. Because WSL2 is a Real Linux Kernel, identifying an actual diverge from Linux behavior might be more difficult than it appears. Or it might not, no prejudice. Bonne chance.

[celinhoBruxo]

docker service cant start in wsl, i dont know if or not this key to cause.here is my failed msg
failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed: iptables -t nat -N DOCKER: iptables v1.8.2 (legacy): can't initialize iptables table nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
(exit status 3)
`

I have the same problem!

Try you start the Ubuntu on Windows as Administrator.

[ngfchristian]

This is still an issue. does that mean that we cannot WSL?

[cypherstream]

Still an issue in WSL2 - Ubuntu 20.04 LTS on Windows 10 2004

root@Rockheart:/home/# sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000
Could not open socket to kernel: Permission denied
root@Rockheart:/home/# sudo iptables -L
iptables v1.8.4 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

[benhillis]

@cypherstream - are you certain you are using WSL2? What is the output of uname -a?

[cypherstream]

Well I upgraded to Win 10 Build 2004 which in the Windows 10 release notes state its WSL2. Then I enabled the Windows Subsystem for Linux and rebooted after it was done. Then in the Windows Store I installed Ubuntu 20.04 LTS.

uname -a
Linux Rockheart 4.4.0-19041-Microsoft #1-Microsoft Fri Dec 06 14:06:00 PST 2019 x86_64 x86_64 x86_64 GNU/Linux

[WSLUser]

You also have to install the virtual machine platform feature for wsl2

[cypherstream]

You also have to install the virtual machine platform feature for wsl2

Ah thanks, I was naive in thinking one of those big box sites like neowin, zdnet, etc.. that simply state WSL2 as a new bullet point under the whats new in Windows 10 2004 meant it was automatically updated.

now uname -a
Linux Rockheart 4.19.84-microsoft-standard #1 SMP Wed Nov 13 11:44:37 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I can't wait for USB device support in the future to start building some software defined radio tools.

[whizsid]

I can not start the docker daemon. Because of the iptables.

whizsid@LAPTOP-JFD40N70:~/$ sudo iptables -t nat -N DOCKER
iptables v1.8.2 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

[ledangdung]

docker service cant start in wsl, i dont know if or not this key to cause.here is my failed msg
failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed: iptables -t nat -N DOCKER: iptables v1.8.2 (legacy): can't initialize iptables table nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
(exit status 3)
`

I have the same problem!

Try you start the Ubuntu on Windows as Administrator.

I have the same issued and it's work for me on WSL 1, because when i using the WSL2, the IP address of the window and WSL is not the same and i can not connect through localhost or the localhost ip address. This work for me ♥

[ericzli]

Still an issue in WSL2 - Ubuntu 16(or 18) on Windows 10. So dockerd failed to run.

$ sudo iptables -L
iptables v1.6.0: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

[therealkenc]

So dockerd failed to run

Discussion here. Ref #6044.

[jchavezb-37]

Please do the follow steps:

1.- Open a CMD console with administrator privileges (Very important)
2.- execute bash command (this will open the WLS environment)
3.- Then execute service docker start in the console

Done.
:)

[Pure-Peace]

Please do the follow steps:

1.- Open a CMD console with administrator privileges (Very important) 2.- execute bash command (this will open the WLS environment) 3.- Then execute service docker start in the console

Done. :)

Thank you so much

[Samuellucas97]

Please do the follow steps:

1.- Open a CMD console with administrator privileges (Very important) 2.- execute bash command (this will open the WLS environment) 3.- Then execute service docker start in the console

Done. :)

I'm so grateful dude . Thanks a lot 😁! I spend much time trying to solve this problem.

[Capataloutchoupika]

Any workaround to use docker on WSL2 without UAC Account ?

[tonyplee]

--------------- I got it working by following in power shell
wsl -l -v
NAME STATE VERSION

• Ubuntu-18.04 Stopped 1
  Ubuntu-20.04 Stopped 1

wsl --set-version Ubuntu-20.04 2

wsl -l -v
NAME STATE VERSION

• Ubuntu-18.04 Stopped 1
  Ubuntu-20.04 Stopped 2

----------------- at this point, I start ubuntu 20.04 iptables -L is working for me now and so is dockerd.

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

[jlearman]

Please do the follow steps:

1.- Open a CMD console with administrator privileges (Very important) 2.- execute bash command (this will open the WLS environment) 3.- Then execute service docker start in the console

Done. :)

jlearman:system32$ service docker start
Redirecting to /bin/systemctl start docker.service
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down

(So I start docker daemon manually. That fails unless I disable iptables, which I need.)

jlearman:~$ uname -a
Linux LAPTOP-CTL8NA7S 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

jlearman:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Warning: iptables-legacy tables present, use iptables-legacy to see them

[vishalmohakar]

launch ubuntu.exe as administrator. everything will work.

[Lafifi-24]

launch ubuntu.exe as administrator. everything will work.

I had the same issue(iptables not work) .and it is work when you launch ubuntu as administrator.

[ShitalBorganve]

yes this is still an issue with wsl even in Ubuntu 4.4.0-19041-Microsoft.
iptables does not work yet, intern issue with docker engine to run on wsl

[lwaggonerExpedia]

I tried as admin but eventually used this: sudo update-alternatives --set iptables /usr/sbin/iptables-legacy and then it worked (was trying to do this with sshuttle though). Not sure if that matters. Locally I was able to run some of the other commands like iptables -vnL - so perhaps this is a different error. Fact is I was able to get it to work.

# Warning: iptables-legacy tables present, use iptables-legacy to see them
iptables v1.8.7 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain OUTPUT
# Warning: iptables-legacy tables present, use iptables-legacy to see them
iptables: Bad rule (does a matching rule exist in that chain?).
fw: fw: error: fw: ['iptables', '-t', 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-12300'] returned 1
iptables: Bad rule (does a matching rule exist in that chain?).
fw: fw: error: fw: ['iptables', '-t', 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-12300'] returned 1
fw: fatal: fw: ['iptables', '-t', 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-12300'] returned 4
c : fatal: cleanup: ['/usr/bin/sudo', '-p', '[local sudo] Password: ', '/usr/bin/env', 'PYTHONPATH=/usr/lib/python3/dist-packages', '/usr/bin/python3', '/usr/bin/sshuttle', '--method', 'auto', '--firewall'] returned 99```