
Fixing iptables Service Restart Errors: security raw nat mangle fi[FAILED] and ip_conntrack_netbios_n[FAILED]

Fixing the security raw nat mangle fi[FAILED] error when restarting the iptables service

Problem Description

When restarting the iptables service, the console displays the following error:

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: security raw nat mangle fi[FAILED]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[FAILED]

This indicates failures when setting default chain policies and loading additional modules.

Solution 1: Fix "Setting chains to policy ACCEPT" Failure

This error is often related to compatibility issues between specific kernel versions and the iptables init script. The following method may work on some older systems, but upgrading the system or kernel is the most reliable solution.

  1. Back up the iptables init script and download the patch:

cd /etc/init.d/
cp iptables ~/iptables.backup
wget -O iptables.patch http://bpaste.net/raw/47952/

Note: If the download link fails or shows certificate errors, try:

wget --no-check-certificate -O iptables.patch http://bpaste.net/raw/47952/

  2. Apply the patch:

patch -p1 < iptables.patch

If prompted for a file, specify /etc/init.d/iptables.

  3. Clean up:

rm iptables.patch

Important: The patch link (bpaste.net/raw/47952) may be outdated. If patching fails, consider upgrading your system or switching to a modern firewall solution like firewalld or nftables.

Solution 2: Fix "Loading additional iptables modules" Failure

This error occurs because the system tries to load a deprecated or missing kernel module: ip_conntrack_netbios_ns.

  1. Edit the iptables configuration file:

vi /etc/sysconfig/iptables-config

  2. Find the line that loads this module and comment it out. The configuration typically looks like:

# Load additional iptables modules (space separated).
# Example: IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_irc"
IPTABLES_MODULES="ip_conntrack_netbios_ns"

Change it to:

# Load additional iptables modules (space separated).
# Example: IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_irc"
# IPTABLES_MODULES="ip_conntrack_netbios_ns"

  3. Save and exit (in vi, press Esc, type :wq, then press Enter).
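To see which entries in IPTABLES_MODULES will actually fail before you restart the service, here is an added shell script (not from the original post) that parses the active IPTABLES_MODULES line and checks each name with modinfo against the running kernel; KNOWN_MODULES is an assumed test hook for running the logic offline, and the embedded sample config is constructed to match the one shown above.

```shell
#!/bin/sh
# Added example (not from the original post): audit the IPTABLES_MODULES line
# of /etc/sysconfig/iptables-config and list the modules the running kernel
# cannot load, i.e. the ones that produce "...[FAILED]" on service restart.

# Print the module names from the last active (uncommented) IPTABLES_MODULES= line.
configured_modules() {
    sed -n 's/^[[:space:]]*IPTABLES_MODULES=["'\'']\{0,1\}\([^"'\'']*\).*/\1/p' "$1" | tail -n 1
}

# Return 0 if the module exists for the running kernel. KNOWN_MODULES is an
# assumed test hook: when set, membership in that list replaces the modinfo lookup.
module_available() {
    if [ -n "${KNOWN_MODULES+x}" ]; then
        case " $KNOWN_MODULES " in
            *" $1 "*) return 0 ;;
            *) return 1 ;;
        esac
    fi
    modinfo "$1" >/dev/null 2>&1
}

# Print the configured modules that would fail to load, one per line.
missing_modules() {
    for m in $(configured_modules "$1"); do
        module_available "$m" || echo "$m"
    done
}

# Constructed sample config, following the shape shown in the post above.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# Load additional iptables modules (space separated).
# Example: IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_irc"
IPTABLES_MODULES="ip_conntrack_netbios_ns"
EOF

echo "Configured: $(configured_modules "$SAMPLE_CONFIG")"
echo "Would fail to load on this kernel:"
missing_modules "$SAMPLE_CONFIG"
rm -f "$SAMPLE_CONFIG"
```

On kernels that use the nf_conntrack stack the helper module is named nf_conntrack_netbios_ns rather than ip_conntrack_netbios_ns, which is why the old name no longer loads; the audit tells you whether the configured name exists at all before you comment the line out.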

Final Steps

After making the changes, restart the iptables service:

service iptables restart

Or, on systems with systemd:

systemctl restart iptables

Summary and Recommendations

These solutions target older Linux distributions (e.g., CentOS 6/RHEL 6). For modern systems:

  • CentOS 7/RHEL 7 and later use firewalld by default.
  • Consider migrating to nftables (the successor to iptables).
  • If problems persist, upgrading the kernel or switching to a newer distribution may be the most effective solution.
