iptables stopped working with “Couldn't load match `state':No such file or directory”

This rule

-A INPUT  -i eth0  -p tcp -s -m state --state NEW,ESTABLISHED --dport 17828 -j ACCEPT

used to work just fine until recently on my iptables, but now seems to fail with the following message:

iptables-restore v1.8.2 (nf_tables): Couldn't load match `state':No such file or directory

Might this be due to a system update? I can’t figure out the issue here. Thanks!

Asked By: DrManhattan


Yes, it might be due to a system update — iptables is being replaced by nftables, and the version of iptables-restore that you’re running is using nftables. You should run iptables-legacy-restore instead.

In the long term, it’s better to migrate to nftables, because iptables is going to get deprecated and removed from distributions at some point. Try iptables-translate, it can help you with the bulk of the transition.

Answered By: Alexander Batischev

state is deprecated, use

-m conntrack --ctstate ESTABLISHED,RELATED

instead of

-m state --state ESTABLISHED,RELATED

Answered By: admin
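As an added example, not taken from any of the answers above: a small POSIX shell helper that rewrites the deprecated `-m state --state` match into `-m conntrack --ctstate` across a saved ruleset, and counts any legacy matches left over. The sample dump is constructed for the example and is based on the rule from the question.

```shell
#!/bin/sh
# Constructed sample of an iptables-save dump (not a real system's ruleset).
# The first rule is the one from the question, without the incomplete "-s".
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 17828 -j ACCEPT
-A INPUT -m state ! --state NEW -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Rewrite "-m state [!] --state X" to "-m conntrack [!] --ctstate X".
# The state names (NEW, ESTABLISHED, RELATED, INVALID) are identical for
# both matches, so the value list is passed through unchanged.
# Reads a ruleset on stdin and writes the converted ruleset on stdout.
convert_state_match() {
    sed -E 's/-m state( !)? --state /-m conntrack\1 --ctstate /g'
}

# Count rules on stdin that still use the legacy "state" match.
# Prints 0 when none remain (grep -c exits 1 in that case, hence "|| true").
count_legacy_state() {
    grep -c -- '-m state ' || true
}

# Dry-run a converted ruleset against the running backend without applying
# it. Needs root and the iptables tools, so this is only for interactive use.
check_ruleset() {
    iptables-restore --test
}

# Demonstration: show the converted dump and how many legacy matches remain.
printf '%s\n' "$SAMPLE_RULES" | convert_state_match
printf 'legacy state matches remaining: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | convert_state_match | count_legacy_state)"
```

On a live system the same pipeline would be `iptables-save | convert_state_match > rules.v4`, followed by `check_ruleset < rules.v4` before loading it.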

I fixed this issue by running sudo modprobe ipt_owner.

Answered By: mythsman

I got this error after blacklisting kernel module x_tables, while still using iptables-nft. I thought iptables-nft would only need kernel module nf_tables, but it seems that it also depends on x_tables to recognize the match names (e.g. -m state, -m limit). From lsmod without blacklisting:

Module                  Size  Used by
x_tables               53248  4 xt_conntrack,nft_compat,xt_state,ip_tables

So, check that you did not blacklist kernel module x_tables, for example in one of the files in /etc/modprobe.d/.

Blacklisting ip_tables instead was no problem.

Versions: Debian 11.5, linux 5.10.149-2, iptables 1.8.7-1, nftables 0.9.8-3.1+deb11u1.

Answered By: Peter Nowee