Can't initialize iptables table `nat'

I'm trying to use iptables nat rules but getting

root@OpenWrt:/tmp# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables v1.8.7 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
root@OpenWrt:/tmp# iptables -t nat -L
iptables v1.8.7 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I've added various modules when building but not sure if I have the right one?

iptables-zz-legacy
kmod-ipt-nat
kmod-ipt-nat-extra
iptables-mod-conntrack-extra
iptables-mod-extra
root@OpenWrt:/tmp# insmod ipt-nat
Failed to find ipt-nat. Maybe it is a built in module ?
root@OpenWrt:/tmp# lsmod |grep nat
nf_conntrack           81920 16 xt_connlimit,nf_conncount,xt_state,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,xt_CT,nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_ct,nf_nat,nf_flow_table,nf_conntrack_netlink
nf_nat                 32768  4 nft_redir,nft_nat,nft_masq,nft_chain_nat
nf_tables             163840193 nft_fib_inet,nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject,nft_redir,nft_quota,nft_objref,nft_numgen,nft_nat,nft_masq,nft_log,nft_limit,nft_hash,nft_flow_offload,nft_fib_ipv6,nft_fib_ipv4,nft_fib,nft_ct,nft_counter,nft_chain_nat
nft_chain_nat          16384  2
nft_nat                16384  0
root@OpenWrt:/tmp# lsmod |grep iptable
ip_tables              20480  3 iptable_raw,iptable_mangle,iptable_filter
iptable_filter         16384  0
iptable_mangle         16384  0
iptable_raw            16384  0
x_tables               24576 37 xt_connlimit,xt_state,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,xt_CT,iptable_raw,iptable_mangle,iptable_filter,ipt_REJECT,ipt_ECN,ip_tables,xt_time,xt_tcpudp,xt_tcpmss,xt_statistic,xt_recent,xt_quota,xt_pkttype,xt_owner,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_hl,xt_ecn,xt_dscp,xt_comment,xt_cgroup,xt_addrtype,xt_TCPMSS,xt_LOG,xt_HL,xt_DSCP,xt_CLASSIFY

I don't see the iptable_nat module loaded here.

It should be part of

Try

modinfo iptable_nat; modprobe iptable_nat

Remove iptables-zz-legacy and install iptables-nft


OMG, it's working! I've searched for many days, thank you so much.


You should really be using nftables directly for everything, rather than iptables-nft which is more of a workaround for legacy packages that are no longer maintained so have not been migrated to nft.

If it works for you right now then great, but it could well cause problems at some time in the future.
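The mismatch behind the original error in this thread (a legacy `iptables` binary on a kernel that only has the nftables NAT modules loaded) can be checked mechanically. The script below is an added example, not code from any poster or from OpenWrt; the function names are hypothetical, the sample `lsmod` text is abbreviated from the output quoted earlier in the thread, and the mapping assumes a kernel that ships NAT table support as `iptable_nat` (legacy) or `nft_chain_nat` (nf_tables).

```shell
#!/bin/sh
# Added example: explain why `iptables -t nat` fails, given the text of
# `iptables -V` and `lsmod`. On a device: diagnose_nat "$(iptables -V)" "$(lsmod)"

# Print the backend named in an `iptables -V` line: legacy, nf_tables or unknown.
iptables_backend() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# Succeed only if module $2 is itself loaded, i.e. it is the first column of a
# line in lsmod text $1. A plain grep would also match the "used by" lists.
has_module() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# Report whether the kernel module the installed backend needs for the nat
# table is loaded. Returns 0 = ok, 1 = mismatch, 2 = backend not recognised.
diagnose_nat() {
    backend=$(iptables_backend "$1")
    case "$backend" in
        legacy)    need=iptable_nat ;;     # assumption: legacy nat table module
        nf_tables) need=nft_chain_nat ;;   # assumption: nft nat chain module
        *)         echo "unknown backend"; return 2 ;;
    esac
    if has_module "$2" "$need"; then
        echo "ok: $backend backend, $need loaded"
    else
        echo "mismatch: $backend backend needs $need, not loaded"
        return 1
    fi
}

# Constructed sample, abbreviated from the lsmod output posted in the thread.
SAMPLE_LSMOD='nf_nat                 32768  4 nft_redir,nft_nat,nft_masq,nft_chain_nat
nft_chain_nat          16384  2
ip_tables              20480  3 iptable_raw,iptable_mangle,iptable_filter
iptable_filter         16384  0'

# Demonstration on the sample: the state before and after swapping packages.
diagnose_nat 'iptables v1.8.7 (legacy)' "$SAMPLE_LSMOD" || true
diagnose_nat 'iptables v1.8.8 (nf_tables)' "$SAMPLE_LSMOD" || true
```

This only covers the nat table itself; a missing target extension, such as the MASQUERADE error reported later in the thread, is a separate check.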

Indeed, dockerd still can't run.

failed to start daemon: Error initializing network controller: error creating default "bridge" network: Failed to Setup IP tables: Unable to enable NAT rule:  (iptables failed: iptables --wait -t nat -I POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE: Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.8 (nf_tables):  RULE_INSERT failed (No such file or directory): rule in chain POSTROUTING
 (exit status 4))

And my firewall doesn't seem to run properly either; I don't know if they are related.

Now you see the rabbit hole :flushed:

You will probably have to create the POSTROUTING chain manually (and many other "things" previously created by default...)

Very much so. The OpenWrt firewall uses nftables exclusively. If you have your "own firewall" using iptables, it will only take effect after the OpenWrt firewall has done its thing, if at all, depending on what you were trying to do.

I purchased a domain and attempted to access my home server from the external network. However, currently, it is only accessible through the internal network. I also tried to migrate RSS services to OpenWrt, but neither docker nor podman works. :rofl:

That is a pretty standard thing to do, have you searched the forum for "remote access to my home server"?

I would suggest opening a new thread for it.

That is a completely different topic and you should also open another thread for that - someone has probably done it, or at least tried.

Maybe I should update to official compiled firmware via this. Will that be a convenient solution?

Will that overwrite the software I installed?

Please open new threads for all these new topics...

I've read some tutorials, but nothing helped.

I'm just going to do that and when I tried to search, I met you. :grinning:

Here :smiley_cat:

Since there is a new topic opened, and critically the firmware in use here is not the official OpenWrt (rather some random fork of it), I will be closing this thread.
