The iptables command failed because it tried to reference a chain or target that doesn’t exist in the current firewall configuration. This usually means you’re trying to add a rule that depends on a non-existent jump target or you’re trying to delete a rule that refers to a non-existent chain.

Here are the most common reasons this happens and how to fix them:

  1. Typo in Chain or Target Name: This is the simplest and most frequent culprit. You’ve mistyped the name of a built-in chain (like INPUT, OUTPUT, FORWARD) or a custom chain you previously created.

    • Diagnosis: Carefully review your iptables command for any spelling errors. Compare the name in your command to the expected name.
    • Fix: Correct the typo. For example, if you meant MY_CUSTOM_CHAIN but typed MY_CUSTM_CHAIN, change it to MY_CUSTOM_CHAIN.
    • Why it works: iptables matches names exactly. A single character difference means it’s looking for something that isn’t there.
  2. Custom Chain Not Created Before Use: You’re trying to add a rule that jumps to a custom chain (e.g., iptables -A INPUT -j MY_CHAIN), but you haven’t actually created MY_CHAIN yet.

    • Diagnosis: List your current chains with iptables -L --line-numbers. If your custom chain isn’t listed, it doesn’t exist.
    • Fix: Create the custom chain first. For example:
      iptables -N MY_CHAIN
      
      Then, add your rule that jumps to it:
      iptables -A INPUT -j MY_CHAIN
      
    • Why it works: The -N command explicitly tells iptables to create a new, empty chain. Without this, the jump target for MY_CHAIN is undefined.
  3. Attempting to Delete a Non-Existent Chain: You’re trying to remove a custom chain that has already been deleted or never existed in the first place.

    • Diagnosis: Use iptables -L --line-numbers to see if the chain you’re trying to delete is present.
    • Fix: If the chain is not listed, don’t try to delete it. If it is listed, ensure you’re using the correct name and that the chain is empty (you can’t delete a chain with rules in it without flushing it first). To delete an empty chain:
      iptables -X MY_CHAIN
      
      If it’s not empty, you’ll need to remove its rules first or flush the chain:
      iptables -F MY_CHAIN
      iptables -X MY_CHAIN
      
    • Why it works: The -X command removes a custom chain. iptables will error if the chain doesn’t exist or if it still contains rules.
  4. Using a Target That Requires a Specific Module Not Loaded: You’re using a custom target (often defined by an iptables extension module) that isn’t available or loaded in your kernel. Built-in targets like ACCEPT, DROP, REJECT are always present. However, targets provided by extensions (e.g., NFLOG, CHECKSUM) might not be.

    • Diagnosis: Try to list all available targets with iptables --list-targets. If the target you’re using isn’t in the output, it’s not recognized.
    • Fix: Load the necessary kernel module. For example, if you’re trying to use NFLOG:
      sudo modprobe nf_log_ipv4
      
      Then, retry your iptables command.
    • Why it works: iptables targets are implemented as kernel modules. If the module providing the target isn’t loaded, the target name is unknown to the kernel.
  5. Rules Exist in iptables-restore But Not in Live Configuration: You’re using iptables-restore to load a saved ruleset, but the save file contains references to chains or targets that are not present in the currently running iptables configuration. This can happen if you’ve manually modified the running ruleset between saving and restoring, or if the save file is from a different system/configuration.

    • Diagnosis: Compare the output of iptables -L -n (live rules) with the contents of your save file (e.g., iptables-save). Look for chains or targets in the save file that are missing from the live output.
    • Fix: Ensure the save file is consistent with your expected live configuration. If you intend to restore a full ruleset, make sure any custom chains referenced in the save file are also present and created before you run iptables-restore. Alternatively, if you’re only restoring specific rules, ensure the chains they jump to already exist. A common fix is to create the necessary chains first:
      iptables -N MY_CHAIN_FROM_SAVE
      # ... potentially other chains ...
      iptables-restore < your_save_file.rules
      
    • Why it works: iptables-restore applies the rules as written. If it encounters a jump to MY_CHAIN_FROM_SAVE but MY_CHAIN_FROM_SAVE has not been defined via iptables -N or iptables-restore previously, it will error.
  6. Using iptables commands on the Wrong Network Stack (IPv4 vs. IPv6): You might be running ip6tables commands but trying to use an IPv4-only target, or vice-versa. Most custom targets are specific to one protocol family.

    • Diagnosis: Check if you’re using iptables (for IPv4) or ip6tables (for IPv6). Then, verify that the target you’re using is compatible with the protocol family of the iptables command you invoked.
    • Fix: Use the correct command for the protocol. If you need a target that works for both, you might need separate rulesets or a target that supports both. For example, if NFLOG is needed for IPv4 and NFCT for IPv6, you’d use iptables for the former and ip6tables for the latter.
    • Why it works: iptables and ip6tables manage separate firewall tables for IPv4 and IPv6 traffic, respectively. Targets are often implemented in specific kernel modules tied to one protocol.

The next error you’ll likely encounter after fixing these is related to rule syntax, such as incorrect parameter parsing for a specific match or target.
