The iptables-restore command is failing because the raw table, the table netfilter consults before connection tracking, is not being provided by the kernel.

This typically happens when the iptables modules required for the raw table are not compiled into the kernel or are not loaded as modules. The raw table matters for certain advanced packet-filtering and NAT setups because its rules are evaluated before connection tracking; that lets you exempt packets from stateful inspection or mark them for specific handling before they are considered "tracked."

Here’s a breakdown of common causes and their fixes:

  1. Kernel Module Not Loaded: The iptable_raw module may be present on the system but not loaded.

    • Diagnosis: Check if the module is loaded:
      lsmod | grep iptable_raw
      
      If there is no output, it is not loaded. This check applies to the legacy backend; when iptables uses the nf_tables backend (iptables-nft), the raw table is provided by nf_tables and iptable_raw is not needed.
    • Fix: Load the module manually:
      sudo modprobe iptable_raw
      
      To ensure it loads on boot, add a line containing iptable_raw to /etc/modules-load.d/iptables.conf (create the file if it doesn’t exist).
    • Why it works: modprobe loads the kernel module responsible for the raw table’s functionality. Adding it to modules-load.d makes the load persistent across reboots.
  2. Missing Kernel Configuration: The iptable_raw module might not be available in your kernel build at all.

    • Diagnosis: Examine your kernel configuration file (usually /boot/config-$(uname -r), or /proc/config.gz, which you read with zcat). Look for CONFIG_IP_NF_RAW=m (module) or CONFIG_IP_NF_RAW=y (compiled in); the ip6tables equivalent is CONFIG_IP6_NF_RAW. If neither is present, it’s missing.
    • Fix: Recompile your kernel with CONFIG_IP_NF_RAW=m enabled. This is a significant undertaking. Alternatively, if your distribution supports out-of-tree kernel modules, you may be able to build and load the module separately, but that is unusual for standard iptables functionality.
    • Why it works: Enabling this configuration option during kernel compilation ensures the kernel has the necessary code to support the raw table.
  3. iptables-restore Trying to Restore a Non-existent Table: Your iptables-restore input may explicitly load rules into the raw table while the table is unavailable for one of the reasons above.

    • Diagnosis: Inspect your iptables-restore input file (e.g., /etc/sysconfig/iptables or /etc/iptables/rules.v4). Look for lines starting with *raw.
    • Fix: If you don’t need the raw table, comment out or remove all sections starting with *raw and ending with COMMIT from your iptables-restore input file. Then run iptables-restore < /path/to/your/iptables/rules.
    • Why it works: This prevents iptables-restore from attempting to configure a table that the kernel doesn’t support, resolving the immediate error.
  4. Incorrect iptables Service Configuration: On systems using systemd or init.d scripts for iptables, the service might be configured to load specific tables that aren’t available.

    • Diagnosis: Check the iptables service unit file (e.g., /etc/systemd/system/iptables.service or /etc/init.d/iptables). Look for commands that invoke iptables-restore and see if they are passing specific table arguments or if the restored ruleset implicitly tries to load raw.
    • Fix: Ensure the iptables service is configured to load only available tables, or that the iptables-restore command is pointed to a ruleset that only uses available tables. If CONFIG_IP_NF_RAW is not enabled, you must remove any *raw sections from your ruleset.
    • Why it works: Aligns the service’s behavior with the actual capabilities of the running kernel.
  5. nf_tables Conflict (less common for the raw table itself, but worth checking): nf_tables is the modern replacement for the iptables kernel infrastructure, and iptables commands usually still work because the iptables-nft tools translate rules into nf_tables. If, however, the system has moved to nf_tables in a way that leaves your iptables tooling without a raw table (for example, tooling that expects the legacy modules on a kernel that no longer loads them), you could see this error. This is rare for standard iptables usage.

    • Diagnosis: Check if nf_tables is active and what modules are loaded:
      systemctl status nftables
      lsmod | grep nf_tables
      
      Also check iptables -t raw -L after attempting to load the iptable_raw module. If you see iptables: No chain/table specified, or with the legacy backend can't initialize iptables table `raw': Table does not exist (do you need to insmod?), the table is still not available.
    • Fix: If you intend to use nf_tables, migrate your rules to nftables syntax. If you intend to use iptables (and its raw table), ensure nftables is disabled (systemctl stop nftables, systemctl disable nftables) and that the iptables-legacy or iptables-nft tooling is installed and selected consistently; iptables --version reports the backend in use as (legacy) or (nf_tables). Where your distribution ships both, select the backend explicitly with update-alternatives. The commands below select the iptables-nft backend; substitute the corresponding iptables-legacy binaries to select the legacy backend, which is the one that uses the iptable_raw module:
      sudo update-alternatives --set iptables /usr/sbin/iptables-nft
      sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
      sudo update-alternatives --set iptables-restore /usr/sbin/iptables-restore-nft
      sudo update-alternatives --set iptables-save /usr/sbin/iptables-save-nft
      
    • Why it works: This ensures the iptables command-line tools are correctly configured to interact with either the legacy netfilter modules or the nf_tables backend, and that the underlying kernel modules for raw (if needed) are loaded.
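As an added example (not from the page), a POSIX sh helper set covering the checks in steps 2, 3 and 5: it parses a constructed iptables-save-format ruleset, lists the tables it declares, removes the *raw section, reads the backend name out of iptables --version output, and tests the kernel config for CONFIG_IP_NF_RAW. The sample ruleset and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample ruleset in iptables-save format (not taken from the page).
SAMPLE_RULES=$(cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 53 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
)

# List the tables a ruleset on stdin declares (its "*name" header lines).
list_tables() {
    awk '/^\*/ { print substr($0, 2) }'
}

# Drop one table's section, from its "*name" line through its "COMMIT", from stdin.
strip_table() {
    awk -v t="$1" '
        $0 == ("*" t) { skip = 1; next }
        skip && $0 == "COMMIT" { skip = 0; next }
        !skip { print }'
}

# Pull the backend name out of "iptables --version" output: "legacy" or "nf_tables".
backend_from_version() {
    printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\)).*/\1/p'
}

# Does the kernel build offer the legacy raw table (CONFIG_IP_NF_RAW)? Only relevant
# to the legacy backend; iptables-nft gets "raw" from nf_tables. 2 = config unreadable.
legacy_raw_supported() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        grep -qE '^CONFIG_IP_NF_RAW=(y|m)' "$cfg"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -qE '^CONFIG_IP_NF_RAW=(y|m)'
    else
        return 2
    fi
}
# Demo: list the tables, then emit the ruleset with *raw removed (the step 3 fix).
printf '%s\n' "$SAMPLE_RULES" | list_tables
printf '%s\n' "$SAMPLE_RULES" | strip_table raw
```

Write the strip_table output to a new file and review it before feeding it to iptables-restore; the remaining tables pass through unchanged.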

After resolving the underlying issue, the next common iptables error you may hit is iptables: No chain/table specified, which appears if your iptables-restore command still loads rules for a table that doesn’t exist or if the rules themselves are malformed.
