The iptables service is failing to start because a kernel module that backs one of the match extensions used in your rules is not loaded, and usually cannot be loaded because it was never installed or built for the running kernel. Two messages tell the halves apart: iptables: No chain/target/match by that name means userspace found the extension but the kernel has no module for it; Couldn't load match `recent':No such file or directory means the userspace extension (libxt_recent.so) itself is missing from the iptables package.

Common Causes and Fixes

  1. Missing xt_recent module:

    • Diagnosis: Run sudo iptables -m recent -h. Success only proves the userspace extension is installed; the kernel side fails when the rule set is loaded, with iptables: No chain/target/match by that name. Check the module itself: lsmod | grep '^xt_recent' shows whether it is loaded, and if sudo modprobe xt_recent fails with modprobe: FATAL: Module xt_recent not found in directory /lib/modules/<kernel>, the module file is absent from the running kernel's module tree, and this is your culprit.
    • Fix: Load the module manually: sudo modprobe xt_recent.
    • Why it works: This command tells the Linux kernel to load the xt_recent module, which provides the recent match functionality to iptables. This module is often compiled as a loadable module rather than built directly into the kernel.
    • Persistence: To ensure it loads on boot, add xt_recent to /etc/modules-load.d/iptables.conf (create the file if it doesn’t exist).
  2. Missing xt_set module (for set match):

    • Diagnosis: If your rules use the set match (e.g., -m set --match-set my_set src) and loading them fails with No chain/target/match by that name, check whether the module is loaded with lsmod | grep '^xt_set' (sudo iptables -m set -h only confirms the userspace extension). xt_set depends on ip_set, so both must load. A separate failure, Set my_set doesn't exist., means the set has not been created with ipset yet; creating the set, not loading a module, fixes that one.
    • Fix: Load the module: sudo modprobe xt_set.
    • Why it works: The xt_set module is required for iptables to use the set match, which tests packets against ipset sets (lists of IP addresses, networks or ports) held in the kernel, so one rule can cover thousands of entries.
    • Persistence: Add xt_set to /etc/modules-load.d/iptables.conf.
  3. Missing xt_multiport module (for multiport match):

    • Diagnosis: Rules using -m multiport --dports 80,443 (or --sports, or --ports for either direction) will fail if xt_multiport is not present. Verify the userspace extension with sudo iptables -m multiport -h and the module with lsmod | grep '^xt_multiport'. Note that multiport needs a protocol (-p tcp or -p udp) and takes at most 15 ports per rule; violating either produces a different, userspace-side error, not the missing-module one.
    • Fix: Load the module: sudo modprobe xt_multiport.
    • Why it works: This module extends iptables to match against up to 15 ports or port ranges in a single rule, making firewall configurations more concise.
    • Persistence: Add xt_multiport to /etc/modules-load.d/iptables.conf.
  4. Kernel Module Not Built/Installed:

    • Diagnosis: If sudo modprobe <module_name> consistently fails with "not found" for a module that is standard for your kernel version (xt_recent, for example), the module tree for the running kernel is incomplete or missing. First check that it exists at all: ls /lib/modules/$(uname -r). If that directory is absent, the kernel packages were upgraded but the machine was never rebooted into the new kernel, so the old kernel is running with its modules removed; a reboot fixes it. If the directory exists but modinfo -n <module_name> still fails, the package that ships the module is not installed. On Ubuntu the modules are split between linux-modules-$(uname -r) and linux-modules-extra-$(uname -r); on Debian they ship inside the linux-image package itself; on RHEL/CentOS 8 and later look at kernel-modules and kernel-modules-extra. Kernel headers are not involved: they are needed to build modules, not to load them.
    • Fix: Install the module package for the running kernel. On Ubuntu: sudo apt update && sudo apt install linux-modules-extra-$(uname -r). On CentOS/RHEL: sudo yum install kernel-modules-$(uname -r); the unversioned kernel-modules pulls the newest kernel's modules, which the running kernel cannot use until you reboot into it. Then retry sudo modprobe <module_name>.
    • Why it works: This ensures that all necessary kernel modules, including those used by iptables extensions, are actually present and available for loading by the kernel.
  5. Outdated iptables Package:

    • Diagnosis: While less common for standard modules, a very old iptables userspace package might lack the extension (.so) for a match, or request modules your current kernel no longer ships. Check the version with iptables --version; the output also says whether the binary is the legacy or nf_tables backend, which matters because the two load different table modules (ip_tables versus nf_tables) even though the xt_* match modules are shared.
    • Fix: Update your iptables package to the latest version available for your distribution. On Debian/Ubuntu: sudo apt update && sudo apt install --only-upgrade iptables. On CentOS/RHEL: sudo yum update iptables.
    • Why it works: Newer iptables versions are built and tested against current kernel APIs and ship the userspace extensions matching the modules your kernel provides.
  6. Incorrect Kernel Configuration:

    • Diagnosis: If you’ve manually compiled your kernel or are running a highly customized one, it’s possible that the netfilter options behind the iptables extensions were not enabled during the kernel build configuration. Re-examine your kernel .config (usually /boot/config-$(uname -r), or zcat /proc/config.gz if the kernel was built with CONFIG_IKCONFIG_PROC). Look for CONFIG_NETFILTER_XT_MATCH_RECENT, CONFIG_NETFILTER_XT_MATCH_MULTIPORT and, for the set match, CONFIG_NETFILTER_XT_SET together with CONFIG_IP_SET (note that the set match is not named ..._MATCH_SET), and ensure each is set to m (loadable module) or y (built-in); a line reading # CONFIG_... is not set means it was left out.
    • Fix: Reconfigure and recompile your kernel with the necessary Netfilter options enabled. This is an advanced procedure and generally not recommended unless you have a specific need for a custom kernel.
    • Why it works: This directly addresses the root cause if the modules were never compiled into the kernel or made available as loadable modules in the first place.
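The six causes above are one diagnostic path: userspace extension present, module tree present for the running kernel, module file shipped, module loaded, persistence written. The following script walks that path for each match your rules use. It is an example added to this page, not part of the course; the script name, the MATCHES list, the config-file path and the assumption that check and persist are run as root are all mine.

```shell
#!/usr/bin/env bash
# iptables-modcheck.sh: run this page's diagnosis for each match extension the
# rule set uses, load what is missing, and render the modules-load.d file.
# Example script added to this page, not part of the course. Assumed: the script
# name, the MATCHES list, that "check" and "persist" run as root, and the paths.
set -u

KREL=$(uname -r)
KCONFIG="/boot/config-$KREL"              # kernel build config, where the distro ships it
LOADCONF=/etc/modules-load.d/iptables.conf
MATCHES="recent set multiport"            # assumption: the matches your rules use

# Kernel module behind an iptables match: xt_<match> for the three discussed here.
match_module() {
  printf 'xt_%s\n' "$1"
}

# Kconfig symbol that builds that module. The set match is the odd one out:
# its symbol is CONFIG_NETFILTER_XT_SET, not CONFIG_NETFILTER_XT_MATCH_SET.
match_config() {
  case "$1" in
    set) echo CONFIG_NETFILTER_XT_SET ;;
    *)   echo "CONFIG_NETFILTER_XT_MATCH_$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ;;
  esac
}

# State of a Kconfig symbol in a config file: y (built in), m (module), n, or missing.
config_state() {  # $1 = config file, $2 = CONFIG_ symbol
  local line
  line=$(grep -E "^(# )?$2[ =]" "$1" 2>/dev/null | head -n 1)
  case "$line" in
    "$2=y")            echo y ;;
    "$2=m")            echo m ;;
    "# $2 is not set") echo n ;;
    *)                 echo missing ;;
  esac
}

# Content of the modules-load.d file for the given modules, one name per line.
render_modules_load() {
  printf '# netfilter match modules required by the iptables rule set\n'
  printf '%s\n' "$@"
}

# Check one match end to end; prints a verdict and returns 0 only if it is usable.
check_match() {
  local m=$1 mod cfg
  mod=$(match_module "$m")
  # 1. Userspace: is the libxt_<match>.so extension installed? (-h needs no root)
  if ! iptables -m "$m" -h >/dev/null 2>&1; then
    echo "$m: userspace extension missing (iptables -m $m -h fails): reinstall or upgrade iptables"
    return 1
  fi
  # 2. Kernel: module tree for the running kernel, then a file (or built-in entry) for this module.
  if [ ! -d "/lib/modules/$KREL" ]; then
    echo "$m: no /lib/modules/$KREL: kernel upgraded without a reboot? reboot into the new kernel"
    return 1
  fi
  if ! modinfo -n "$mod" >/dev/null 2>&1 \
     && ! grep -q "/$mod\.ko" "/lib/modules/$KREL/modules.builtin" 2>/dev/null; then
    cfg=$(match_config "$m")
    echo "$m: $mod not shipped for $KREL ($cfg=$(config_state "$KCONFIG" "$cfg") in $KCONFIG)"
    echo "$m: install the distro's kernel modules package or rebuild with $cfg=m"
    return 1
  fi
  # 3. Loaded? modprobe is idempotent and returns 0 for built-in modules too.
  if ! lsmod | grep -q "^$mod "; then
    modprobe "$mod" || { echo "$m: modprobe $mod failed"; return 1; }
  fi
  echo "$m: ok ($mod available)"
}

case "${1:-}" in
  check)
    rc=0
    for m in $MATCHES; do check_match "$m" || rc=1; done
    exit "$rc" ;;
  persist)
    mods=""
    for m in $MATCHES; do mods="$mods $(match_module "$m")"; done
    # shellcheck disable=SC2086  # intentional word splitting of the module list
    render_modules_load $mods > "$LOADCONF" && echo "wrote $LOADCONF" ;;
esac
```

Run sudo ./iptables-modcheck.sh check first; each line names the failing step and which of the causes above applies, and a clean run has already loaded the modules. Then sudo ./iptables-modcheck.sh persist writes the modules-load.d file so the modules come back after a reboot.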

After applying one or more of these fixes and ensuring the relevant modules are loaded (either manually or via modules-load.d), validate the rule set without touching the live firewall, sudo iptables-restore --test /etc/sysconfig/iptables (or wherever your distribution keeps the saved rules); if that passes, start the service with sudo systemctl start iptables or sudo service iptables start, and confirm with systemctl status iptables or journalctl -u iptables.

The next error you’ll likely hit is a Permission denied message. iptables rules themselves never read or write files, so this is not about the rules: it means the process loading them (iptables-restore, or the service unit that runs it) is not root and lacks the CAP_NET_ADMIN capability needed to change the kernel’s tables.
