iptables-restore is failing because the input file contains syntax errors that the iptables parser cannot understand.

Common Causes and Fixes:

  1. Incorrect Protocol Specification:

    • Diagnosis: Look for lines where iptables commands specify a protocol but it’s misspelled or not a valid protocol (e.g., tcpd instead of tcp).
    • Fix: Correct the protocol name. For instance, if you see iptables -A INPUT -p tcpd -j ACCEPT, change it to iptables -A INPUT -p tcp -j ACCEPT. This works because iptables expects standard network protocols like tcp, udp, icmp, udplite, raw, mpegts, route, all, etc.
    • Command Example:
      grep -i "p tcpd" /etc/sysconfig/iptables
      
      sed -i 's/p tcpd/p tcp/g' /etc/sysconfig/iptables
      
  2. Invalid Match Extensions:

    • Diagnosis: iptables uses extensions for more advanced matching (e.g., --dport, --sport, --state, --mac-source). If an extension is used with the wrong protocol or is simply mistyped, iptables-restore will fail. For example, --dport 80 is valid for tcp and udp, but not for icmp.
    • Fix: Ensure the match extension is compatible with the specified protocol. If you see iptables -A INPUT -p icmp --dport 80 -j ACCEPT, change it to iptables -A INPUT -p tcp --dport 80 -j ACCEPT or remove the --dport if it’s not applicable to icmp.
    • Command Example:
      grep -- "--dport" /etc/sysconfig/iptables | grep -v "p tcp" | grep -v "p udp"   # "--" stops grep from reading --dport as its own option
      
      # Example fix:
      sed -i '/-p icmp --dport 80/s/-p icmp/-p tcp/' /etc/sysconfig/iptables
      
  3. Missing or Incorrect Module Loading:

    • Diagnosis: Some iptables extensions depend on kernel modules. If a rule uses an extension whose module is not loaded or not available, iptables-restore can fail. This is rarely a pure parse error; more often iptables-restore reports that it cannot find the match or target when it tries to load the extension. A more direct and more common cause is a mistyped module or extension name.
    • Fix: Ensure necessary modules are loaded. For example, the state module is often required for --state matching. You can load it manually with modprobe ip_conntrack (or nf_conntrack on newer kernels) and ensure it’s loaded at boot by adding it to /etc/modules-load.d/iptables.conf.
    • Command Example:
      lsmod | grep nf_conntrack
      
      echo "nf_conntrack" >> /etc/modules-load.d/iptables.conf
      systemctl restart iptables # or service iptables restart
      
  4. Invalid Target Specification:

    • Diagnosis: The TARGET in an iptables rule specifies what to do with matching packets (e.g., ACCEPT, DROP, REJECT, LOG). Typographical errors or using a non-existent target will cause parsing failures.
    • Fix: Correct the target name. For example, change iptables -A INPUT -j ACETP to iptables -A INPUT -j ACCEPT.
    • Command Example:
      grep -vE "ACCEPT|DROP|REJECT|LOG" /etc/sysconfig/iptables | grep -E " -j "
      
      sed -i 's/ACETP/ACCEPT/g' /etc/sysconfig/iptables
      
  5. Malformed Rule Syntax (General):

    • Diagnosis: This covers a wide range of issues like missing dashes before options (dport instead of --dport), extra spaces, or incorrect order of options. iptables-restore is quite strict about the command-line syntax of iptables.
    • Fix: Carefully review the line reported in the error message and correct the syntax according to iptables documentation. For instance, a rule like iptables -A INPUT p tcp --dport 22 -j ACCEPT should be iptables -A INPUT -p tcp --dport 22 -j ACCEPT.
    • Command Example:
      # Assuming error points to line 50:
      sed -n '50p' /etc/sysconfig/iptables
      
      # Example fix for missing dash:
      sed -i '50s/ p / -p /' /etc/sysconfig/iptables
      
  6. IPv6 vs. IPv4 Mismatch:

    • Diagnosis: If you are using iptables-restore with an IPv4 ruleset but it’s being run in an environment that expects IPv6 (or vice-versa), or if the ruleset itself contains IPv6-specific syntax (like ip6tables syntax) in an iptables file, it will fail. iptables operates on IPv4, while ip6tables operates on IPv6.
    • Fix: Ensure you are using the correct tool for the job. If your rules are for IPv4, use iptables-restore. If they are for IPv6, use ip6tables-restore. If the file contains a mix or incorrect syntax for the intended protocol, edit the file to conform to either iptables or ip6tables syntax exclusively.
    • Command Example:
      # Check if ip6tables rules are in iptables file
      grep -E "ipv6|inet6" /etc/sysconfig/iptables
      
      # If rules are for IPv6, move to ip6tables-restore
      # cp /etc/sysconfig/iptables /etc/sysconfig/ip6tables
      # systemctl restart ip6tables
      
  7. Unrecognized Options/Extensions:

    • Diagnosis: Using iptables extensions that are not part of the currently installed iptables package or are not loaded as modules. This can happen if you copy rules from a system with a different iptables version or custom modules.
    • Fix: Remove the unrecognized options or ensure the corresponding modules are loaded and available. For example, if you see a rule using --nfv9-log and that extension isn’t available, remove that part of the rule.
    • Command Example:
      # Check for potentially unknown options (examples)
      grep -- "--unknown-option" /etc/sysconfig/iptables   # "--" stops grep from reading the pattern as an option
      
      # Remove the offending part of the rule
      sed -i 's/ --unknown-option//g' /etc/sysconfig/iptables
      
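The seven checks above are all text patterns over a saved ruleset, so they can be run together before touching the firewall. The following script is an added example (not from the original article): it lints an iptables-save format file for unknown protocols, --dport/--sport used with a protocol that has no ports, options missing their leading dash, and unknown targets, and prints the offending line number the same way iptables-restore's "line N failed" message does. The sample ruleset and the protocol/target lists are constructed for the example; on a real system pair it with `iptables-restore --test < FILE`, which parses the file without committing it.

```shell
#!/bin/sh
# Added example: static pre-check for an iptables-save format file.
# Pure text processing, so it needs neither root nor the iptables binary.

# make_sample FILE: write a constructed ruleset that contains one instance
# of each error class discussed above (not a real system file).
make_sample() {
  cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcpd --dport 22 -j ACCEPT
-A INPUT -p icmp --dport 80 -j ACCEPT
-A INPUT -p tcp dport 443 -j ACCEPT
-A INPUT -j ACETP
COMMIT
EOF
}

# lint_rules FILE: print "LINE: reason; ..." for every suspicious rule.
# Returns 1 if anything was flagged, 0 if the file looks clean.
lint_rules() {
  awk '
    BEGIN {
      # Protocol names iptables -p accepts by name (numeric values are also allowed).
      split("tcp udp udplite icmp icmpv6 esp ah sctp all", p, " ")
      for (i in p) proto[p[i]] = 1
      # Built-in targets; user-defined chains are added from ":NAME" lines below.
      split("ACCEPT DROP REJECT LOG RETURN", t, " ")
      for (i in t) target[t[i]] = 1
    }
    /^:/ { target[substr($1, 2)] = 1; next }        # chain declaration
    /^[*#]/ || /^COMMIT/ || /^$/ { next }          # table, comment, commit, blank
    {
      bad = ""; np = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p" || $i == "--protocol") np = $(i + 1)
        if ($i == "-j" && !($(i + 1) in target))
          bad = bad "unknown target " $(i + 1) "; "
        if (($i == "--dport" || $i == "--sport") &&
            np != "tcp" && np != "udp" && np != "udplite" && np != "sctp" && np != "dccp")
          bad = bad $i " needs -p tcp/udp; "
        if ($i ~ /^(dport|sport|p|j|m|s|d|i|o)$/)
          bad = bad "option " $i " is missing its leading dash; "
      }
      if (np != "" && !(np in proto) && np !~ /^[0-9]+$/)
        bad = bad "unknown protocol " np "; "
      if (bad != "") { print NR ": " bad; found = 1 }
    }
    END { exit found ? 1 : 0 }
  ' "$1"
}

# Usage: ./lint-iptables.sh /etc/sysconfig/iptables
if [ $# -gt 0 ]; then
  lint_rules "$1" || { echo "fix the lines above, then run: iptables-restore --test < $1"; exit 1; }
fi
```

Every flagged line carries the file line number, so `sed -n 'Np'` from item 5 shows the rule in context and the targeted `sed -i 'Ns/.../.../'` edits from the items above can be applied without touching the rest of the file. The lint is deliberately conservative: a `-j` to a chain the file does not declare is reported, because iptables-restore will reject it with "No chain/target/match by that name".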

After fixing these, the next error you’re likely to encounter is a "DROP target is not valid" if you’ve accidentally removed all valid targets or a "No chain/target/match by that name" if a specific chain or target was misspelled and not caught by the initial parsing.
