27

I'm having a problem using iptables on my Raspberry PI.
I've just downloaded a fresh version of Raspbian Lite on my PI and all I'm trying to do is check my iptables rules but it's not working and I'm getting this error:
>> iptables -L
iptables/1.8.2 Failed to initialize nft: Protocol not supported
I don't know what to do. Could I go back to an older version of iptables or something?
Bear in mind I'm a real beginner in the IT world.

Kenan
  • 271

5 Answers

28

The solution is here: You need to reboot after a kernel upgrade. The easiest way is of course:

# as root
reboot
11

Raspbian certainly followed its Debian upstream there: by default the newer iptables userland tools are using the nftables kernel API instead of the "legacy" iptables kernel API, as told here:

Current status

NOTE: Debian Buster uses the nftables framework by default.

Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e., using iptables syntax with the nf_tables kernel subsystem). This also affects ip6tables, arptables and ebtables.

nftables is aiming at completely replacing iptables with extended features, but has a quite different implementation. A compatibility layer will be kept anyway, mostly in the userland tools, but partially in the kernel. This is in addition to the usual iptables "legacy" layer which will still be in the kernel for a long time.

The newer version of iptables is using this compatibility layer. This can be easily verified by running (as root) iptables -V. Result will most certainly be:

# iptables -V
iptables v1.8.2 (nf_tables)

While the legacy version is still shipped:

# iptables-legacy -V
iptables v1.8.2 (legacy)

At the same time I guess your kernel doesn't support nftables for whatever reason.

So you can:

  • get support for nftables in the kernel (and probably also at least NFT_COMPAT). Might require recompiling it or upgrading it in case you kept an older one. If this task requires too much effort, you can use the other alternative,

  • or use the legacy version of iptables which will use the usual iptables kernel API. The previous link explains how to do it. As root user do (at least for iptables and ip6tables, and maybe for ebtables and arptables if installed):

    Switching to the legacy version:

    # update-alternatives --set iptables /usr/sbin/iptables-legacy
    # update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
    # update-alternatives --set arptables /usr/sbin/arptables-legacy
    # update-alternatives --set ebtables /usr/sbin/ebtables-legacy
    
A.B
  • 6,306
4

My errors looked like this:

docker: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

And if you look in sudo cat /var/log/docker.log you find

Running iptables --wait -t nat -L -n failed with message: `iptables/1.8.7 Failed to initialize nft: Protocol not supported`, error: exit status 1

docker install on WSL2

I got these same errors. The fix I found came from here:

https://dev.to/felipecrs/simply-run-docker-on-wsl2-3o8

sudo update-alternatives --set iptables /usr/sbin/iptables-legacy

Hope that helps.

phyatt
  • 279
1

In my case, the error occurred because I was running WSL version 1 instead of 2.

To update wsl to version 2, run wsl --set-version <distro name> 2 replacing with the name of the Linux distribution that you want to update.

For example, wsl --set-version Ubuntu-18.04 2 will set your Ubuntu 18.04 distribution to use WSL 2

0

I was trying to install Docker using their convenience script and when the Docker engine tried to configure iptables it hit me with the same error. This only occurred on my old Raspberry Pi B+ Rev 1.2, not on the Raspi 3 B Rev 1.2. The former runs 5.4.51-v7+ whilst the latter runs 5.4.51+ and both should be fully up to date, kernel-wise.

To fix that install issue, I ran the update-alternatives commands from @A.B response and this fixed sudo iptables -V from displaying iptables/1.8.2 Failed to initialize nft: Protocol not supported to iptables v1.8.2 (legacy).

However, when trying to run Docker's iptables command after that:

$ sudo iptables --wait -t nat -L -n
iptables v1.8.2 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Now, the way to fix that was to enable that iptable "legacy" layer @A.B was talking about like so (answer from @conrad):

sudo su -
modprobe ip_tables
echo 'ip_tables' >> /etc/modules
exit

After rebooting to reload the kernel modules, I checked if the docker systemd service started using sudo systemctl status docker and it was running properly.
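The following diagnostic helper is an added example, not code from any of the answers above. It turns the checks described in A.B's answer and in the last answer (which backend `iptables -V` reports, whether the kernel config enables nf_tables and NFT_COMPAT, and whether the legacy ip_tables module has registered the nat table) into a script that says which of the fixes on this page applies. The kernel config path (/boot/config-$(uname -r), or /proc/config.gz decompressed) and /proc/net/ip_tables_names are assumptions about the host; the sample strings are the ones quoted in the answers.

```shell
#!/bin/sh
# Diagnose the "Failed to initialize nft: Protocol not supported" situation and
# map it to one of the remediations discussed in the answers.

# Map the version/error string printed by `iptables -V` (stdout+stderr) to a backend state.
classify_iptables_backend() {
    case "$1" in
        *"Failed to initialize nft"*) echo nft-unsupported ;;
        *"(nf_tables)"*)             echo nf_tables ;;
        *"(legacy)"*)                echo legacy ;;
        *)                           echo unknown ;;
    esac
}

# Return 0 if kernel config file $1 (assumed: /boot/config-$(uname -r), or a
# decompressed /proc/config.gz) enables nf_tables plus the xtables compat layer
# that iptables-nft needs (CONFIG_NFT_COMPAT, the NFT_COMPAT A.B mentions).
kernel_has_nft_compat() {
    grep -Eq '^CONFIG_NF_TABLES=(y|m)$' "$1" && grep -Eq '^CONFIG_NFT_COMPAT=(y|m)$' "$1"
}

# Return 0 if legacy table $2 is listed in $1 (normally /proc/net/ip_tables_names).
# That file only exists once ip_tables is loaded; a missing "nat" entry is what
# produced "Table does not exist (do you need to insmod?)" in the last answer.
legacy_table_loaded() {
    [ -r "$1" ] && grep -qx "$2" "$1"
}

# $1 = backend state, $2 = kernel config path, $3 = ip_tables_names path.
# Heuristic: if the installed kernel's config already enables nf_tables but the
# tool still fails, the running kernel is probably older (reboot, as in the first
# answer); otherwise switch the alternatives to iptables-legacy and, if the nat
# table is not registered, also modprobe ip_tables (last answer).
recommend() {
    case "$1" in
        legacy|nf_tables) echo ok ;;
        nft-unsupported)
            if kernel_has_nft_compat "$2"; then
                echo reboot-after-kernel-upgrade
            elif legacy_table_loaded "$3" nat; then
                echo update-alternatives-legacy
            else
                echo update-alternatives-legacy-and-modprobe
            fi ;;
        *) echo investigate ;;
    esac
}

# Live run on this host (needs iptables installed; run as root for the real tables):
# recommend "$(iptables -V 2>&1)" "/boot/config-$(uname -r)" /proc/net/ip_tables_names
```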