
I am currently working on an automated shell setup script for my Raspberry Pi 4. This includes installing and setting up ufw as my firewall.

However, I'm currently stuck with configuring ufw. My script code looks like this:

sudo apt-get install -y ufw

sudo ufw default deny incoming
sudo ufw default allow outgoing

sudo ufw allow ssh
sudo ufw route allow in on wlan0 out on wlan1

sudo ufw enable

The following error message occurs when running the code:

$ Error: Couldn't determine iptables version

A little research on that error message suggested that I reboot the Pi first after installing ufw and then configure the rules and enable them.

That's indeed an easy approach, but I don't want to create an additional script just for setting up the firewall.

I assume that ufw just needs a little hint to get the iptables version. Does anybody know how to resolve this error without rebooting?

PS: I already tried sudo update-alternatives --set iptables /usr/sbin/iptables-legacy before adding any rule configuration. This, however, got me the following errors:

Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)
WARN: initcaps
[Errno 2] iptables v1.8.2 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Rules updated
Rules updated (v6)
WARN: initcaps
[Errno 2] iptables v1.8.2 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Rules updated
Rules updated (v6)
WARN: initcaps
[Errno 2] iptables v1.8.2 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Rules updated
ERROR: problem running ufw-init
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.19.97-v7l+/modules.dep.bin'
modprobe: FATAL: Module nf_conntrack_ftp not found in directory /lib/modules/4.19.97-v7l+
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.19.97-v7l+/modules.dep.bin'
modprobe: FATAL: Module nf_nat_ftp not found in directory /lib/modules/4.19.97-v7l+
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.19.97-v7l+/modules.dep.bin'
modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/4.19.97-v7l+
iptables-restore v1.8.2 (legacy): iptables-restore: unable to initialize table 'filter'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.2 (legacy): iptables-restore: unable to initialize table 'filter'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.2 (legacy): iptables-restore: unable to initialize table 'filter'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.2 (legacy): iptables-restore: unable to initialize table 'filter'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.2 (legacy): iptables-restore: unable to initialize table 'filter'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.2 (legacy): iptables-restore: unable to initialize table 'filter'

Error occurred at line: 12
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.2 (legacy): iptables-restore: unable to initialize table 'filter'

Error occurred at line: 12
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.2 (legacy): iptables-restore: unable to initialize table 'filter'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.2 (legacy): iptables-restore: unable to initialize table 'filter'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.2 (legacy): iptables-restore: unable to initialize table 'filter'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Problem loading ipv6 (skipping)
Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/after.rules'
Problem running '/etc/ufw/user.rules'

Many thanks in advance!


Edit: I managed to get the latest Raspi OS (and not Raspbian anymore) image via the new URL https://downloads.raspberrypi.org/raspios_lite_arm64_latest.

Raspberry Pi then comes with kernel version 5.4.51-v8+ (instead of 4.19.97-v7l+).

I still have the problem that it will upgrade to kernel version 5.10.5-v8+ and probably delete 'the old' modules/5.4.51-v8 directory.

Output from lsmod (after the pi upgraded to kernel 5.10.5-v8+ and rebooted):

Module                  Size  Used by
aes_neon_blk           36864  1
crypto_simd            24576  1 aes_neon_blk
cryptd                 28672  1 crypto_simd
bnep                   28672  2
hci_uart               49152  1
btbcm                  24576  1 hci_uart
bluetooth             438272  24 hci_uart,btbcm,bnep
ecdh_generic           16384  2 bluetooth
ecc                    36864  1 ecdh_generic
xt_MASQUERADE          16384  1
iptable_nat            16384  1
nf_nat                 49152  2 iptable_nat,xt_MASQUERADE
nf_conntrack          139264  2 nf_nat,xt_MASQUERADE
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
rtl8192cu              86016  0
rtl_usb                24576  1 rtl8192cu
rtl8192c_common        61440  1 rtl8192cu
rtlwifi               118784  3 rtl8192c_common,rtl_usb,rtl8192cu
mac80211              901120  3 rtl_usb,rtl8192cu,rtlwifi
brcmfmac              323584  0
brcmutil               24576  1 brcmfmac
libarc4                16384  1 mac80211
sha256_generic         16384  0
vc4                   270336  0
cec                    53248  1 vc4
cfg80211              860160  3 rtlwifi,brcmfmac,mac80211
drm_kms_helper        245760  2 vc4
v3d                    81920  0
bcm2835_v4l2           45056  0
rfkill                 36864  7 bluetooth,cfg80211
bcm2835_isp            32768  0
bcm2835_codec          49152  0
bcm2835_mmal_vchiq     32768  3 bcm2835_codec,bcm2835_v4l2,bcm2835_isp
gpu_sched              40960  1 v3d
v4l2_mem2mem           45056  1 bcm2835_codec
videobuf2_dma_contig    24576  2 bcm2835_codec,bcm2835_isp
videobuf2_vmalloc      20480  1 bcm2835_v4l2
videobuf2_memops       20480  2 videobuf2_vmalloc,videobuf2_dma_contig
drm                   557056  5 gpu_sched,drm_kms_helper,v3d,vc4
videobuf2_v4l2         32768  4 bcm2835_codec,bcm2835_v4l2,v4l2_mem2mem,bcm2835_isp
videobuf2_common       61440  5 bcm2835_codec,videobuf2_v4l2,bcm2835_v4l2,v4l2_mem2mem,bcm2835_isp
drm_panel_orientation_quirks    20480  1 drm
snd_soc_core          241664  1 vc4
snd_compress           20480  1 snd_soc_core
snd_pcm_dmaengine      20480  1 snd_soc_core
snd_bcm2835            24576  1
vc_sm_cma              40960  2 bcm2835_mmal_vchiq,bcm2835_isp
snd_pcm               126976  5 vc4,snd_bcm2835,snd_compress,snd_soc_core,snd_pcm_dmaengine
videodev              299008  6 bcm2835_codec,videobuf2_v4l2,bcm2835_v4l2,videobuf2_common,v4l2_mem2mem,bcm2835_isp
raspberrypi_hwmon      16384  0
snd_timer              36864  1 snd_pcm
mc                     57344  6 videodev,bcm2835_codec,videobuf2_v4l2,videobuf2_common,v4l2_mem2mem,bcm2835_isp
snd                   102400  7 snd_bcm2835,snd_timer,snd_compress,snd_soc_core,snd_pcm
rpivid_mem             16384  0
syscopyarea            16384  1 drm_kms_helper
sysfillrect            16384  1 drm_kms_helper
sysimgblt              16384  1 drm_kms_helper
fb_sys_fops            16384  1 drm_kms_helper
backlight              20480  1 drm
uio_pdrv_genirq        16384  0
uio                    24576  1 uio_pdrv_genirq
i2c_dev                20480  0
ip_tables              32768  1 iptable_nat
x_tables               45056  2 ip_tables,xt_MASQUERADE
ipv6                  528384  34
Pievee
  • That /lib/modules/4.19.97-v7l+/modules.dep.bin can't be read implies 1) At that time, kernel 4.19.97-v7l+ was loaded, which implies the system is out of date, and/or has been up a long time, 2) That the file doesn't exist, which implies that the modules/4.19.97-v7l directory doesn't exist. Currently Raspbian only keeps one kernel -- when it is updated, the old modules directory is deleted... – goldilocks Jan 19 '21 at 15:55
  • ...Normally on Linux, kernels and modules aren't deleted right away, i.e., you would always have 2-3 previous kernels installed. Not doing that creates a bit of a gotcha -- you can end up with a kernel running whose modules directory is gone. Edit in the output from stat /lib/modules/4.19.97-v7l+ and lsmod. – goldilocks Jan 19 '21 at 15:56
  • If you're not running the 5.4.83 kernel then your system is too old to be serviceable. The time to upgrade is now! – Dougie Jan 19 '21 at 21:19
  • @goldilocks and @Dougie thank you for your answers! I checked the kernel version of my Raspi and it is 4.19.97-v7l+. That made me wonder, as I assumed I would always download the latest Raspbian OS lite image via link. However, they renamed(?) Raspbian to Raspi OS and changed the URL to link. Now the image is coming with kernel version 5.4.51-v8+. Still, after apt update && apt upgrade it will be upgraded to 5.10.5-v8+ – Pievee Jan 20 '21 at 09:54
  • Even if you installed an older image, as long as it is buster/v.10 system updates would have kept the kernel and everything else up to date (changing the name of the OS prior to an actual version change is superficial). However, switching to 64-bit is a change (and I can confirm legacy iptables works there). I'll presume this is no longer a problem. – goldilocks Jan 20 '21 at 15:11
  • I'm not sure, but I think this Debian bug is related. If so, it's supposed to be fixed in Debian's ufw package's 0.36-3 version. – Chris Pick Feb 27 '21 at 20:55
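
The condition described in the comments above (a running kernel whose module directory was removed by an upgrade) can be detected before ufw is touched, so a provisioning script stops instead of finishing with no active firewall. This is an added example, not code from the original post or from ufw; the function names and the `MODULES_ROOT` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): preflight for a provisioning script.
# MODULES_ROOT is a hypothetical override so the check can run against a constructed tree.
MODULES_ROOT="${MODULES_ROOT:-/lib/modules}"

# Succeeds only if the module tree for the given kernel release exists and
# modprobe's dependency index (modules.dep.bin) is readable.
kernel_modules_available() {
    release="$1"
    [ -d "$MODULES_ROOT/$release" ] && [ -r "$MODULES_ROOT/$release/modules.dep.bin" ]
}

# Prints "ready" or "reboot-required" for the given (default: running) kernel.
firewall_preflight() {
    release="${1:-$(uname -r)}"
    if kernel_modules_available "$release"; then
        echo "ready"
    else
        echo "reboot-required"
        return 1
    fi
}

# Applies the rules from the question, then verifies the firewall is really active.
configure_ufw() {
    firewall_preflight >/dev/null || {
        echo "modules for $(uname -r) missing under $MODULES_ROOT; reboot into the installed kernel first" >&2
        return 1
    }
    sudo ufw default deny incoming &&
    sudo ufw default allow outgoing &&
    sudo ufw allow ssh &&
    sudo ufw route allow in on wlan0 out on wlan1 &&
    sudo ufw --force enable &&
    sudo ufw status | grep -q '^Status: active'
}

# Run only when invoked with "apply", so sourcing the file has no side effects.
if [ "${1:-}" = "apply" ]; then
    configure_ufw
fi
```

The final `ufw status` check matters because, as the output in the question shows, ufw can print "Rules updated" while the underlying iptables calls fail.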

0 Answers