Since kernel version 6.18.2 / systemd-259-1, I get the error
could not insert 'ip_tables': Operation not permitted
when starting rootless containers. Only by manually loading the module using
modprobe nf_nat
as root I can fix the problem. Is there a specific reason why this is happening? Could this possibly be related to https://github.com/archlinux/linux/comm … 81b76a7f66 ?
Detailed error message:
Error: netavark: code: 3, msg: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
iptables v1.8.11 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Last edited by tjay (2025-12-21 17:05:38)
Did you reboot your system after doing a kernel upgrade? What's the output of "uname -r" versus "pacman -Q linux"?
sure:
pacman -Q linux
linux 6.18.2.arch2-1
journalctl -b -0 -g 'Linux version'
Dez 21 10:59:22 archlinux kernel: Linux version 6.18.2-arch2-1 (linux@archlinux) (gcc (GCC) 15.2.1 20251112, GNU ld (GNU Binutils) 2.45.1) #1 SMP PREEMPT_DYNAMIC Thu, 18 Dec 2025 18:00:18 +0000
Sure it's the kernel and not the systemd update?
Do you have the problem w/ the LTS kernel?
Also https://archlinux.org/packages/extra/x86_64/netavark/ got updated 12 days ago, what pot. makes it another contender for the regression?
Okay, you were right. I downgraded to kernel 6.18.1 and 6.17.9, and the problem was still there. It only worked after downgrading from systemd-259-1 to systemd-258-4.
Can this topic be moved? thx
wg-quick from wireguard-tools also doesn't work anymore. You have to run "modprobe ip-tables", but this uses the legacy backend instead of nft.
@mgeins
Try 'modprobe nf_tables'
wg-quick[100]: modprobe: FATAL: Module ip_tables not found in directory /lib/modules/6.18.2-arch2-1
wg-quick[99]: iptables-restore v1.8.11 (legacy): iptables-restore: unable to initialize table 'raw'
wg-quick[99]: Error occurred at line: 1
wg-quick[99]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Last edited by mgeins (2025-12-21 15:07:58)
After a little investigation, I found a fix for the problem:
Apparently, the right to use ip_tables is gone with the systemd-259-1 update. According to https://fedoraproject.org/wiki/Changes/ … lesDefault you can set nftables as the default firewall driver for Netavark:
echo $'[network]\nfirewall_driver="nftables"' | sudo tee /etc/containers/containers.conf.d/50-netavark-nftables.conf
Then all rootless containers with netavark work smoothly again.
Last edited by tjay (2025-12-21 11:17:24)
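Added example, not code from any post in this thread: a small POSIX sh check that confirms the two things the fix above depends on, namely that a containers.conf drop-in actually selects firewall_driver="nftables" in its [network] section, and that the nf_tables kernel module is loaded. The drop-in path is the one used in the fix; reading /proc/modules, the "(unset)" marker for a missing key, and the sample file contents are my own assumptions and constructed inputs.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies the netavark nftables
# drop-in and the nf_tables module. Paths other than the drop-in from
# the thread, and all sample data, are constructed for demonstration.

# Print the firewall_driver value from the [network] section of a
# containers.conf-style TOML file. Keys in other sections are ignored,
# commented-out keys are ignored, and "(unset)" is printed when the
# file is missing or has no such key (the "(unset)" marker is an
# assumption of this example, not a netavark convention).
netavark_firewall_driver() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "(unset)"
        return 0
    fi
    driver=$(awk '
        # Track whether the current section header is [network].
        /^[ \t]*\[/ { in_net = ($0 ~ /^[ \t]*\[network\][ \t]*$/) }
        in_net && /^[ \t]*firewall_driver[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")      # drop "firewall_driver ="
            gsub(/["'\'' \t]/, "")        # strip quotes and whitespace
            print
            exit
        }' "$conf")
    if [ -n "$driver" ]; then
        echo "$driver"
    else
        echo "(unset)"
    fi
}

# Succeed if nf_tables appears as a loaded module in /proc/modules
# (or in the substitute file passed as $1, used by the test below).
# A kernel with nf_tables built in will not list it here; for that
# case /sys/module/nf_tables exists even without a loadable module.
nf_tables_loaded() {
    modules="${1:-/proc/modules}"
    grep -q '^nf_tables ' "$modules" 2>/dev/null
}

# Stand-alone use: report the state of this host using the drop-in
# path from the thread.
printf 'netavark firewall_driver: %s\n' \
    "$(netavark_firewall_driver /etc/containers/containers.conf.d/50-netavark-nftables.conf)"
if nf_tables_loaded; then
    echo 'nf_tables: loaded'
else
    echo 'nf_tables: not loaded as a module (may be built in; check /sys/module/nf_tables)'
fi
```

If the first line reports "(unset)" after you wrote the drop-in, check that the file is readable and that the key sits under [network] rather than under another section; if the second line says the module is not loaded and /sys/module/nf_tables does not exist either, "modprobe nf_tables" as root is the missing step.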
@mgeins
Try 'modprobe nf_tables'
From file /usr/share/doc/systemd/NEWS which is in systemd package:
CHANGES WITH 259:
(...)
* systemd-networkd and systemd-nspawn no longer support creating NAT
rules via iptables/libiptc APIs; only nftables is now supported.
(...)
CHANGES WITH 258:
(...)
* The legacy iptables support through libiptc will be removed in v259.
Only nftables backend will be supported by systemd-networkd and
systemd-nspawn since v259.
@mgeins
Try 'modprobe nf_tables'
From file /usr/share/doc/systemd/NEWS which is in systemd package:
CHANGES WITH 259:
(...)
* systemd-networkd and systemd-nspawn no longer support creating NAT
rules via iptables/libiptc APIs; only nftables is now supported.
(...)
CHANGES WITH 258:
(...)
* The legacy iptables support through libiptc will be removed in v259.
Only nftables backend will be supported by systemd-networkd and
systemd-nspawn since v259.
Thank you! That's the best solution, then wg-quick works with nft.
Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
This has now also been fixed within the package https://gitlab.archlinux.org/archlinux/ … 69023e6dd9 (thanks @dvzrv!)
I updated my system yesterday but I still have this problem, and I can't apply the fix proposed by @tjay because I'm not using Netavark (I'm just using docker rootless directly).
Last edited by ThePirate42 (2026-02-04 17:39:11)
Explicitly "modprobe nf_tables" doesn't work??
I also had the issue with docker rootless on latest version 6.18.9-arch1-2.
I could circumvent the issue with:
# modprobe nf_nat
# modprobe insmode
# modprobe ip_tables
# modprobe ip6_tables
I'm not certain the 4 of them are needed but they correspond to successive error messages I got when trying to start the docker service.
Last edited by bzhb (2026-02-12 08:57:35)