qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

can't initialize iptables table? #139

Closed dvinik closed 4 years ago

dvinik commented 4 years ago

ERROR failed executing "-P INPUT ACCEPT": iptables v1.8.3 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)

Perhaps iptables or your kernel needs to be upgraded.: exit status 3

github-actions[bot] commented 4 years ago

Thanks for creating your first issue :+1: Feel free to use Slack if you just need some quick help or want to chat

qdm12 commented 4 years ago

I would need more context, can you share your entire log? Are you forcing the container to run without root perhaps?

qdm12 commented 4 years ago

I'll close the issue for now, feel free to comment here with more information and I'll reopen the issue. Thanks!

winklevos commented 4 years ago

I'm seeing this error too, here is the complete log. Using docker compose, on a boot2docker image in virtbox. This seems to point at missing modules https://forums.gentoo.org/viewtopic-t-1095354-start-0.html


2020-05-03T09:04:11.255Z    INFO    Unbound version: 1.9.6
2020-05-03T09:04:11.256Z    INFO    IPtables version: v1.8.3
2020-05-03T09:04:11.276Z    INFO    TinyProxy version: 1.10.0
2020-05-03T09:04:11.279Z    INFO    ShadowSocks version: 3.3.4
2020-05-03T09:04:11.279Z    INFO    Settings summary below:
OpenVPN settings:
|--Network protocol: udp
|--Verbosity level: 1
|--Run as root: yes
|--Target IP address: <nil>
|--Custom cipher: 
|--Custom auth algorithm: 
PIA settings:
 |--User: [redacted]
 |--Password: [redacted]
 |--Region: xx
 |--Encryption: strong
 |--Port forwarding: off
System settings:
|--User ID: 1000
|--Group ID: 1000
|--Timezone: x/x
|--IP Status filepath: /ip
DNS over TLS settings:
 |--DNS over TLS provider:
  |--cloudflare
 |--Caching: enabled
 |--Block malicious: enabled
 |--Block surveillance: disabled
 |--Block ads: disabled
 |--Allowed hostnames:
  |--
 |--Private addresses:
  |--127.0.0.1/8
  |--10.0.0.0/8
  |--172.16.0.0/12
  |--192.168.0.0/16
  |--169.254.0.0/16
  |--::1/128
  |--fc00::/7
  |--fe80::/10
  |--::ffff:0:0/96
 |--Verbosity level: 1/5
 |--Verbosity details level: 0/4
 |--Validation log level: 0/2
 |--IPv6 resolution: disabled
Firewall settings:
 |--Allowed subnets: 10.0.0.0/24
TinyProxy settings: disabled
ShadowSocks settings: disabled
2020-05-03T09:04:11.280Z    INFO    openvpn configurator: checking for device /dev/net/tun
2020-05-03T09:04:11.280Z    WARN    TUN device is not available: open /dev/net/tun: no such file or directory
2020-05-03T09:04:11.280Z    INFO    openvpn configurator: creating /dev/net/tun
2020-05-03T09:04:11.281Z    INFO    openvpn configurator: writing auth file /etc/openvpn/auth.conf
2020-05-03T09:04:11.281Z    INFO    routing: detecting default network route
2020-05-03T09:04:11.281Z    INFO    routing: default route found: interface eth2, gateway 172.18.0.1, subnet 10.20.0.0/24
2020-05-03T09:04:11.281Z    INFO    firewall configurator: accepting all traffic
2020-05-03T09:04:11.283Z    ERROR   failed executing "-P INPUT ACCEPT": iptables v1.8.3 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.: exit status 3

qdm12 commented 4 years ago

Did you figure out which modules were missing? I'll add that to the readme, thanks for reporting it.

JaneX8 commented 4 years ago

I unfortunately have the exact same issue when running using the instructions from README.md.

Running version latest built on 2020-05-02T17:09:01Z (commit 754bab9)
...
2020-05-03T13:01:07.857Z    INFO    Unbound version: 1.9.6
2020-05-03T13:01:07.862Z    INFO    IPtables version: v1.8.3
2020-05-03T13:01:07.947Z    INFO    TinyProxy version: 1.10.0
2020-05-03T13:01:07.954Z    INFO    ShadowSocks version: 3.3.4
2020-05-03T13:01:07.959Z    INFO    OpenVPN version: 2.4.8
...
2020-05-03T13:01:07.963Z    INFO    openvpn configurator: checking for device /dev/net/tun
2020-05-03T13:01:07.964Z    WARN    TUN device is not available: open /dev/net/tun: no such file or directory
2020-05-03T13:01:07.964Z    INFO    openvpn configurator: creating /dev/net/tun
2020-05-03T13:01:07.965Z    INFO    openvpn configurator: /etc/openvpn/auth.conf already exists
2020-05-03T13:01:07.965Z    INFO    routing: detecting default network route
2020-05-03T13:01:07.966Z    INFO    routing: default route found: interface eth0, gateway 172.28.0.1, subnet 172.28.0.0/16
2020-05-03T13:01:07.967Z    INFO    firewall configurator: accepting all traffic
2020-05-03T13:01:07.973Z    ERROR   failed executing "-P INPUT ACCEPT": iptables v1.8.3 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.: exit status 3
qdm12 commented 4 years ago

Are you guys sure you run the container with NET_ADMIN capabilities? Because it seems very similar to this issue.

dvinik commented 4 years ago

Hi,

Yes I ran it with net_admin.

Best regards,

David

JaneX8 commented 4 years ago

Ah, I did not and running it with NET_ADMIN seemed to fix my issue indeed. Thanks @qdm12.

qdm12 commented 4 years ago

Cool, how about you @winklevos? Just trying to narrow down the issue.

@dvinik what's your host OS, and kernel (use uname -a)? And your host iptables version (from the top of my head)?

dvinik commented 4 years ago

Linux XNAS 4.14.24-qnap #1 SMP Fri Apr 10 05:12:19 CST 2020 x86_64 GNU/Linux

iptables v1.4.21

qdm12 commented 4 years ago

On your host, can you try lsmod | grep ip and post back the results? I just tried on a Synology NAS I had and it works, I can compare the kernel ip related modules you have with the ones on my NAS.

winklevos commented 4 years ago

I am running with NET_ADMIN.

host: Linux default 4.14.154-boot2docker #1 SMP Thu Nov 14 19:19:08 UTC 2019 x86_64 GNU/Linux

iptables: iptables v1.8.2 (legacy)

lsmod:

ip_vs_rr               16384 19
iptable_mangle         16384  3
xt_ipvs                16384  3
ip_vs                 118784 22 ip_vs_rr,xt_ipvs
ip6_udp_tunnel         16384  1 vxlan
ipt_MASQUERADE         16384  5
nf_nat_masquerade_ipv4    16384  1 ipt_MASQUERADE
iptable_filter         16384 10
iptable_nat            16384 14
nf_conntrack_ipv4      16384 120
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_nat_ipv4            16384  1 iptable_nat
nf_nat                 24576  4 nf_nat_redirect,xt_nat,nf_nat_masquerade_ipv4,nf_nat_ipv4
nf_conntrack           81920 11 xt_state,ip_vs,xt_REDIRECT,xt_nat,xt_conntrack,ipt_MASQUERADE,nf_nat_masquerade_ipv4,nf_conntrack_netlink,nf_conntrack_ipv4,nf_nat_ipv4,nf_nat
JaneX8 commented 4 years ago

@winklevos can you also share the exact docker command or docker-compose you're using, without credentials?

winklevos commented 4 years ago

@ElleshaHackett Here is the compose

version: "3.7"
services:
  pia:
    image: qmcgaw/private-internet-access
    container_name: pia
    cap_add:
      - NET_ADMIN
    network_mode: bridge
    init: true
    ports:
      - 8000:8000/tcp
    environment:
      - VPNSP=private internet access
      - USER=<REDACTED>
      - PROTOCOL=udp
      - PASSWORD=<REDACTED>
      - REGION=AU Sydney
      - PIA_ENCRYPTION=strong
      - OPENVPN_VERBOSITY=1
      - OPENVPN_ROOT=yes
      - TZ=Australia/Sydney
      - PORT_FORWARDING=off
      - DOT=off
      - DOT_PROVIDERS=cloudflare
      - DOT_IPV6=off
      - DOT_VERBOSITY=1
      - BLOCK_MALICIOUS=on
      - BLOCK_SURVEILLANCE=off
      - BLOCK_ADS=off
      - EXTRA_SUBNETS=10.0.0.0/24
    restart: always
qdm12 commented 4 years ago

@winklevos your docker-compose.yml seems fine. Maybe you could try it with privileged: true just in case it solves it.

Regarding your kernel modules, on my side I have:

xt_ipvs                 2202  0
ip_vs_rr                1447  0
ip_vs                 127371  3 ip_vs_rr,xt_ipvs
iptable_mangle          1656  0
nf_conntrack_ipv6       6563  0
nf_defrag_ipv6         23062  1 nf_conntrack_ipv6
ip6table_filter         1532  0
ip6_tables             14730  1 ip6table_filter
ipt_MASQUERADE          1213  6
nf_nat_masquerade_ipv4     1929  1 ipt_MASQUERADE
iptable_nat             1959  7
nf_nat_ipv4             4903  1 iptable_nat
nf_nat                 10925  4 nf_nat_redirect,nf_nat_ipv4,xt_nat,nf_nat_masquerade_ipv4
xt_iprange              1648  0
xt_multiport            1830  0
nf_conntrack_ipv4      11616  3
nf_defrag_ipv4          1475  1 nf_conntrack_ipv4
nf_conntrack           62480  8 ip_vs,nf_nat,xt_state,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4,nf_conntrack_ipv6
iptable_filter          1592  1
ip_tables              14092  3 iptable_filter,iptable_mangle,iptable_nat
x_tables               16302  19 ip6table_filter,xt_ipvs,xt_iprange,xt_mark,xt_recent,ip_tables,xt_tcpudp,ipt_MASQUERADE,xt_limit,xt_state,xt_conntrack,xt_LOG,xt_nat,xt_multiport,iptable_filter,xt_REDIRECT,iptable_mangle,ip6_tables,xt_addrtype
ip6_udp_tunnel          1903  1 vxlan
ip_tunnel              13200  1 sit
ipv6                  336006  197 sit,ip_vs,nf_defrag_ipv6,nf_conntrack_ipv6
ip6_udp_tunnel         16384  1 wireguard
iptable_filter         16384  5
iptable_nat            16384  23
nf_nat                 49152  4 xt_nat,xt_NETMAP,iptable_nat,xt_MASQUERADE
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
ip_tables              36864  2 iptable_filter,iptable_nat
x_tables               49152  8 xt_conntrack,iptable_filter,xt_tcpudp,xt_addrtype,xt_nat,xt_NETMAP,ip_tables,xt_MASQUERADE
ip6_udp_tunnel         16384  1 wireguard
ipt_MASQUERADE         16384  3
iptable_nat            16384  1
nf_nat_ipv4            16384  2 ipt_MASQUERADE,iptable_nat
iptable_filter         16384  1
ip_tables              24576  2 iptable_filter,iptable_nat
x_tables               40960  5 xt_conntrack,iptable_filter,ipt_MASQUERADE,xt_addrtype,ip_tables
nf_nat                 36864  1 nf_nat_ipv4
nf_conntrack          126976  5 xt_conntrack,nf_nat,ipt_MASQUERADE,nf_nat_ipv4,nf_conntrack_netlink
nf_defrag_ipv6         16384  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
ipv6                  425984  48 bridge,wireguard

Let me re-read, I'll edit the comment with a conclusion 😉

So your iptables host version should be fine, as my old 1.6.x works.

qdm12 commented 4 years ago

Actually before digging into these ugly kernel modules, can you guys @winklevos and @dvinik play around with

docker run -it --rm --cap-add=NET_ADMIN alpine:3.11
/ # apk --update add iptables
/ # iptables -P INPUT ACCEPT

To see if it works? That's the command failing in the pia container, maybe it's another reason than your host OS kernel.

If it still doesn't work, I can change the iptables commands to run old-fashioned rules. This -P uses the slightly newer chain table policy, basically instructing the input table to have an accept policy by default. You can imitate that with a bunch of simpler iptables rules which might work on your system (and possibly for other people having the problem too).

winklevos commented 4 years ago

privileged=true didn't do anything

was this meant to output? didn't throw any error

docker run -it --rm --cap-add=NET_ADMIN alpine:3.11
/ # apk --update add iptables
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/3) Installing libmnl (1.0.4-r0)
(2/3) Installing libnftnl-libs (1.1.5-r0)
(3/3) Installing iptables (1.8.3-r2)
Executing busybox-1.31.1-r9.trigger
OK: 8 MiB in 17 packages
/ # iptables -P INPUT ACCEPT
/ #

(edit: removed unneeded 2nd part)

qdm12 commented 4 years ago

That's odd, it's working/not complaining.

Just to be sure, try:

docker run -it --rm --cap-add=NET_ADMIN alpine:3.11
apk --update add iptables
iptables -P INPUT ACCEPT
echo "exit code: $?"
exit

If it works, it should output exit code: 0.

If it works, try (just to be paranoid sure):

docker run -it --rm --cap-add=NET_ADMIN --entrypoint=/bin/sh qmcgaw/private-internet-access
iptables -P INPUT ACCEPT
echo "exit code: $?"
exit

And let me know if it outputs exit code: 0 as well
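As an added example, not code from the thread or from the gluetun project: a small POSIX sh diagnostic that does the check behind this back-and-forth in one go. Run inside the container (for instance after `docker run -it --rm --cap-add=NET_ADMIN alpine:3.11`), it reads `CapEff` from `/proc/self/status`, tests bit 12 (CAP_NET_ADMIN's number in linux/capability.h), and then runs the same `iptables -P INPUT ACCEPT` that gluetun's firewall configurator runs first, reporting its exit code. The function names and the sample capability masks in the comments are mine; `00000000a80425fb` is the commonly seen default Docker capability mask, which has CAP_NET_RAW (bit 13) but not CAP_NET_ADMIN, and `00000000a80435fb` is that mask with NET_ADMIN added.

```shell
#!/bin/sh
# Added diagnostic for this thread (not gluetun's own code). Run it inside the
# container to see whether CAP_NET_ADMIN actually reached the process, then
# repeat the first iptables command gluetun's firewall configurator runs and
# report its exit code instead of only the error text.

CAP_NET_ADMIN_BIT=12   # capability number from linux/capability.h

# hex_nibble_value CHAR -> prints the decimal value of one hex digit
hex_nibble_value() {
    case $1 in
        [0-9]) printf '%s' "$1" ;;
        a|A) printf 10 ;; b|B) printf 11 ;; c|C) printf 12 ;;
        d|D) printf 13 ;; e|E) printf 14 ;; f|F) printf 15 ;;
        *) return 1 ;;
    esac
}

# cap_has_bit HEXMASK BIT -> returns 0 when BIT is set in the capability mask.
# The mask is written as in /proc/<pid>/status: most significant nibble first,
# so bit 12 lives in the 4th nibble counted from the right.
# Sample (constructed): cap_has_bit 00000000a80425fb 13 -> 0, ... 12 -> 1
cap_has_bit() {
    mask=$1 bit=$2
    idx=$(( ${#mask} - bit / 4 ))          # 1-based position of the nibble holding BIT
    [ "$idx" -ge 1 ] || return 1
    nibble=$(printf '%s' "$mask" | cut -c "$idx")
    val=$(hex_nibble_value "$nibble") || return 1
    [ $(( (val >> (bit % 4)) & 1 )) -eq 1 ]
}

# capeff_from_status STATUS_TEXT -> prints the CapEff mask from a /proc/<pid>/status dump
capeff_from_status() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2; exit }'
}

# check_net_admin STATUS_TEXT -> 0 if CAP_NET_ADMIN is effective,
# 1 if it is not, 2 if the text has no CapEff line at all
check_net_admin() {
    mask=$(capeff_from_status "$1")
    [ -n "$mask" ] || return 2
    cap_has_bit "$mask" "$CAP_NET_ADMIN_BIT"
}

# diagnose -> report the capability state of this shell, then the exit code of
# the exact command that fails in this issue (harmless if iptables is absent)
diagnose() {
    status=$(cat /proc/self/status 2>/dev/null) || { echo "cannot read /proc/self/status"; return 0; }
    if check_net_admin "$status"; then
        echo "CAP_NET_ADMIN: present in CapEff"
    else
        echo "CAP_NET_ADMIN: missing from CapEff (start with --cap-add=NET_ADMIN or cap_add: [NET_ADMIN])"
    fi
    if command -v iptables >/dev/null 2>&1; then
        rc=0
        iptables -P INPUT ACCEPT || rc=$?
        echo "iptables -P INPUT ACCEPT exit code: $rc"
    else
        echo "iptables not installed here (apk --update add iptables)"
    fi
}

diagnose
```

Reading `CapEff` rather than trusting the compose file is the point: whatever Portainer or the compose version did with `cap_add`, the mask in `/proc/self/status` is what the kernel will actually enforce when iptables opens the `filter` table, so a missing bit 12 here explains the "Permission denied (you must be root)" message without any kernel-module archaeology.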

winklevos commented 4 years ago

@qdm12

Both seemed to work

apk --update add iptables
iptables -P INPUT ACCEPT
echo "exit code: $?"
exit
/ # apk --update add iptables
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/3) Installing libmnl (1.0.4-r0)
(2/3) Installing libnftnl-libs (1.1.5-r0)
(3/3) Installing iptables (1.8.3-r2)
Executing busybox-1.31.1-r9.trigger
OK: 8 MiB in 17 packages
/ # iptables -P INPUT ACCEPT
/ # echo "exit code: $?"
exit code: 0

Unable to find image 'qmcgaw/private-internet-access:latest' locally
latest: Pulling from qmcgaw/private-internet-access
cbdbe7a5bc2a: Already exists
14da45486dac: Pull complete
55581d923200: Pull complete
Digest: sha256:cf7f1736aa2496f53c96bb90ae29e81d13eeb7e2f024612629c686e73300b9b5
Status: Downloaded newer image for qmcgaw/private-internet-access:latest
iptables -P INPUT ACCEPT
echo "exit code: $?"
exit
/ # iptables -P INPUT ACCEPT
/ # echo "exit code: $?"
exit code: 0

I was using Portainer for compose creation, I bet that is the issue

qdm12 commented 4 years ago

Please tell me it's Portainer because I'm running low on ideas :laughing:

I think Portainer doesn't support docker-compose 3 which might be needed for NET_ADMIN, although I believe other people are running it with Portainer? Maybe @Frepke do/did you run it with Portainer?

frepke commented 4 years ago

> Please tell me it's Portainer because I'm running low on ideas 😆
>
> I think Portainer doesn't support docker-compose 3 which might be needed for NET_ADMIN, although I believe other people are running it with Portainer? Maybe @Frepke do/did you run it with Portainer?

No sorry, I'm running docker-compose.yml -d from the terminal.

But @winklevos wrote in an earlier post:

> I'm seeing this error too, here is the complete log. Using docker compose, on a boot2docker image in virtbox.

qdm12 commented 4 years ago

@winklevos can you try with the terminal just to make sure it works? Let me know if you need help.

I think @HerbM3 is running it with Portainer though.

frepke commented 4 years ago

> @winklevos can you try with the terminal just to make sure it works? Let me know if you need help.
>
> I think @HerbM3 is running it with Portainer though.

Quentin,

Did you see the edit in my previous post about @winklevos earlier post?

winklevos commented 4 years ago

If I docker-compose up the exact same compose it works outside of portainer, unable to get traffic flow but it's not failing to start

frepke commented 4 years ago

> If I docker-compose up the exact same compose it works outside of portainer, unable to get traffic flow but it's not failing to start

Hi winklevos,

How do you check the traffic flow?

winklevos commented 4 years ago

docker run --rm --network=container:pia tianon/speedtest --accept-license

should work

frepke commented 4 years ago

> docker run --rm --network=container:pia tianon/speedtest --accept-license
>
> should work

Yes, works for me.

winklevos commented 4 years ago

huh, server AU Sydney results in a TLS error for me.. I wonder if that caused it - EDIT nope

qdm12 commented 4 years ago

I'm glad it worked! You can use that wget ipinfo command in the readme to check it works as well.

So Portainer doesn't work it seems. It must be because of the NET_ADMIN option not being used correctly. Just out of curiosity what version of Portainer do you use? Maybe it would work with a docker run command in Portainer without docker-compose?

frepke commented 4 years ago

> huh, server AU Sydney results in a TLS error for me.. I wonder if that caused it - EDIT nope

I did a bit of testing with the compose-file posted 9 days ago. Didn't work for me either. But @winklevos could you try that file with REGION=netherlands and DOT=on because that worked for me with the above compose-file.

DOT=off is working as well.

qdm12 commented 4 years ago

You mean it doesn't work for certain regions? Maybe the IP addresses changed. Please let me know which and I'll re-check their IPs.

frepke commented 4 years ago

I checked my own compose file with REGION=AU Sydney, but it isn't working for me either.

winklevos commented 4 years ago

Au Melbourne works so I suspect the addresses have changed @qdm12

I'm moving from my current docker setup as containers crash all the time so I'll probably just manually do compose without Portainer anyway. I think the issue here was that Portainer cannot create / run the new container as root so it cannot get network permissions. There seems to be a lot of chat on Portainer's side as they need to redo a bunch of work to get to v3.

qdm12 commented 4 years ago

I'll check for AU sydney, please comment on #159 if you get the bug again for any region with some logs of the error if possible.

@dvinik is it still not working for you? Are you using Portainer as well?

I'll add information to the FAQ and close the issue then.

qdm12 commented 4 years ago

Added Portainer error to wiki thanks to all of you 👍 Also @winklevos I fixed #159 : re-resolved all ipv4 addresses for pia and windscribe so it should work 'better', for now at least!