After upgrading a machine to iptables 1.2.8-r1 and performing a reboot, the iptables-restore was unable to restore the state that was saved (previous version was 1.2.7a-r4). Returning to 1.2.7a-r4 eliminated the problem.

The "saved state" portion with a problem was:

# Generated by iptables-save v1.2.7a on Sat Nov 1 04:05:53 2003
*nat
:PREROUTING ACCEPT [2292304:210639926]
:POSTROUTING ACCEPT [51862:3766918]
:OUTPUT ACCEPT [2692927:212833634]
[3797506:276236625] -A POSTROUTING -o eth0 -j MASQUERADE
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Nov 1 04:05:53 2003
# Generated by iptables-save v1.2.7a on Sat Nov 1 04:05:53 2003
*mangle
:PREROUTING ACCEPT [49293029:23722269666]
:INPUT ACCEPT [22125342:7730603840]
:FORWARD ACCEPT [27158640:15990660240]
:OUTPUT ACCEPT [22424154:9166667578]
:POSTROUTING ACCEPT [49564031:25147864932]
COMMIT

The error it gave, upon attempting to do an iptables-restore, was:

invalid line #8
I can't see anything obviously wrong with your rules-save file... I would guess that iptables 1.2.7a creates rules that are somehow slightly incompatible with the 1.2.8 restore parser. The ChangeLogs show a lot of modification to these tools between revisions.

Try doing the following to upgrade:

1) Upgrade to iptables 1.2.8-r1 (or 1.2.9, which I am running with no problems)
2) Do '/etc/init.d/iptables save'

Now when you reload or restart, iptables-restore will have a version that was saved with the current version of iptables-save, so you shouldn't have any problems.

You might also want to use the iptables initscript in bug 27087, which fixes a few more issues and adds reload support.

Please let us know if this helps. :)

Good luck,
-- mcf
I've added a note at the end of the merge that the rules should be saved with the newly installed version before rebooting.
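
The replies advise re-saving the rules with the newly installed version before rebooting, so that a firewall that fails to restore is caught before the machine comes up without it. As an added example (not part of the original thread and not the Gentoo initscript), this shell check flags a rules-save file whose header names a different iptables-save version than the installed one, or whose table sections are not closed by COMMIT. The function names and the sample dump are constructed for illustration; the installed version is passed in by the caller.

```shell
#!/bin/sh
# check_rules_file FILE INSTALLED_VERSION
# Returns 0 when every "# Generated by iptables-save vX" header in FILE
# matches INSTALLED_VERSION and every *table section is closed by COMMIT.
# Returns 1 otherwise and prints one reason per finding.
check_rules_file() {
    awk -v want="$2" '
        /^# Generated by iptables-save v/ {
            ver = $5; sub(/^v/, "", ver)      # field 5 is "v1.2.7a"
            if (ver != want) {
                printf "line %d: saved by %s, installed is %s\n", NR, ver, want
                bad = 1
            }
            seen = 1; next
        }
        /^\*/ {                               # "*nat", "*mangle", ...
            if (tbl != "") { printf "line %d: table %s has no COMMIT\n", NR, tbl; bad = 1 }
            tbl = substr($0, 2); next
        }
        /^COMMIT$/ {
            if (tbl == "") { printf "line %d: COMMIT outside a table\n", NR; bad = 1 }
            tbl = ""; next
        }
        END {
            if (tbl != "") { print "end of file: table " tbl " has no COMMIT"; bad = 1 }
            if (!seen) { print "no iptables-save version header found"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample, shaped like the dump in the report (counters shortened).
sample_rules() {
    cat <<'EOF'
# Generated by iptables-save v1.2.7a on Sat Nov 1 04:05:53 2003
*nat
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Nov 1 04:05:53 2003
EOF
}
```

A non-zero return after an upgrade means the file should be regenerated with '/etc/init.d/iptables save' while the running rules are still loaded.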