[root@qa0319 /root]# iptables -L
/lib/modules/2.4.2-0.1.28/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.2-0.1.28/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.2-0.1.28/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.2-0.1.28/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Removing the ipchains module (rmmod ipchains) fixes this.
So if you want to use the new firewall rules, just remove the old compatibility? Doesn't sound like a bug to me.
Besides that being very non-obvious, both supporting initscripts are enabled by default:

[root@qa0319 /root]# chkconfig --list|grep ^ip
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ipchains 0:off 1:off 2:on 3:on 4:on 5:on 6:off
This sounds like a userland configuration policy; assigning to ipchains.
I agree, however since the config tools favor ipchains, I think iptables should be changed. Doesn't make sense to start both at init time. Actually it makes more sense to have one script called "ipfilter" or "firewall" and have it deal with the logic of whether to start ipchains or iptables, but that is not likely to happen anytime soon. Reassigning to iptables.
This is kinda moot point at this point IMO as the default iptables ruleset is empty. People do start to wonder if they have both. I suggest adding a failure notice in iptables (and perhaps also in ipchains) which checks whether either 1) ipchains module is loaded 2) /etc/sysconfig/ipchains or equiv is non-empty .. or some other bright ideas. The _default_ behaviour, until users start mixing the two is ok.
Warning added in 1.2.2-3
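
The two checks proposed in the thread (ipchains module loaded, /etc/sysconfig/ipchains non-empty), written out as an added example; this is not the warning that shipped in 1.2.2-3 and not code from the iptables package. The function names are hypothetical, and the file paths are parameters so the check can be run against constructed files; it assumes /proc/modules lists one module per line with the module name in the first field.

```shell
#!/bin/sh
# Added example: pre-flight check an iptables initscript could run before
# loading ip_tables. Function names are hypothetical.

# ipchains_module_loaded [modules_file]
# Succeeds if a module named exactly "ipchains" is listed.
# Assumption: first whitespace-separated field of each line is the module name.
ipchains_module_loaded() {
    modules_file=${1:-/proc/modules}
    [ -r "$modules_file" ] || return 1
    awk '$1 == "ipchains" { found = 1 } END { exit !found }' "$modules_file"
}

# ipchains_rules_configured [config_file]
# Succeeds if the saved ruleset has at least one line that is neither blank
# nor a comment, i.e. the admin actually has ipchains rules in place.
ipchains_rules_configured() {
    config_file=${1:-/etc/sysconfig/ipchains}
    [ -r "$config_file" ] || return 1
    grep -Eqv '^[[:space:]]*(#|$)' "$config_file"
}

# ipchains_conflict [modules_file] [config_file]
# Returns 0 and explains why on stderr if either condition holds,
# returns 1 if iptables can start without colliding with ipchains.
ipchains_conflict() {
    conflict=1
    if ipchains_module_loaded "${1:-/proc/modules}"; then
        echo "iptables: ipchains module is loaded; ip_tables cannot" \
             "initialize until it is removed (rmmod ipchains)" >&2
        conflict=0
    fi
    if ipchains_rules_configured "${2:-/etc/sysconfig/ipchains}"; then
        echo "iptables: ipchains rules are configured; enable only one" \
             "of the ipchains and iptables initscripts" >&2
        conflict=0
    fi
    return $conflict
}
```

An initscript would call `ipchains_conflict` with no arguments at the top of its start action and refuse to load ip_tables when it returns 0, so the admin sees the cause instead of the "Device or resource busy" insmod error.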