diff --git a/pkg/util/iptables/iptables.go b/pkg/util/iptables/iptables.go
index 24d2ef4ef3..40fde4a162 100644
--- a/pkg/util/iptables/iptables.go
+++ b/pkg/util/iptables/iptables.go
@@ -20,6 +20,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"io/ioutil"
 	"regexp"
 	"strings"
 	"sync"
@@ -332,7 +333,7 @@ func (runner *runner) SaveInto(table Table, buffer *bytes.Buffer) error {
 	// creates a new buffer, redirects stdout and stderr to it and also
 	// calls Run()].
 	cmd.SetStdout(buffer)
-	cmd.SetStderr(buffer)
+	cmd.SetStderr(ioutil.Discard)
 	return cmd.Run()
 }
 
diff --git a/pkg/util/iptables/iptables_test.go b/pkg/util/iptables/iptables_test.go
index e169468062..73240939ec 100644
--- a/pkg/util/iptables/iptables_test.go
+++ b/pkg/util/iptables/iptables_test.go
@@ -932,6 +932,8 @@ func testSaveInto(t *testing.T, protocol Protocol) {
 COMMIT
 # Completed on Thu Jan 19 11:38:09 2017`, iptablesSaveCmd+version)
 
+	stderrOutput := "#STDERR OUTPUT" // SaveInto() should should NOT capture stderr into the buffer
+
 	fcmd := fakeexec.FakeCmd{
 		CombinedOutputScript: []fakeexec.FakeCombinedOutputAction{
 			// iptables version check
@@ -940,7 +942,7 @@ COMMIT
 			func() ([]byte, error) { return []byte(iptablesRestoreCmd + version), nil },
 		},
 		RunScript: []fakeexec.FakeRunAction{
-			func() ([]byte, []byte, error) { return []byte(output), nil, nil },
+			func() ([]byte, []byte, error) { return []byte(output), []byte(stderrOutput), nil },
 			func() ([]byte, []byte, error) { return nil, nil, &fakeexec.FakeExitError{Status: 1} },
 		},
 	}
@@ -962,8 +964,8 @@ COMMIT
 		t.Fatalf("%s: Expected success, got %v", protoStr, err)
 	}
 
-	if string(buffer.Bytes()[:len(output)]) != output {
-		t.Errorf("%s: Expected output '%s', got '%v'", protoStr, output, buffer.Bytes())
+	if string(buffer.Bytes()) != output {
+		t.Errorf("%s: Expected output '%s', got '%v'", protoStr, output, string(buffer.Bytes()))
 	}
 
 	if fcmd.CombinedOutputCalls != 2 {