Docker iptables error

  • This is a bug report
  • This is a feature request
  • I searched existing issues before opening this one

Expected behavior

Create a docker network or use a docker-compose including a network creation.

Actual behavior

Error response from daemon: Failed to program FILTER chain: iptables failed: iptables --wait -I FORWARD -o br-ad0b6136ca3d -j DOCKER: iptables v1.8.2 (nf_tables):  RULE_INSERT failed (Invalid argument): rule in chain FORWARD
 (exit status 4)

Steps to reproduce the behavior

docker network create test

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.40
 Go version:        go1.12.12
 Git commit:        633a0ea838
 Built:             Wed Nov 13 07:25:38 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.5
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.12
  Git commit:       633a0ea838
  Built:            Wed Nov 13 07:24:09 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.10
  GitCommit:        b34a5c8af56e510852c35414db4c1f4fa6172339
 runc:
  Version:          1.0.0-rc8+dev
  GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 13
  Running: 6
  Paused: 0
  Stopped: 7
 Images: 41
 Server Version: 19.03.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.4.182-mainline-rev1
 Operating System: Debian GNU/Linux 10 (buster)
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.62GiB
 Name: DEDIHUGO
 ID: OCER:S7KK:KZVH:WFZT:MSUH:Q5YE:N6GH:UNTQ:CAZ3:73ID:VCC6:K2HO
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.)
Already done: reinstall docker

I’m trying to run a container but I get the following issue:

Error response from daemon: Cannot start container b005715c40ea7d5821b15c44f5b7f902d4b39da7c83468f3e5d7c042e5fe3fbd: iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.43 --dport 80 -j ACCEPT: iptables: No chain/target/match by that name.
 (exit status 1)

Here is the command I use:

docker run -d -p 10080:80 -v /srv/http/website/data:/srv/http/www/data -v /srv/http/website/logs:/srv/http/www/logs myimage

Isn’t opening port 80 on my server enough? Is there something I missed with the docker interface?
I use iptables with a script like this:

#!/bin/sh

# reset :
iptables -t filter -F
iptables -t filter -X

# Block all :
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# Authorize already established connections :
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Authorize backloop :
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# Authorize ssh :
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

# Authorize HTTP :
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT

# Authorize HTTPS :
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

# Authorize DNS :
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT

# Ping :
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# Authorize FTP :
iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT

# # Authorize NTP :
# iptables -t filter -A INPUT -p udp --dport 123 -j ACCEPT
# iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

# Authorize IRC :
iptables -t filter -A INPUT -p tcp --dport 6667 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 6667 -j ACCEPT

# Authorize port 10000 (for Node.JS server) :
iptables -t filter -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 10000 -j ACCEPT

# Authorize port 631 (Cups server) :
iptables -t filter -A INPUT -p tcp --dport 631 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 631 -j ACCEPT

# Authorize port 9418 (git) :
iptables -t filter -A INPUT -p tcp --dport 9418 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 9418 -j ACCEPT

How could I fix this?

asked Jul 28, 2015 at 4:03

vmonteco

I faced the same problem in a docker-compose setup.

1. Clear all chains:

sudo iptables -t filter -F
sudo iptables -t filter -X

2. Then restart Docker Service:

systemctl restart docker

answered Jun 26, 2018 at 15:08

Manuel Schmitzberger

Faced the same issue on RHEL 7. Restarting docker service worked for me without a need to flush any iptable rules.

$ sudo systemctl restart docker

answered Jun 12, 2019 at 10:22

Junaid

I believe the issue is within these lines:

iptables -t filter -F
iptables -t filter -X

which indeed clear all chains. One possible solution is to launch the docker daemon after the iptables setup script. Otherwise you will need to explicitly remove only the chains you’re interested in.

answered Jul 28, 2015 at 4:14

Yoanis Gil
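The answer above suggests removing only the chains you are interested in rather than flushing everything. The following script is an added example, not code from this answer or from Docker: it reads an iptables-save dump and keeps only the parts Docker owns (the DOCKER* chains, the rules inside them, the jumps into them, and rules that match the docker0 or br-* bridge interfaces), so that subset can be restored with iptables-restore after a "flush everything" firewall script has run. The embedded dump is constructed for the example, and the /run/docker-rules.v4 path in the comments is a placeholder; the only assumption on a real host is that iptables-save and iptables-restore are installed.

```shell
#!/bin/sh
# Added example: carve Docker's own chains and rules out of an iptables-save dump so they
# survive a firewall script that does "iptables -F; iptables -X". Not Docker's code.

# Reads an iptables-save dump on stdin; prints the Docker-owned subset on stdout.
keep_docker_rules() {
    awk '
        /^\*/ || /^COMMIT$/ { print; next }     # "*table" header and COMMIT pass through
        /^:/ {                                  # chain line: ":NAME POLICY [pkts:bytes]"
            name = substr($1, 2)
            builtin = (name ~ /^(INPUT|FORWARD|OUTPUT|PREROUTING|POSTROUTING)$/)
            # keep built-in chains (policy intact, counters zeroed) and every DOCKER* chain
            if (builtin || name ~ /^DOCKER/) print $1, $2, "[0:0]"
            next
        }
        /^-A / {                                # rule line: keep only what Docker owns
            in_docker_chain = ($2 ~ /^DOCKER/)
            jumps_to_docker = ($0 ~ / -j DOCKER/)
            touches_bridge  = ($0 ~ / -[io] (docker0|br-[0-9a-f]+)( |$)/)
            if (in_docker_chain || jumps_to_docker || touches_bridge) print
            next
        }
        # anything else (comments, blank lines) is dropped
    '
}

# Constructed sample of an iptables-save dump on a host where both an admin firewall
# script and Docker have installed rules (not captured from a real machine).
SAMPLE_DUMP=$(cat <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [144:8072]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
EOF
)

# Runs the filter over the constructed sample. On a live host the same function is used as:
#   iptables-save | keep_docker_rules > /run/docker-rules.v4   # placeholder path
#   sh /path/to/firewall.sh                                     # the script doing -F / -X
#   iptables-restore --noflush < /run/docker-rules.v4           # put Docker's part back
docker_rules_from_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | keep_docker_rules
}

docker_rules_from_sample
```

On the sample, the admin's own INPUT rules are dropped while all three DOCKER* chains, the FORWARD and nat jumps into them, and the MASQUERADE rule are kept. Note that `--noflush` appends to whatever the firewall script has already installed, so the FORWARD policy and the host's own rules stay exactly as that script set them; only Docker's plumbing is added back.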


I got the same problem after installing firewalld.

I fixed it by:

service firewalld stop
service docker restart

answered May 7, 2020 at 7:45

eagle

The error may happen because Docker is trying to modify the iptables "DOCKER" filter chain, but it is not there.

The option --iptables=false prevents Docker from changing the iptables configuration.

(Source: https://docs.docker.com/v17.09/engine/userguide/networking/default_network/container-communication/#communicating-to-the-outside-world)

If you opt for fixing the iptables DOCKER filter chain, here’s how.

You can actually edit the iptables and add it, so that it looks like in the example here Docker: How to re-create dockers additional iptables rules?

Like this

sudo vi /etc/sysconfig/iptables

Add the ":DOCKER" lines:

*nat
:PREROUTING ACCEPT [144:8072]
:INPUT ACCEPT [87:5208]
:OUTPUT ACCEPT [118:8055]
:POSTROUTING ACCEPT [118:8055]
:DOCKER - [0:0]
... your previous rules here ...
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5781:5099614]
:DOCKER - [0:0]
... your previous rules here ...
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT

Then restart, e.g.

service iptables restart

A good "further reading" link where this is well explained:

https://medium.com/@ebuschini/iptables-and-docker-95e2496f0b45

answered Sep 26, 2019 at 18:02

Jose Manuel Gomez Alvarez

In irc.freenode.net#docker you have stated that you are using Arch Linux ARM on a Raspberry Pi.

If you are not running this script as a part of a systemd service, I would strongly suggest moving to that, or making use of the existing iptables services and using their ability to save/restore the tables at the appropriate times. If you choose to move to your own services, make sure that the unit states that it is ordered Before=docker.service

answered Jul 28, 2015 at 12:06

WarheadsSE

Yes, I faced the same issue and, as mentioned above, the commands below worked for me:

sudo iptables -t filter -F
sudo iptables -t filter -X
systemctl restart docker

answered Aug 23, 2021 at 10:10

nirajatwork

I can confirm that this problem is caused by iptables or firewalld because before my containers stopped I edited my firewall’s rules.

iptables -t filter -X
iptables -t filter -F

answered Sep 10, 2021 at 3:00

hyf3513

I also faced the same issue. Before running docker start mongodb, I was testing the ssh service.

The commands below solved this issue for me:

iptables -t filter -F
iptables -t filter -X
systemctl restart docker

answered Apr 4, 2022 at 4:13

piam

"iptables: No chain/target/match by that name" is an error that can appear while running a Docker container.

Confused about how running a container caused an iptables error?

This is because Docker relies on iptables.

At Bobcares, we get requests to fix docker iptables errors, as a part of our Server Management Services.

Today, let’s have a look at how our Support Engineers fix this error.

Docker and iptables

Docker is a popular container platform that lets both developers and sysadmins develop, set up, and run applications. iptables is the built-in firewall on Linux systems.

So how does Docker relate to the Linux firewall, iptables?

On Linux, Docker creates and modifies iptables rules in order to provide network isolation. These rules are added to a chain named DOCKER.

When a container runs, these rules come into play. This works fine as long as Docker and the firewall stay in step. Let’s now see how this leads to an error.

Docker error iptables no chain/target/match by that name

Many of our customers approach us with Docker iptables errors. This particular error shows up when the user runs a container.

When a user runs a container, Docker checks the firewall state; if the firewall is down, the error appears. On a laravel-nginx server the Docker iptables error appears as:

[Screenshot: "iptables: No chain/target/match by that name" Docker error on a laravel-nginx server]

This is the complete error message. It says that the network driver failed to program connectivity for the endpoint. Let’s see how our Support Engineers fix this error.

Fix for Docker error iptables no chain/target/match

This error indicates that a firewall chain is missing while Docker is running.

Sometimes users delete the DOCKER chain from iptables; in other cases they restart the firewall service while Docker is running, which removes the iptables rules Docker created.

In both cases Docker’s rules are no longer in iptables, and the error results.

Our customers often approach us with this error. First, we check the firewall service status using

systemctl status iptables.service

If the service is down we restart the service.

Then, we check the iptables rules using the command

iptables -L

If the Docker firewall rules are missing, that explains the error.

To resolve the error our Support Engineers restart the docker service. For instance, to restart the docker we use the command,

service docker restart

On restart, Docker recreates its firewall rules automatically. We make sure the firewall is enabled before restarting Docker.
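The check above is done by eye with iptables -L. As an added example (not code from this article or from Docker), the script below automates it: it reads an iptables-save dump and reports which pieces of the wiring Docker installs for its default bridge are absent, namely the DOCKER chain in the filter and nat tables, the FORWARD jump into it, and the nat PREROUTING and OUTPUT jumps shown elsewhere on this page. The two embedded dumps are constructed for the example (a healthy host, and a host after the firewall was flushed); on a live host the only assumption is that iptables-save is installed.

```shell
#!/bin/sh
# Added example: verify that Docker's iptables wiring is still in place.
# On a live host:  iptables-save | check_docker_wiring

# Reads an iptables-save dump on stdin. Returns 0 when every expected piece
# is present and 1 otherwise, printing the missing pieces.
check_docker_wiring() {
    # Prefix each chain/rule line with its table ("*nat" / "*filter" headers scope
    # the lines that follow), so each expectation is a single grep over "table line".
    scoped=$(awk '
        /^\*/      { table = substr($1, 2); next }
        /^(:|-A )/ { print table " " $0 }
    ')
    missing=""
    for want in \
        'filter :DOCKER ' \
        'filter -A FORWARD .* -j DOCKER$' \
        'nat :DOCKER ' \
        'nat -A PREROUTING .* -j DOCKER$' \
        'nat -A OUTPUT .* -j DOCKER$'
    do
        printf '%s\n' "$scoped" | grep -q -- "^$want" \
            || missing=$(printf '%s\n  %s' "$missing" "$want")
    done
    if [ -n "$missing" ]; then
        printf 'Docker iptables wiring is incomplete; missing:%s\n' "$missing"
        return 1
    fi
    echo "Docker iptables wiring is present"
}

# Constructed samples (not captured from a host). HEALTHY_DUMP is the state Docker
# leaves behind; FLUSHED_DUMP is what remains after a firewall script ran
# "iptables -F; iptables -X" and re-added only its own rule.
HEALTHY_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j RETURN
COMMIT'

FLUSHED_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

check_sample_healthy() { printf '%s\n' "$HEALTHY_DUMP" | check_docker_wiring; }
check_sample_flushed() { printf '%s\n' "$FLUSHED_DUMP" | check_docker_wiring; }

check_sample_healthy
check_sample_flushed || true
```

The flushed sample fails on all five expectations, which is exactly the state that produces "No chain/target/match by that name" when Docker later tries to append a DNAT rule to the nat DOCKER chain. Running the check before and after a firewall reload is a cheap way to confirm whether it was the reload that removed Docker's chains.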

Similarly, running an iptables command without specifying the table can produce the same error message.

For example, consider the command,

iptables -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

Here the PREROUTING chain belongs to the nat table. Since no table was specified, iptables assumes the default filter table, which has no PREROUTING chain, and the command fails.

In this case, our Support Team asks the customer to run the command with the table name specified:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

This fixes the error.

Conclusion

In short, the "iptables: No chain/target/match by that name" Docker error occurs when Docker and the firewall are out of step. On Linux, Docker creates iptables rules; the error shows up when the firewall no longer holds them. Today, we saw how our Support Engineers fix this error.

Good afternoon!
I’ll say right away that I’m not a very good admin (and this is my second hour using Docker), and most likely I’m being really dense, but Docker complains about iptables and refuses to forward port 8080.

Система: CentOS 7
Kernel:

Linux ****** 3.10.0-327.4.5.el7.x86_64 #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

docker -v:

Docker version 1.9.1, build a34a1d5

docker info:

Containers: 12
Images: 14
Server Version: 1.9.1
Storage Driver: devicemapper
Pool Name: docker-253:1-131382-pool
Pool Blocksize: 65.54 kB
Base Device Size: 107.4 GB
Backing Filesystem:
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 2.454 GB
Data Space Total: 107.4 GB
Data Space Available: 17.51 GB
Metadata Space Used: 3.293 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.144 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.107-RHEL7 (2015-10-14)
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 3.10.0-327.4.5.el7.x86_64
Operating System: CentOS Linux 7 (Core)
CPUs: 1
Total Memory: 993.1 MiB
Name: *****
ID: *****
WARNING: IPv4 forwarding is disabled
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

iptables:

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I run all of this with:
docker run -d -p 8080:80 node_test_app node ./

Response:

WARNING: IPv4 forwarding is disabled. Networking will not work.
*****
Error response from daemon: Cannot start container *****: failed to create endpoint high_mcnulty on network bridge: COMMAND_FAILED: '/sbin/iptables -w2 -t nat -A DOCKER -p tcp -d 0/0 --dport 8080 -j DNAT --to-destination ****.***.****.****:80 ! -i docker0' failed: iptables: No chain/target/match by that name.

When I try to publish container’s ports to the host, docker fails to add iptables rules:

$ sudo docker run --rm -p 8080:80 nginx
docker: Error response from daemon: driver failed programming external 
connectivity on endpoint:

iptables failed:
  iptables --wait -t nat -A DOCKER -p tcp -d 0/0
           --dport 8080 -j DNAT --to-destination 172.17.0.2:80 ! -i docker0

 iptables: No chain/target/match by that name. (exit status 1)).

What confuses me is that the DOCKER chain seems to exist:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

… and also here:

$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        anywhere            
MASQUERADE  all  --  172.18.0.0/16        anywhere            

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Maybe relevant: ip a shows that docker0 is down:

$ ip a
...
74: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:01:52:de:7d brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

I tried to stop docker, remove the broken docker0 device, and restart docker again. Same error:

sudo systemctl stop docker.service
sudo ip link del docker0
sudo systemctl start docker.service

ip a still shows that docker0 is down. Running sudo docker run --rm -p 8080:80 nginx
also runs in the identical error message as above.


System information:

$ docker --version
Docker version 18.05.0-ce, build f150324782

$ uname -a
Linux amd8-arch 4.16.7-1-ARCH #1 SMP PREEMPT Wed May 2 21:12:36 UTC 2018 x86_64 GNU/Linux

I am using Arch Linux.

After recently running pacman -Syu, then installing some unrelated packages, on a computer running Arch Linux, exposing ports of a new container using --publish produces a strange error.

Here’s an example of the error produced:

docker: Error response from daemon: driver failed programming external connectivity on endpoint bsp-devkit (7a47f30eaa0e104d6b9a7b75003a768e734182e20e057e51d33cca23da7dbf02):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 10809 -j DNAT --to-destination 172.17.0.2:10809 ! -i docker0: iptables v1.8.2 (legacy): unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
 (exit status 2)).

Here’s a Docker run command that’s failing in this way:

docker run \
 --publish=2223:22 \
 --publish=8000:8000 \
 --publish=69:69/udp --publish=10809:10809 \
 --detach=true --privileged \
 --hostname=bsp-devkit --name=bsp-devkit \
 -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
 -v $MIRRORDIR:/home/devel/mirror \
 -it $IMAGE

This is very weird to me, because it seems like a regression caused by a newer version of iptables, but the iptables version has "legacy" written after it (so why would that version be updated with a breaking change?) and I also haven’t found anyone else online asking about this specific error, so I must have messed something up really badly.

The packages I installed included the hex editor Bless, but I don’t remember if I installed anything else.

Additional Notes
  • I have never configured a firewall on this system
  • This computer is on a VPN, but this hasn’t been an issue before

Updates:

  • Updating Docker does not fix the issue
  • Downgrading the iptables package to v1.8.0 from the pacman cache doesn’t fix it…
  • iptables daemon doesn’t seem to be running; logs say /etc/iptables/iptables.rules is missing
  • The problem persists after creating iptables.rules and starting the daemon

I am trying to configure iptables on my Ubuntu 12.04 LTS server to forward port 443 to 8443.

But when I run this command:

sudo iptables -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

I get the following error:

iptables: No chain/target/match by that name.

My iptables current configuration:

$ sudo iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
DROP       tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

What am I missing or doing wrong?

asked Jun 30, 2016 at 18:39

Roy Hinkley

Because the PREROUTING chain belongs to the nat table, not the filter table. If you do not name a table explicitly with the -t option, filter is assumed.

So, you need to mention the table type with -t nat:

sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

Note that the mangle and raw tables also have a PREROUTING chain, but as you are only redirecting ports, you are presumably looking for the nat table.

answered Jun 30, 2016 at 18:46

heemayl

The PREROUTING chain is only available in the nat, mangle and raw tables.
iptables assumes the filter table, so you must specify one of these, e.g. iptables -t nat ...

answered Jun 30, 2016 at 18:47

Ven3k

I got a similar error when I ran a docker command:

docker run -d -p 8084:8080 knockdata/zeppelin-highcharts

d9c5d34f500d621585470b0e70b915395fcb6b3437859e0f610dbb58d51faf25
docker: Error response from daemon: driver failed programming external connectivity on endpoint elegant_jang  
(7ca0f5ad689f5443ce7533f66b4a86c34d2dbd9d076bac4812288dd3f6a76698):  
iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8084 -j DNAT --to-destination 172.17.0.2:8080 
! -i docker0: iptables: No chain/target/match by that name.
(exit status 1).

I was able to fix it by reinstalling docker-engine:

apt-get remove docker-engine
apt-get install docker-engine

answered Sep 29, 2016 at 7:22

Rockie Yang

You can install CSF (ConfigServer Security & Firewall) and use the following settings.

nano /etc/csf/csf.conf
SYNFLOOD = "" => SYNFLOOD = "1"
CONNLIMIT = "" => CONNLIMIT = "80;75,443;75,21;50"
PORTFLOOD = "" => PORTFLOOD = "80;tcp;5;250"
SYSLOG = "0" => SYSLOG = "1"
DOCKER = "0" => DOCKER = "1"

nano /etc/csf/csfpost.sh

#!/bin/sh

echo "[DOCKER] Setting up FW rules."

# nat table: the DOCKER chain holds the DNAT rules for published ports; it is
# reached from PREROUTING (incoming traffic) and OUTPUT (host-local traffic)
iptables -t nat -N DOCKER
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER

# Masquerade outbound connections from containers
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

# filter table: create the DOCKER chain once and send bridge-bound traffic through it
iptables -t filter -N DOCKER
iptables -t filter -A FORWARD -o docker0 -j DOCKER

# Accept established connections to the docker containers
iptables -t filter -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow docker containers to communicate with themselves & outside world
iptables -t filter -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
iptables -t filter -A FORWARD -i docker0 -o docker0 -j ACCEPT

echo "[DOCKER] Done."

Note: this config also protects you from basic DDoS attacks.

answered Dec 7, 2018 at 3:40

Akinjiola Toni