No DOCKER chain in iptables #1871

Closed

Description

@clemtibs

I've been doing this tutorial and had trouble at the step:

DJANGO_APP=$(docker run -d -i -t -p 8000:8000 ubuntu /bin/bash)
WARNING: Docker detected local DNS server on resolv.conf. Using default external servers: [8.8.8.8 8.8.4.4]
WARNING: IPv4 forwarding is disabled.
2013/09/12 12:52:02 Error: Error starting container 037aac8ca3ab: iptables failed: iptables -t nat -A DOCKER -p tcp --dport 8000 ! -i docker0 -j DNAT --to-destination 172.17.0.3:8000

So trying it manually gave me this:

sudo iptables -t nat -A DOCKER -p tcp --dport 8000 ! -i docker0 -j DNAT --to-destination 172.17.0.3:8000
iptables: No chain/target/match by that name.

This is verified by checking (note: I deleted the rules, just kept the chain names):

sudo iptables -L -n --line-numbers
Chain INPUT (policy DROP)
...

Chain FORWARD (policy DROP)
...

Chain OUTPUT (policy DROP)
...

Chain INBOUND (4 references)
...

Chain LOG_FILTER (5 references)
...

Chain LSI (2 references)
...

Chain LSO (0 references)
...

Chain OUTBOUND (3 references)
...

Any ideas? I did have an issue just before this where I couldn't access the internet at all from within containers, but "sharing" the internet locally with device docker0 using firestarter (gufw just doesn't work on my ubuntu 12.04) fixed it.

Activity

crosbymichael (Contributor) commented on Oct 4, 2013

@Briguy2k

Can you look for the DOCKER chain using sudo iptables -L -n -t nat ??

clemtibs (Author) commented on Oct 4, 2013

@crosbymichael

I didn't see anything helpful there:

$ sudo iptables -L -n -t nat 
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

matteosister commented on Nov 9, 2013

Same problem here... any solution?

crosbymichael (Contributor) commented on Nov 9, 2013

@brianclements @matteosister

I'm guessing that you have the docker0 bridge so you can try to create the chain manually.

iptables -t nat -N DOCKER
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER

matteosister commented on Nov 10, 2013

@crosbymichael I've got the docker0 bridge, but the commands you gave didn't solve the issue...
Is there a way to restart from scratch?

crosbymichael (Contributor) commented on Nov 10, 2013

You can remove the docker0 bridge and have docker recreate the network setup.

Michael Crosby

clemtibs (Author) commented on Nov 14, 2013

@crosbymichael
Your suggestions worked for me and I was finally able to complete the tutorial in the original post exactly as directed, even down to the working django web server. However when I restarted, all the iptables changes were undone. Any tips on where I should start looking to make those permanent?

matteosister commented on Nov 18, 2013

@crosbymichael for me nothing worked. Even after deleting the bridge it still gives me the same error...

crosbymichael (Contributor) commented on Nov 30, 2013

@matteosister What host OS are you running on?

shykes (Contributor) commented on Jan 6, 2014

Tagging as /system/networking

jpoimboe (Contributor) commented on Jan 24, 2014

@brianclements @matteosister do you still see the issue with the latest version of docker?

clemtibs (Author) commented on Jan 24, 2014

Thanks for following up @jpoimboe, I have since installed docker on many other machines and had 0 occurrence of this issue on those machines. And I'm pretty sure that I've had other miscellaneous firewall issues on the machine that this issue was occurring on, so I'm going to go ahead and take myself out of this equation and say that it's some issue with my firewall here on this machine and not docker.

Curious though myself @matteosister, what is your host system that you have the issue on and is it a fresh install or a system upgrade? My particular system has been under probably 3 years of Ubuntu upgrades and I think my iptables has too many different versions and types of firewalls all grabbing at it and undoing each others changes.

eliasp (Contributor) commented on Jan 24, 2014

@brianclements It still fails here:

Jan 25 00:12:21 moria docker[5337]: Unable to allow incoming packets: iptables failed: iptables -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT: iptables: No chain/target/match by that name.

  • Distribution: Gentoo
  • Kernel: 3.13.0
  • Docker: 0.7.6
  • Go: 1.2

Running iptables -t nat -L shows:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16       !172.17.0.0/16  

There's no other firewall framework/daemon (Shorewall, firewalld, ufw, …) enabled/active at the time of testing this, so there's no chance this is a conflict with any of them.

tianon (Member) commented on Jan 24, 2014

@eliasp I wonder if you just found another kernel flag our ebuild is missing. Do you have CONFIG_NETFILTER_XT_MATCH_CONNTRACK set in your kernel config, by any chance? :)

eliasp (Contributor) commented on Jan 25, 2014

@tianon That's the culprit:

# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set

Added it and it works now! So this should be also added to the ebuild.
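A small diagnostic script for the two causes identified in this thread: the missing nat DOCKER chain that crosbymichael's commands recreate, and the kernel built without CONFIG_NETFILTER_XT_MATCH_CONNTRACK that eliasp found. This is an added example, not code from the Docker project or any commenter; the function names are my own and the embedded iptables output is constructed.

```shell
#!/bin/sh
# Checks the two causes discussed in this thread: a nat table without the DOCKER
# chain, and a kernel built without CONFIG_NETFILTER_XT_MATCH_CONNTRACK (so any
# '-m conntrack' rule fails with "No chain/target/match by that name").

# Constructed sample of `iptables -t nat -S` output on a healthy host.
SAMPLE_NAT_OK='-P PREROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE'
# Constructed sample mirroring the output posted above: MASQUERADE only, no DOCKER chain.
SAMPLE_NAT_BROKEN='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE'

# nat_chain_exists CHAIN "RULES": true if RULES (iptables -S format) declares CHAIN.
nat_chain_exists() {
    printf '%s\n' "$2" | grep -q "^-N $1\$"
}

# kernel_opt_enabled OPTION "CONFIG": true if OPTION=y or =m; '# OPTION is not set' fails.
kernel_opt_enabled() {
    printf '%s\n' "$2" | grep -Eq "^$1=(y|m)\$"
}

# Running kernel's config via /proc (needs CONFIG_IKCONFIG_PROC) or the /boot copy.
read_kernel_config() {
    if [ -r /proc/config.gz ]; then zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
    fi
}

# Live check of this host (iptables needs root); returns 2 if iptables cannot be read.
check_host() {
    rules=$(iptables -t nat -S) || return 2
    if nat_chain_exists DOCKER "$rules"; then echo "nat DOCKER chain: present"
    else echo "nat DOCKER chain: MISSING (recreate with: iptables -t nat -N DOCKER)"
    fi
    cfg=$(read_kernel_config)
    if [ -z "$cfg" ]; then echo "kernel config not readable; CONNTRACK check skipped"
    elif kernel_opt_enabled CONFIG_NETFILTER_XT_MATCH_CONNTRACK "$cfg"; then
        echo "CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled"
    else echo "CONFIG_NETFILTER_XT_MATCH_CONNTRACK: not set ('-m conntrack' rules fail)"
    fi
}

# Only touch the live system when invoked with --live; sourcing just defines the helpers.
if [ "${1:-}" = "--live" ]; then check_host; fi
```

Run it as `sudo sh docker-iptables-check.sh --live` on the affected host; the helper functions can also be sourced and pointed at saved `iptables -t nat -S` output from another machine.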
