Running docker container : iptables: No chain/target/match by that name
Problem Overview
I'm trying to run a container but I get the following issue:
Error response from daemon: Cannot start container b005715c40ea7d5821b15c44f5b7f902d4b39da7c83468f3e5d7c042e5fe3fbd: iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.43 --dport 80 -j ACCEPT: iptables: No chain/target/match by that name.
(exit status 1)
Here is the command I use:
docker run -d -p 10080:80 -v /srv/http/website/data:/srv/http/www/data -v /srv/http/website/logs:/srv/http/www/logs myimage
Isn't opening port 80 on my server enough? Is there something I missed with the docker interface? I use iptables with a script like this:
#!/bin/sh
# reset :
iptables -t filter -F
iptables -t filter -X
# Block all :
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# Authorize already established connections :
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Authorize backloop :
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# Authorize ssh :
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
# Authorize HTTP :
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
# Authorize HTTPS :
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# Authorize DNS :
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
# Ping :
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# Authorize FTP :
iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
# # Authorize NTP :
# iptables -t filter -A INPUT -p udp --dport 123 -j ACCEPT
# iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
# Authorize IRC :
iptables -t filter -A INPUT -p tcp --dport 6667 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 6667 -j ACCEPT
# Authorize port 10000 (for Node.JS server) :
iptables -t filter -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 10000 -j ACCEPT
# Authorize port 631 (Cups server) :
iptables -t filter -A INPUT -p tcp --dport 631 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 631 -j ACCEPT
# Authorize port 9418 (git) :
iptables -t filter -A INPUT -p tcp --dport 9418 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 9418 -j ACCEPT
How could I fix this?
Docker Solutions
Solution 1 - Docker
I faced the same problem in a docker-compose setup.
1. Clear all chains:
sudo iptables -t filter -F
sudo iptables -t filter -X
2. Then restart Docker Service:
systemctl restart docker
Solution 2 - Docker
I believe the issue is within these lines:
iptables -t filter -F
iptables -t filter -X
which indeed clears all chains. One possible solution is to launch the docker daemon after the iptables setup script. Otherwise you will need to explicitly remove only the chains you're interested in.
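Solution 2 names the cause: the question's script runs iptables -t filter -F and -X on the whole table, which also deletes the DOCKER chain the daemon created, so the next "docker run -p" fails. The script below is an added example, not code from the question or any of the answers, showing how a host firewall reset can keep Docker's chains instead of destroying them. It reads an iptables-save dump on stdin; the dump embedded here is a constructed sample so the script runs offline without root, and the chain list in DOCKER_CHAINS is an assumption about which chains the daemon owns (check it against iptables-save on your own host).

```shell
#!/bin/sh
# Added example (not code from the question or any answer): reset a host
# firewall without deleting the chains Docker creates, so a later
# "docker run -p ..." does not fail with "No chain/target/match by that name".
# Both helpers read an "iptables-save" dump on stdin; on a real host use
#   iptables-save | has_docker_chain filter DOCKER
# Here a constructed sample dump is used instead, so the script runs offline.

# Chains owned by the Docker daemon (assumption: extend this list if your
# "iptables-save" output shows other DOCKER* chains).
DOCKER_CHAINS='DOCKER DOCKER-USER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2 DOCKER-INGRESS'

# Constructed sample of "iptables-save" output: a DROP host policy, Docker's
# chains, and one user-defined chain (MYCHAIN) that a reset should remove.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
:MYCHAIN - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
COMMIT'

# has_docker_chain TABLE CHAIN: exit 0 if CHAIN is declared in TABLE of the
# dump on stdin. A pre-flight check to run before starting containers.
has_docker_chain() {
  awk -v t="*$1" -v c=":$2" '
    $0 == t             { in_table = 1; next }   # entered the wanted table
    /^[*]/              { in_table = 0 }         # header of another table
    in_table && $1 == c { found = 1 }            # ":NAME policy [pkts:bytes]"
    END { exit (found ? 0 : 1) }
  '
}

# safe_reset_commands TABLE: print the iptables commands that flush the
# built-in chains and flush+delete user chains, skipping Docker's own.
# Unlike a bare "iptables -F; iptables -X" this never removes DOCKER.
safe_reset_commands() {
  awk -v tab="$1" -v t="*$1" -v keep="$DOCKER_CHAINS" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) own[k[i]] = 1 }
    $0 == t { in_table = 1; next }
    /^[*]/  { in_table = 0 }
    in_table && /^:/ {
      name = substr($1, 2)
      if (name ~ /^(INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)$/) {
        printf "iptables -t %s -F %s\n", tab, name
      } else if (!(name in own)) {
        printf "iptables -t %s -F %s\n", tab, name
        printf "iptables -t %s -X %s\n", tab, name
      }
    }
  '
}

# Stand-alone demo on the constructed dump (no root or kernel access needed).
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_DUMP" | has_docker_chain filter DOCKER \
    && echo "filter/DOCKER present: safe to start containers"
  printf '%s\n' "$SAMPLE_DUMP" | safe_reset_commands filter
fi
```

Run it with --demo to see the commands it would emit for the sample; on a real host, pipe iptables-save into safe_reset_commands and execute the printed lines in place of the -F/-X pair at the top of the firewall script. The script only prints commands rather than running them so the reset can be reviewed first, and it is still worth ordering the firewall unit Before=docker.service as Solution 6 recommends, so that Docker adds its chains after the reset rather than before it.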
Solution 3 - Docker
Faced the same issue on RHEL 7. Restarting the docker service worked for me without a need to flush any iptables rules.
$ sudo systemctl restart docker
Solution 4 - Docker
I got the same problem after installing firewalld.
I fixed it by:
service firewalld stop
service docker restart
Solution 5 - Docker
The error may happen because it is trying to affect the iptables "DOCKER" filter chain, but it is not there.
The option --iptables=false prevents docker from changing the iptables configuration.
If you opt for fixing the iptables docker filter chain, here's how.
You can actually edit the iptables configuration and add it, so that it looks like the example here: https://stackoverflow.com/questions/25917941/docker-how-to-re-create-dockers-additional-iptables-rules
Like this:
sudo vi /etc/sysconfig/iptables
Add the ":DOCKER" lines
*nat
:PREROUTING ACCEPT [144:8072]
:INPUT ACCEPT [87:5208]
:OUTPUT ACCEPT [118:8055]
:POSTROUTING ACCEPT [118:8055]
:DOCKER - [0:0]
... your previous rules here ...
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5781:5099614]
:DOCKER - [0:0]
... your previous rules here ...
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
Restart... e.g.
service iptables restart
A good "further reading" link where it is well explained:
https://medium.com/@ebuschini/iptables-and-docker-95e2496f0b45
Solution 6 - Docker
In irc.freenode.net#docker you have stated that you are using Arch Linux ARM on a Raspberry Pi.
If you are not running this script as a part of a systemd service, I would strongly suggest moving to that, or making use of the existing iptables services and using their ability to save/restore the tables at the appropriate times. If you choose to move to your own services, make sure that the unit states that it is ordered Before=docker.service
Solution 7 - Docker
Yes, I faced the same issue and, as mentioned above, the commands below worked for me:
sudo iptables -t filter -F
sudo iptables -t filter -X
systemctl restart docker
Solution 8 - Docker
I can confirm that this problem is caused by iptables or firewalld because before my containers stopped I edited my firewall's rules.
iptables -t filter -X
iptables -t filter -F
Solution 9 - Docker
I also faced the same issue. Before running docker start mongodb, I was testing the ssh service.
The commands below solved this issue for me:
iptables -t filter -F
iptables -t filter -X
systemctl restart docker