76

I'm trying to run a container but I get the following issue:

Error response from daemon: Cannot start container b005715c40ea7d5821b15c44f5b7f902d4b39da7c83468f3e5d7c042e5fe3fbd: iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.43 --dport 80 -j ACCEPT: iptables: No chain/target/match by that name.
 (exit status 1)

Here is the command I use:

docker run -d -p 10080:80 -v /srv/http/website/data:/srv/http/www/data -v /srv/http/website/logs:/srv/http/www/logs myimage

Isn't opening port 80 on my server enough? Is there something I missed with the docker interface? I use iptables with a script like this:

#!/bin/sh

# reset :
iptables -t filter -F
iptables -t filter -X

# Block all :
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# Authorize already established connections :
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Authorize loopback :
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# Authorize ssh :
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

# Authorize HTTP :
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT

# Authorize HTTPS :
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

# Authorize DNS :
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT

# Ping :
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# Authorize FTP :
iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT

# # Authorize NTP :
# iptables -t filter -A INPUT -p udp --dport 123 -j ACCEPT
# iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

# Authorize IRC :
iptables -t filter -A INPUT -p tcp --dport 6667 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 6667 -j ACCEPT

# Authorize port 10000 (for Node.JS server) :
iptables -t filter -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 10000 -j ACCEPT

# Authorize port 631 (Cups server) :
iptables -t filter -A INPUT -p tcp --dport 631 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 631 -j ACCEPT

# Authorize port 9418 (git) :
iptables -t filter -A INPUT -p tcp --dport 9418 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 9418 -j ACCEPT

How could I fix this?

StackzOfZtuff
vmonteco

9 Answers

114

I faced the same problem in a docker-compose setup.

1. Clear all chains:

sudo iptables -t filter -F
sudo iptables -t filter -X

2. Then restart Docker Service:

systemctl restart docker
Manuel Schmitzberger
    for me `systemctl restart docker` without flushing `iptables` worked just fine! – Zahra Oct 29 '19 at 21:35
  • Restarting the docker daemon worked for me too, thanks! I remember that I had to clear all iptables tables a couple of days ago and it also cleared the tables installed by docker. – OndroMih Oct 20 '20 at 11:16
  • WARNING - Do not do this over SSH as this will clear all your iptables rules and you will be unable to connect back to the server. – Diego Vieira Jun 22 '23 at 09:03
54

Faced the same issue on RHEL 7. Restarting the docker service worked for me without any need to flush iptables rules.

$ sudo systemctl restart docker
Junaid
48

I believe the issue is within these lines:

iptables -t filter -F
iptables -t filter -X

which indeed clear all chains. One possible solution is to launch the docker daemon after the iptables setup script. Otherwise you will need to explicitly remove only the chains you're interested in.

Bernard Vander Beken
Yoanis Gil
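The flush-and-restart recipe in the first answer and the explanation in this one come down to the same fact: `iptables -t filter -X` deletes the daemon's DOCKER chain, and the next `-A DOCKER ...` the daemon issues (the rule quoted in the question's error) fails with "No chain/target/match by that name". The script below is an added example, not code from the question or from any answer. It works offline on two constructed iptables-save style dumps of the filter table (one as the question's reset step leaves it, one after a Docker restart has recreated the chain), replays the chain lookup the kernel performs for the daemon's rule, and prints the reset commands that leave Docker's chains alone. The dump contents are modelled on the question's script and on the rules shown in the restore-file answer further down; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original question or answers: reproduce the
# failure offline from iptables-save style dumps and show which part of the
# question's "reset" step removes the chain Docker needs.

# Constructed sample: the filter table as the question's script leaves it.
# "iptables -t filter -X" deleted every user-defined chain, DOCKER included.
AFTER_RESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Constructed sample: the same table after "systemctl restart docker"
# recreated the daemon's chain and its hooks in FORWARD.
AFTER_RESTART='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT'

# The rule from the question's error message, as the daemon appends it
# when a container publishes port 80.
DAEMON_RULE='-A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.43 --dport 80 -j ACCEPT'

# user_chains DUMP: the non-builtin chains in DUMP, i.e. exactly the set
# that "iptables -t filter -X" deletes. On a Docker host this includes DOCKER.
user_chains() {
    printf '%s\n' "$1" | sed -n 's/^:\([^ ]*\) - .*/\1/p'
}

# chain_exists DUMP CHAIN: 0 if CHAIN is declared in DUMP, 1 otherwise.
chain_exists() {
    printf '%s\n' "$1" | grep -q "^:$2 "
}

# can_append DUMP RULE: the lookup the kernel performs for "-A CHAIN ...".
# Prints the iptables message from the question on failure.
can_append() {
    chain=$(printf '%s\n' "$2" | sed -n 's/^-A \([^ ]*\) .*/\1/p')
    if chain_exists "$1" "$chain"; then
        return 0
    fi
    echo "iptables: No chain/target/match by that name."
    return 1
}

# reset_commands: what to run instead of the blanket "-F" and "-X".
# Flushing INPUT and OUTPUT by name empties only the rules the script
# owns. FORWARD is deliberately left alone: the "-j DOCKER" hook lives
# there, and the DOCKER chain itself is never deleted.
reset_commands() {
    for c in INPUT OUTPUT; do
        echo "iptables -t filter -F $c"
    done
}

# Walk through both states when run directly.
if can_append "$AFTER_RESET" "$DAEMON_RULE"; then
    echo "after reset: daemon rule accepted"
else
    echo "after reset: container start would fail (restart docker or keep the DOCKER chain)"
fi
if can_append "$AFTER_RESTART" "$DAEMON_RULE"; then
    echo "after restart: daemon rule accepted"
fi
echo "reset commands that keep Docker's chains:"
reset_commands
```

On a live host, substitute the output of `iptables-save -t filter` for the constructed dumps. If the firewall script must still run `-X`, order it before the daemon (a systemd unit with `Before=docker.service`, as one of the answers below suggests) so that Docker recreates its chains afterwards rather than finding them gone.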
18

I got the same problem after installing firewalld.

I fixed it by:

service firewalld stop
service docker restart
Bernard Vander Beken
eagle
  • This worked for me, but I don't know if there are any major security risks in stopping firewalld. – drab Dec 17 '20 at 12:07
  • This also worked for me, but after restarting docker, I turned the firewall back on, and then started the container. The error message went away at that point. – amphetamachine Feb 05 '21 at 15:27
5

The error may happen because Docker is trying to modify the iptables "DOCKER" filter chain, but it is not there.

The option --iptables=false prevents docker from changing the iptables configuration.

(Source: https://docs.docker.com/v17.09/engine/userguide/networking/default_network/container-communication/#communicating-to-the-outside-world)

If you opt for fixing the iptables docker filter chain, here's how.

You can actually edit the iptables rules file and add it, so that it looks like the example here: Docker: How to re-create docker's additional iptables rules?

Like this:

sudo vi /etc/sysconfig/iptables

Add the ":DOCKER" lines:

*nat
:PREROUTING ACCEPT [144:8072]
:INPUT ACCEPT [87:5208]
:OUTPUT ACCEPT [118:8055]
:POSTROUTING ACCEPT [118:8055]
:DOCKER - [0:0]
... your previous rules here ...
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5781:5099614]
:DOCKER - [0:0]
... your previous rules here ...
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT

Restart, e.g.

service iptables restart

A good "further reading" link where it is well explained:

https://medium.com/@ebuschini/iptables-and-docker-95e2496f0b45
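Before reloading a hand-edited rules file with `service iptables restart`, it is worth checking that every chain the file jumps to is declared in the same table: a `-j DOCKER` under `*filter` without a matching `:DOCKER - [0:0]` line under `*filter` fails with the same "No chain/target/match by that name" message, and the `:DOCKER` line under `*nat` does not help, because chains are per table. The script below is an added example, not part of the answer and not Docker's or iptables' own tooling. It lints an iptables-save style file with awk and runs here against a constructed file modelled on the answer's layout plus a copy with the filter-table `:DOCKER` declaration removed. The list of built-in targets and the sample rules are the example's assumptions.

```shell
#!/bin/sh
# Added example, not from the answer above: a static check for an
# iptables-save style rules file. It reports every "-j TARGET" whose target
# is neither a builtin verdict nor a chain declared in the same table, the
# condition that iptables-restore (and the daemon's "-A DOCKER") trips over.

# Verdicts and extension targets that need no ":NAME" declaration. Only
# those the sample uses are listed; extend for targets your own file uses.
BUILTIN_TARGETS='ACCEPT DROP REJECT RETURN LOG MASQUERADE DNAT SNAT REDIRECT'

# Constructed file in the shape of the answer: nat and filter tables,
# each declaring its own DOCKER chain.
GOOD_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT'

# The same file with the filter-table ":DOCKER" line dropped. The nat
# declaration remains, which is exactly why it is easy to miss.
BAD_RULES=$(printf '%s\n' "$GOOD_RULES" | awk '/^\*filter/{t=1} !(t && /^:DOCKER /)')

# lint_rules FILE_CONTENT: prints "TABLE: -j TARGET has no chain" for each
# problem and returns 1 if any was found, 0 otherwise.
lint_rules() {
    printf '%s\n' "$1" | awk -v builtins="$BUILTIN_TARGETS" '
        BEGIN { n = split(builtins, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        /^\*/     { table = substr($0, 2); split("", declared); next }
        /^:/      { declared[substr($1, 2)] = 1; next }
        /^COMMIT/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "-j" && !($(i+1) in ok) && !($(i+1) in declared)) {
                    printf "%s: -j %s has no chain\n", table, $(i+1)
                    bad = 1
                }
        }
        END { exit bad ? 1 : 0 }'
}

# Run directly: the good file passes, the broken one names the missing chain.
if lint_rules "$GOOD_RULES"; then
    echo "good file: every jump target is declared"
fi
if ! lint_rules "$BAD_RULES"; then
    echo "bad file: fix the declarations before iptables-restore"
fi
```

On a real host, run `lint_rules "$(cat /etc/sysconfig/iptables)"` before restarting the iptables service; `iptables-restore --test` is the authoritative check, but this one runs anywhere, including before the file is copied to the host.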

1

In irc.freenode.net#docker you have stated that you are using Arch Linux ARM on a Raspberry Pi.

If you are not running this script as a part of a systemd service, I would strongly suggest moving to that, or making use of the existing iptables services and using their ability to save/restore the tables at the appropriate times. If you choose to move to your own services, make sure that the unit states that it is ordered Before=docker.service

WarheadsSE
1

I also faced the same issue. Before running `docker start mongodb`, I was testing the ssh service.

The commands below solved this issue for me.

iptables -t filter -F
iptables -t filter -X
systemctl restart docker
cursorrux
piam
-1

Yes, I faced the same issue and, as mentioned above, the commands below worked for me:

sudo iptables -t filter -F
sudo iptables -t filter -X
systemctl restart docker
buddemat
-1

I can confirm that this problem is caused by iptables or firewalld because before my containers stopped I edited my firewall's rules.

iptables -t filter -X
iptables -t filter -F