How do you publish ports from a Docker container on a system using nftables?

Question

I have a fairly plain Debian Buster install. Debian Buster uses nftables rather than iptables. If I try and run a container with a published port:

sudo docker run -it --rm --name=port-test -p 1234:1234/tcp debian:jessie-slim

then I get this error:

docker: Error response from daemon: driver failed programming external connectivity on endpoint port-test (941052b9f420df39ac3d191dcbe12e97276703903911e7b5172663e7736d59e0):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 1234 -j DNAT --to-destination 172.17.0.2:1234 ! -i docker0: iptables v1.8.2 (nf_tables): Chain 'DOCKER' does not exist

How do I get port publishing working?

score 0 · Answer 1 · answered Aug 11 '19 at 14:33

0

Please see this issue and comment:

https://github.com/moby/moby/issues/26824#issuecomment-517046804

answered Aug 11 '19 at 14:33

gCoh

2,719
1
22
46

score 0 · Answer 2 · answered Sep 22 '21 at 18:06

0

You can run sudo update-alternatives --config iptables and sudo update-alternatives --config ip6tables (if you use IPv6), and set it to iptables-legacy which is a compatibility mode that Docker can work with.

answered Sep 22 '21 at 18:06

dragon788

3,583
1
40
49

How do you publish ports from a Docker container on a system using nftables?

2 Answers2