moby: Docker fails to create iptables rules?

I’ve installed docker with the get.docker.com script on fedora 22 and I have these messages under journalctl:

Ago 31 13:53:01 localhost.localdomain docker[1591]: time="2015-08-31T13:53:01.475201320+01:00" level=info msg="Firewalld running: true"
Ago 31 13:53:01 localhost.localdomain firewalld[1232]: 2015-08-31 13:53:01 ERROR: COMMAND_FAILED: '/sbin/iptables -w -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No s

                                                       Try `iptables -h' or 'iptables --help' for more information.
Ago 31 13:53:01 localhost.localdomain firewalld[1232]: 2015-08-31 13:53:01 ERROR: COMMAND_FAILED: '/sbin/iptables -w -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER' failed: iptables v1.4.21: Couldn't load targ

                                                       Try `iptables -h' or 'iptables --help' for more information.
Ago 31 13:53:01 localhost.localdomain firewalld[1232]: 2015-08-31 13:53:01 ERROR: COMMAND_FAILED: '/sbin/iptables -w -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such 

                                                       Try `iptables -h' or 'iptables --help' for more information.
Ago 31 13:53:01 localhost.localdomain firewalld[1232]: 2015-08-31 13:53:01 ERROR: COMMAND_FAILED: '/sbin/iptables -w -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Ago 31 13:53:01 localhost.localdomain firewalld[1232]: 2015-08-31 13:53:01 ERROR: COMMAND_FAILED: '/sbin/iptables -w -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Ago 31 13:53:01 localhost.localdomain firewalld[1232]: 2015-08-31 13:53:01 ERROR: COMMAND_FAILED: '/sbin/iptables -w -t nat -F DOCKER' failed: iptables: No chain/target/match by that name.
Ago 31 13:53:01 localhost.localdomain firewalld[1232]: 2015-08-31 13:53:01 ERROR: COMMAND_FAILED: '/sbin/iptables -w -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.

docker version
Client:
 Version:      1.8.1
 API version:  1.20
 Go version:   go1.4.2
 Git commit:   d12ea79
 Built:        Thu Aug 13 02:39:27 UTC 2015
 OS/Arch:      linux/amd64

Server:
 Version:      1.8.1
 API version:  1.20
 Go version:   go1.4.2
 Git commit:   d12ea79
 Built:        Thu Aug 13 02:39:27 UTC 2015
 OS/Arch:      linux/amd64

About this issue

Original URL
State: closed
Created 9 years ago
Comments: 38 (11 by maintainers)

Most upvoted comments

In case it helps anyone, this exact thing happened to me and apparently our infra team restarted iptables and I had to also restart docker to get it working again.

sudo service docker restart

+65

lordmarkm on Jun 21, 2018

the solution is restart docker daemon as thaJeztah mentioned. $systemctl restart docker

+15

GangChenTFS on Mar 5, 2019

@Forestsoft-de what distro are you running on? Do you have firewalld enabled, and was it (re)started after docker was started? If so, then it’s likely that firewalld wiped docker’s IPTables rules. Restarting the docker daemon should re-create those rules.

+11

thaJeztah on Oct 30, 2016

Just ran into this after upgrading to Fedora 32, restarting docker does not seem to fix the problem.

+10

monreal on Jul 4, 2020

It only works if I stop firewalld before starting Docker.

danielkza on Dec 26, 2015

In case it helps anyone, this exact thing happened to me and apparently our infra team restarted iptables and I had to also restart docker to get it working again.

Restarting the Docker service did the trick for me.

audiotecnicality on Jul 29, 2018

@Forestsoft-de looks like the error is shown on docker-compose up, which creates a network, and exposes/publishes container ports. If the DOCKER chain is missing at that point, the error occurs.

If you think it’s not related to firewalld, please open a new issue

thaJeztah on Oct 30, 2016