System administration
HoHsi, 2016-01-31 08:34:48

Why is Docker complaining about iptables?

Good afternoon!
I’ll say right away that I’m not a very good admin (and I’m only in my second hour of using Docker), and most likely I’m being stupid, but Docker complains about iptables and doesn’t want to forward port 8080.
System: CentOS 7
Kernel:

Linux ****** 3.10.0-327.4.5.el7.x86_64 #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

docker -v:

Docker version 1.9.1, build a34a1d5

docker info:

Containers: 12
Images: 14
Server Version: 1.9.1
Storage Driver: devicemapper
Pool Name: docker-253:1-131382-pool
Pool Blocksize: 65.54 kB
Base Device Size: 107.4 GB
Backing Filesystem:
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 2.454 GB
Data Space Total: 107.4 GB
Data Space Available: 17.51 GB
Metadata Space Used: 3.293 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.144 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.107-RHEL7 (2015-10-14)
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 3.10.0-327.4.5.el7.x86_64
Operating System: CentOS Linux 7 (Core)
CPUs: 1
Total Memory: 993.1 MiB
Name: *****
ID: * ****
WARNING: IPv4 forwarding is disabled
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

iptables:

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I run it all:
docker run -d -p 8080:80 node_test_app node ./
Response:
WARNING: IPv4 forwarding is disabled. Networking will not work.
*****
Error response from daemon: Cannot start container *****: failed to create endpoint high_mcnulty on network bridge: COMMAND_FAILED: '/sbin/iptables -w2 -t nat -A DOCKER -p tcp -d 0/0 --dport 8080 -j DNAT --to-destination ****.***.****.****:80 ! -i docker0' failed: iptables: No chain/target/match by that name.


2 answer(s)
Rocklviv, 2016-01-31

WARNING: IPv4 forwarding is disabled. Networking will not work.
This message says that you do not have IPv4 forwarding enabled.
To enable it on CentOS 7:
add net.ipv4.ip_forward = 1 to /usr/lib/sysctl.d/50-default.conf
and restart sysctl: /sbin/sysctl -p
That should solve your problem. Also, after doing the above, don't forget to restart the docker daemon.

aGGre55or, 2016-03-02

Also add

net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1

in the same place, for good measure.
Then the two WARNINGs in docker info will go away.
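
An added example, not part of the thread or of either answer: a read-only check of the three kernel settings named in the `docker info` warnings, plus a test for the `DOCKER` chain in the nat table, which is the chain the failing `iptables -t nat -A DOCKER` command appends to. The function names, the sysroot argument and the sample ruleset are constructed for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the sysroot
# argument are assumptions of this sketch; nothing here changes the system.

KEYS="net/ipv4/ip_forward net/bridge/bridge-nf-call-iptables net/bridge/bridge-nf-call-ip6tables"

# Print each key's state; return the number of keys that are not set to 1.
check_docker_sysctls() {
    sysroot=${1:-/proc/sys}
    bad=0
    for key in $KEYS; do
        name=$(printf '%s' "$key" | tr '/' '.')
        if [ -r "$sysroot/$key" ]; then
            val=$(cat "$sysroot/$key")
        else
            val=missing    # e.g. the bridge netfilter module is not loaded
        fi
        if [ "$val" = 1 ]; then
            echo "ok   $name = 1"
        else
            echo "FIX  $name = $val"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Read `iptables-save` output on stdin; succeed only if the nat table
# declares the named chain (a chain of that name in another table does not count).
nat_has_chain() {
    awk -v chain="$1" '
        /^\*/ { table = substr($1, 2) }
        table == "nat" && $1 == (":" chain) { found = 1 }
        END { exit !found }
    '
}

# Constructed sample: a saved ruleset that, like the one posted in the
# question, contains only a filter table.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

check_docker_sysctls /proc/sys || echo "set the FIX keys to 1, then restart docker"
printf '%s\n' "$SAMPLE_RULES" | nat_has_chain DOCKER || echo "nat table has no DOCKER chain"
```

On a live host, run `iptables-save | nat_has_chain DOCKER` as root to test the loaded ruleset; Docker creates that chain when the daemon starts.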
