You need a docker chain in the NAT table as well. The output you are showing is in the default table.

Try "iptables -t nat -L" to list all rules and chains in the NAT table. You can add the docker chain in the NAT table with "iptables -t nat -N Docker", which creates a docker chain in the NAT table. As Rad suggested, restarting the docker daemon would allow Docker to recreate all the iptables chains and rules it needs. That might be a cleaner approach than trying to insert rules on your own.

On Wed, Apr 13, 2016 at 12:53 PM, Alfredo Carneiro <[email protected]> wrote:

> Hey Rad,
>
> Thanks for your answer! I have added these lines and now it looks very similar to before.
>
> iptables -N DOCKER
> iptables -A FORWARD -o docker0 -j DOCKER
> iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
>
> However, I am still getting errors.
>
> docker: Error response from daemon: failed to create endpoint cranky_kilby on network bridge: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8080 -j DNAT --to-destination 172.17.0.2:8080 ! -i docker0: iptables: No chain/target/match by that name.
> (exit status 1).
>
> This is my iptables -L output:
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> DOCKER     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
>
> Chain DOCKER (1 references)
> target     prot opt source               destination
>
> I hid the INPUT chain because it is very big!
>
> Best Regards,
>
> On Wed, Apr 13, 2016 at 4:29 PM, Rad Gruchalski <[email protected]> wrote:
>
>> Hi Alfredo,
>>
>> The only thing you need is:
>>
>> -A FORWARD -o docker0 -j DOCKER
>> -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
>> -A FORWARD -i docker0 -o docker0 -j ACCEPT
>>
>> Best regards,
>> Radek Gruchalski
>> [email protected]
>> de.linkedin.com/in/radgruchalski/
>>
>> Confidentiality: This communication is intended for the above-named person and may be confidential and/or legally privileged. If it has come to you in error you must take no action based on it, nor must you copy or show it to anyone; please delete/destroy and inform the sender immediately.
>>
>> On Wednesday, 13 April 2016 at 21:27, Alfredo Carneiro wrote:
>>
>> Hello guys,
>>
>> I don't know if this is the right place to ask. Since we use public cloud, we are trying to harden our servers by allowing traffic only from our subnetworks. However, when I tried to implement some iptables rules I got problems with Docker, which couldn't find its chain anymore.
>>
>> So I am wondering if anyone has ever implemented any iptables rules in this scenario.
>>
>> I've seen this[1] "tip"; however, I think that it does not apply to this case, because it is very "static".
>>
>> [1] - https://fralef.me/docker-and-iptables.html
>>
>> Best Regards,
>>
>> --
>> Alfredo Miranda
>
> --
> Alfredo Miranda

--
Avinash Sridharan, Mesosphere
+1 (323) 702 5245
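The thread turns on one detail: Alfredo's `iptables -L` only shows the filter table, while the failing command in the error message is `iptables -t nat -A DOCKER ...`, so the DOCKER chain (and the jumps into it) must also exist in the nat table. The script below is an added example, not code from the thread or from Docker. It compares an `iptables-save` dump against the chains and rules the Docker daemon sets up for its default bridge and prints the `iptables` commands that would recreate whatever is missing. It assumes the default bridge `docker0` on `172.17.0.0/16` and the rule set Docker 1.x installed for that bridge; the dump at the bottom is constructed to mirror Alfredo's situation (filter-table rules re-added by hand, nat table untouched). `table_lines`, `missing_docker_rules` and the two `docker_*_rules` functions are names chosen here, not Docker's.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): check an `iptables-save` dump for the
# chains and rules Docker expects in the filter and nat tables, and print the
# iptables commands that would recreate the missing ones.
# Assumptions: Docker's default bridge docker0 on 172.17.0.0/16.

BRIDGE="docker0"          # assumption: default bridge name
SUBNET="172.17.0.0/16"    # assumption: default bridge subnet

# Filter-table half, in iptables-save syntax. This is what Rad listed.
docker_filter_rules() {
    cat <<EOF
*filter
:DOCKER - [0:0]
-A FORWARD -o $BRIDGE -j DOCKER
-A FORWARD -o $BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $BRIDGE ! -o $BRIDGE -j ACCEPT
-A FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT
COMMIT
EOF
}

# Nat-table half. The DNAT rule in the error message is appended to nat's
# DOCKER chain, which only exists once these lines are loaded.
docker_nat_rules() {
    cat <<EOF
*nat
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s $SUBNET ! -o $BRIDGE -j MASQUERADE
-A DOCKER -i $BRIDGE -j RETURN
COMMIT
EOF
}

# Print one table's section of an iptables-save dump (stdin), reducing chain
# declarations to ":NAME" so policies and packet counters do not get in the way.
table_lines() {   # $1 = table name
    awk -v t="*$1" '
        $0 == t           { in_table = 1; next }
        /^\*/             { in_table = 0 }
        in_table && /^:/  { print $1; next }
        in_table && /^-A/ { print }'
}

# Read a dump on stdin; for each required entry that is absent, print the
# iptables command that creates it. Chains come before the rules that
# reference them, so the output is safe to run top to bottom.
missing_docker_rules() {
    dump=$(cat)
    { docker_filter_rules; docker_nat_rules; } | while IFS= read -r want; do
        case "$want" in
            \**)    table="${want#\*}"; continue ;;
            COMMIT) continue ;;
            :*)     key="${want%% *}" ;;   # chain: compare the name only
            *)      key="$want" ;;         # rule: compare the whole line
        esac
        if ! printf '%s\n' "$dump" | table_lines "$table" | grep -qxF -- "$key"; then
            case "$key" in
                :*) printf 'iptables -t %s -N %s\n' "$table" "${key#:}" ;;
                *)  printf 'iptables -t %s %s\n' "$table" "$key" ;;
            esac
        fi
    done
}

# Constructed sample dump (not from a real host), modelled on the thread:
# the filter-table rules were re-added by hand, the nat table was not.
SAMPLE_DUMP='# constructed iptables-save output
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Stand-alone run: prints the five nat-table commands the sample is missing.
printf '%s\n' "$SAMPLE_DUMP" | missing_docker_rules
```

On a real host, `sudo iptables-save | missing_docker_rules` (after sourcing the file) shows the gap, and piping that output into `sudo sh` fills it. Two caveats: the printed commands append with `-A`, so if the hardening rule set already ends FORWARD with a DROP the jumps land after it and must be moved up with `-I`; and, as Avinash and Rad say, `service docker restart` makes the daemon recreate the same chains itself, which is the cleaner fix when the host can tolerate the restart.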

