docker: Error response from daemon: driver failed programming external connectivity on endpoint container_name: (iptables failed: iptables --wait -t nat -A DOCKER ! -i docker0 -p tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80 -m comment --comment "..." failed: iptables: No chain/target/match by that name.)
ID: docker/port-mapping-ipv6-only
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Docker 20.10.24 | active | — | — | — |
| Docker 24.0.5 | active | — | — | — |
| Docker 25.0.1 | active | — | — | — |
Root Cause
Docker's iptables rule insertion fails because the DOCKER chain in the nat table does not exist. This is often because Docker has been configured to use ip6tables instead of iptables on a host where IPv6 is disabled, or because a misconfigured firewall policy removed the chain after the daemon created it.
Official Documentation
https://docs.docker.com/network/iptables/
Workarounds
- 85% success: Ensure the iptables kernel modules are loaded with 'sudo modprobe iptable_nat && sudo modprobe iptable_filter', then restart the Docker daemon with 'sudo systemctl restart docker'.
- 90% success: If IPv6 is disabled on the host, configure Docker to use only IPv4 by adding '{"ip6tables": false}' to /etc/docker/daemon.json (merge the key into the existing file rather than overwriting it) and restarting Docker.
- 80% success: Reset Docker's network state completely: 'sudo systemctl stop docker', 'sudo rm -rf /var/lib/docker/network', then 'sudo systemctl start docker'. This forces Docker to recreate all network chains. Note that it also deletes the stored definitions of user-defined networks, which must be recreated afterwards.
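The following triage helper is an added example, not code from the page or from Docker. It parses the text of 'iptables -t nat -S' and 'lsmod' (constructed samples below, so it runs offline) to tell the missing-module case from the missing-chain case named in the root cause, and it merges '"ip6tables": false' into an existing daemon.json without discarding the other keys. The function names and sample listings are assumptions.

```python
"""Triage helpers for the missing DOCKER nat chain (added example, not page code).

The iptables and lsmod listings are passed in as text so the checks also run
against a saved capture; on a live host feed them the output of
`iptables -t nat -S` and `lsmod`. The sample inputs below are constructed.
"""
import json

IPT_MODULES = {"iptable_nat", "iptable_filter"}  # the modules the workaround loads

def nat_chain_present(nat_rules: str, chain: str = "DOCKER") -> bool:
    """True if an `iptables -t nat -S` dump declares the chain (a `-N CHAIN` line)."""
    return any(line.strip() == f"-N {chain}" for line in nat_rules.splitlines())

def loaded_ipt_modules(lsmod_out: str) -> set:
    """Which of IPT_MODULES appear in `lsmod` output (first column, header skipped)."""
    names = {ln.split()[0] for ln in lsmod_out.splitlines()[1:] if ln.strip()}
    return IPT_MODULES & names

def diagnose(nat_rules: str, lsmod_out: str) -> str:
    """Map the symptoms to the causes named in the root-cause section."""
    if nat_chain_present(nat_rules):
        return "ok"
    missing = IPT_MODULES - loaded_ipt_modules(lsmod_out)
    if missing:  # meaningful for the legacy x_tables backend; iptables-nft uses nf_tables
        return "missing-modules:" + ",".join(sorted(missing))
    return "chain-missing"  # modules present: suspect ip6tables/IPv6 config or stale state

def merged_daemon_json(existing: str) -> str:
    """Add "ip6tables": false to daemon.json text without dropping the other keys."""
    cfg = json.loads(existing) if existing.strip() else {}
    if cfg.get("iptables") is False:  # that setting stops Docker managing DNAT rules at all
        raise ValueError('daemon.json sets "iptables": false; remove that before continuing')
    cfg["ip6tables"] = False
    return json.dumps(cfg, indent=2, sort_keys=True) + "\n"

# Constructed samples: a nat table with no DOCKER chain, and a module list lacking iptable_nat.
SAMPLE_NAT_BROKEN = "-P PREROUTING ACCEPT\n-P INPUT ACCEPT\n-P OUTPUT ACCEPT\n-P POSTROUTING ACCEPT\n"
SAMPLE_NAT_OK = SAMPLE_NAT_BROKEN + "-N DOCKER\n-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER\n"
SAMPLE_LSMOD_NO_NAT = "Module                  Size  Used by\niptable_filter         16384  1\nx_tables               53248  2\n"
SAMPLE_LSMOD_OK = SAMPLE_LSMOD_NO_NAT + "iptable_nat            16384  1\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE_NAT_BROKEN, SAMPLE_LSMOD_NO_NAT))  # missing-modules:iptable_nat
    print(diagnose(SAMPLE_NAT_BROKEN, SAMPLE_LSMOD_OK))      # chain-missing
    print(merged_daemon_json('{"log-driver": "json-file"}'))
```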
Dead Ends
Common approaches that don't work:
- 70% fail: Flushing all rules removes the DOCKER chain entirely, which is the root cause; Docker will fail to recreate it if the underlying issue (e.g., a missing kernel module) persists.
- 40% fail: This disables all port mapping and network isolation, breaking container connectivity; it is not a fix but a workaround that cripples networking.
- 50% fail: While this may temporarily fix the error, Docker expects the chain to be created automatically; manual creation may conflict with Docker's internal state and cause instability.