# docker: Error response from daemon: driver failed programming external connectivity on endpoint container_name: (iptables failed: iptables --wait -t nat -A DOCKER ! -i docker0 -p tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80 -m comment --comment "..." failed: iptables: No chain/target/match by that name.) - **ID:** `docker/port-mapping-ipv6-only` - **Domain:** docker - **Category:** network_error - **Verification:** ai_generated - **Fix Rate:** 80% ## Root Cause Docker's iptables rule insertion fails because the DOCKER chain in the nat table does not exist, often due to Docker being configured to use ip6tables instead of iptables on systems with IPv6 disabled or misconfigured firewall policies. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | Docker 20.10.24 | active | — | — | | Docker 24.0.5 | active | — | — | | Docker 25.0.1 | active | — | — | ## Workarounds 1. **Restart the Docker daemon with 'sudo systemctl restart docker' after ensuring the iptables kernel modules are loaded: 'sudo modprobe iptable_nat && sudo modprobe iptable_filter'.** (85% success) ``` Restart the Docker daemon with 'sudo systemctl restart docker' after ensuring the iptables kernel modules are loaded: 'sudo modprobe iptable_nat && sudo modprobe iptable_filter'. ``` 2. **If IPv6 is disabled on the host, configure Docker to use only IPv4 by adding '{"ip6tables": false}' to /etc/docker/daemon.json and restarting Docker.** (90% success) ``` If IPv6 is disabled on the host, configure Docker to use only IPv4 by adding '{"ip6tables": false}' to /etc/docker/daemon.json and restarting Docker. ``` 3. **Reset Docker's network state completely: 'sudo systemctl stop docker', 'sudo rm -rf /var/lib/docker/network', then 'sudo systemctl start docker'. This forces Docker to recreate all network chains.** (80% success) ``` Reset Docker's network state completely: 'sudo systemctl stop docker', 'sudo rm -rf /var/lib/docker/network', then 'sudo systemctl start docker'. This forces Docker to recreate all network chains. ``` ## Dead Ends - **** — Flushing all rules removes the DOCKER chain entirely, which is the root cause; Docker will fail to recreate it if the underlying issue (e.g., missing kernel module) persists. (70% fail) - **** — This disables all port mapping and network isolation, breaking container connectivity; it is not a fix but a workaround that cripples networking. (40% fail) - **** — While this may temporarily fix the error, Docker expects the chain to be created automatically; manual creation may conflict with Docker's internal state and cause instability. (50% fail)