Issues between docker and firewalld/iptables

dan

OpenSUSE 15.3 user here. I broke the default rules created by docker on iptables and can't figure out how to repair this. I tried reinstalling docker already. Here is what happens:

vm-dev:~ # systemctl start docker

vm-dev:~ # tail /var/log/messages | grep firewalld
2022-04-21T00:53:25.607359-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
2022-04-21T00:53:25.610567-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2022-04-21T00:53:25.614009-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2022-04-21T00:53:25.646315-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
2022-04-21T00:53:25.649905-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
2022-04-21T00:53:25.705446-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2022-04-21T00:53:25.890988-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

Then, every time I do `firewall-cmd --reload`, I get:

2022-04-21T00:53:35.536326-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

Here is some additional info from the comments:

vm-dev:~ # iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Some additional info requested by @4snok:

vm-dev:~ # find /etc/firewalld/ -name "*.xml"
/etc/firewalld/lockdown-whitelist.xml
/etc/firewalld/zones/public.xml
/etc/firewalld/zones/trusted.xml
/etc/firewalld/zones/docker.xml

vm-dev:~ # cat /etc/firewalld/zones/docker.xml
<?xml version="1.0" encoding="utf-8"?>
<zone version="1.0" target="ACCEPT">
  <short>docker</short>
  <description>zone for docker bridge network interfaces</description>
  <interface name="docker0"/>
</zone>

I have no docker currently running. In fact, I uninstalled docker, deleted /var/lib/docker completely, then reinstalled and the errors are still present. The docker0 interface is in the docker zone in firewalld. I don't see anything special in there. What do I need to do to fix these errors? Any help would be appreciated.

Stephan Pieterse
From the first error, do you have a chain in iptables called DOCKER? `iptables -t nat --list` should show it when run with `sudo`. If it's not there you can try adding it with `iptables -t nat -N DOCKER` and trying again.
dan
@StephanPieterse `DOCKER` is there, I added the output to the main post.
What failures are you experiencing? Those are warnings, and I'd question if warning is probably a bit too excessive for that log message. Info would probably be more appropriate.
dan
The warnings weren't there after a fresh install. I'm not experiencing any failures however, just warnings in logs that are monitored by Nagios...
4snok
The `D`, `F` and `X` flags remove rules. Essentially docker is trying to delete nonexistent rules :)
dan
@4snok this is when the docker service is launched, or whenever the firewall is reloaded. What do I have to edit in firewalld to prevent it trying to delete a rule when it is reloaded?
4snok
Check this file: /etc/firewalld/direct.xml. It should contain your problem rules.
4snok
If it's a dev server, you can remove this file and reinstall docker.
dan
@4snok I edited my original message with the content of /etc/firewalld/; there is no direct.xml. I also tried deleting docker.xml, but that didn't help either.
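As an added example (not from the question or any of the commenters), here is a triage script for the warnings dan is monitoring: it parses firewalld COMMAND_FAILED lines, pulls out the iptables table, action flag and chain, and separates the harmless case 4snok describes (a -D/-F/-X on a rule or chain that is already gone) from a failed add that should actually alert. The sample log lines are constructed; the last one is a hypothetical -A failure that does not appear in the question.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: three lines copied in shape from the question, plus one
# hypothetical "-A" failure to show the case that should actually alert.
SAMPLE_LOG = """\
2022-04-21T00:53:25.607359-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
2022-04-21T00:53:25.649905-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
2022-04-21T00:53:25.705446-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2022-04-21T00:53:40.000000-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -A POSTROUTING -s 172.17.0.0/16 -j MASQUERADE' failed: iptables: No chain/target/match by that name.
"""

REMOVE_FLAGS = {"-D", "-F", "-X"}  # remove state; failing on an absent rule/chain is harmless
MODIFY_FLAGS = {"-A", "-I", "-N", "-R", "-P"}  # add/replace state; failure means the rule is missing
MISSING_ERRORS = ("No chain/target/match by that name", "Bad rule")
LOG_RE = re.compile(r"COMMAND_FAILED: '(?P<cmd>[^']*)' failed: (?P<err>.*)$")

@dataclass
class FailedCommand:
    table: str
    action: str
    chain: str
    error: str
    benign: bool

def parse_failed_command(line: str) -> Optional[FailedCommand]:
    """Pull the iptables table, action flag and chain out of one COMMAND_FAILED line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    argv = shlex.split(m.group("cmd"))
    table, action, chain = "filter", "", ""  # iptables defaults to the filter table
    for i, tok in enumerate(argv):
        if tok == "-t" and i + 1 < len(argv):
            table = argv[i + 1]
        elif tok in REMOVE_FLAGS or tok in MODIFY_FLAGS:
            action = tok
            chain = argv[i + 1] if i + 1 < len(argv) else ""
    err = m.group("err").strip()
    benign = action in REMOVE_FLAGS and any(s in err for s in MISSING_ERRORS)
    return FailedCommand(table, action, chain, err, benign)

def triage(log_text: str) -> List[FailedCommand]:
    return [fc for fc in map(parse_failed_command, log_text.splitlines()) if fc]

def actionable(log_text: str) -> List[FailedCommand]:
    """Only the failures a Nagios-style log check should alert on."""
    return [fc for fc in triage(log_text) if not fc.benign]
```

Feeding `tail /var/log/messages | grep firewalld` into `triage` reproduces the picture from the question: every warning there is a delete of something already gone, so `actionable` stays empty until a real add fails.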