Have you tried restarting the docker daemon afterwards?

Best regards,
Radek Gruchalski
ra...@gruchalski.com
de.linkedin.com/in/radgruchalski/

Confidentiality:
This communication is intended for the above-named person and may be confidential and/or legally privileged.
If it has come to you in error you must take no action based on it, nor must you copy or show it to anyone; please delete/destroy and inform the sender immediately.

On Wednesday, 13 April 2016 at 21:53, Alfredo Carneiro wrote:
> Hey Rad,
>
> Thanks for your answer! I have added these lines and now it looks very similar to before.
>
> iptables -N DOCKER
> iptables -A FORWARD -o docker0 -j DOCKER
> iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
>
> However, I am still getting errors.
>
> docker: Error response from daemon: failed to create endpoint cranky_kilby on network bridge: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8080 -j DNAT --to-destination 172.17.0.2:8080 ! -i docker0: iptables: No chain/target/match by that name.
> (exit status 1).
>
> This is my iptables -L output:
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> DOCKER     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
>
> Chain DOCKER (1 references)
> target     prot opt source               destination
>
> I hid the INPUT chain because it is very big!
>
> Best Regards,
>
> On Wed, Apr 13, 2016 at 4:29 PM, Rad Gruchalski <ra...@gruchalski.com> wrote:
> > Hi Alfredo,
> >
> > The only thing you need is:
> >
> > -A FORWARD -o docker0 -j DOCKER
> > -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> > -A FORWARD -i docker0 -o docker0 -j ACCEPT
> >
> > Best regards,
> > Radek Gruchalski
> >
> > On Wednesday, 13 April 2016 at 21:27, Alfredo Carneiro wrote:
> > > Hello guys,
> > >
> > > I don't know if that is the right place to ask. So, since we use public cloud, we are trying to harden our servers, allowing traffic just from our subnetworks. However, when I tried to implement some iptables rules I got problems with Docker, which couldn't find its chain anymore.
> > >
> > > Then, I am wondering if anyone has ever implemented any iptables rule in this scenario.
> > >
> > > I've seen this[1] "tip", however, I think that it does not apply to this case, because it is very "static".
> > >
> > > [1] - https://fralef.me/docker-and-iptables.html
> > >
> > > Best Regards,
> > >
> > > --
> > > Alfredo Miranda
>
> --
> Alfredo Miranda
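
Added example, not part of the e-mail thread: a POSIX shell check that reads an `iptables-save` dump and reports whether the chain a failed `iptables -A` command appends to exists in the table that command names. The dump is constructed and the function names are this example's own; the failed command is the one quoted in the error above, which targets the nat table, whereas `iptables -N DOCKER` without `-t` creates the chain in the filter table.

```shell
# Constructed iptables-save dump (abbreviated): DOCKER exists only in filter,
# the state left by a plain "iptables -N DOCKER" (no -t means filter).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
COMMIT'
# Failed command copied from the daemon error quoted in the thread.
SAMPLE_ERR='iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8080 -j DNAT --to-destination 172.17.0.2:8080 ! -i docker0'

# rule_target CMD: print "TABLE CHAIN" for an iptables -A/-I command line.
rule_target() {
    set -f; set -- $1; set +f        # split on whitespace, no globbing
    table=filter chain=              # iptables defaults to the filter table
    while [ $# -gt 0 ]; do
        case $1 in
            -t)    [ $# -gt 1 ] && { table=$2; shift; } ;;
            -A|-I) [ $# -gt 1 ] && { chain=$2; shift; } ;;
        esac
        shift
    done
    printf '%s %s\n' "$table" "$chain"
}

# chain_in_table TABLE CHAIN: exit 0 if the dump on stdin declares CHAIN
# (a ":CHAIN POLICY [pkts:bytes]" line) inside the "*TABLE" section.
chain_in_table() {
    awk -v t="$1" -v c="$2" '
        /^\*/ { cur = substr($0, 2) }
        /^:/  { if (cur == t && substr($1, 2) == c) ok = 1 }
        END   { exit !ok }
    '
}

# diagnose CMD: read a dump on stdin and report on the chain CMD appends to.
diagnose() {
    target=$(rule_target "$1")
    if chain_in_table "${target% *}" "${target#* }"; then
        echo "ok: chain ${target#* } exists in table ${target% *}"
    else
        echo "missing: chain ${target#* } is not defined in table ${target% *}"
    fi
}
printf '%s\n' "$SAMPLE_DUMP" | diagnose "$SAMPLE_ERR"
```

On a live host, pipe the output of `iptables-save` (run as root) into `diagnose` in place of the sample dump.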