
Resolving Docker Iptables Network Errors

When attempting to run docker compose up -d on a fresh Docker installation or after a firewall reload, the process fails during network creation.

Error Message

failed to create network [network_name]: Error response from daemon: Failed to Setup IP tables: Unable to enable ACCEPT OUTGOING rule: (iptables failed: iptables --wait -t filter -A DOCKER-FORWARD ... No chain/target/match by that name.)

Root Cause Analysis

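This error occurs because Docker relies on its own iptables chains (specifically DOCKER and DOCKER-FORWARD) to manage container traffic. The failing command in the error message tries to append a rule to DOCKER-FORWARD, and iptables reports that the chain does not exist.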

There are two primary reasons these chains go missing:

  1. Fresh Installation: On a new installation, the Docker daemon may start before the networking stack or firewall rules are fully initialised.
  2. Firewall Flush: If you reload a firewall (e.g., ufw, firewalld, or YunoHost's firewall), the system often "flushes" (deletes) all existing rules, including the ones Docker injected. Docker does not automatically recreate these until the service is restarted.

Solutions

Step 1: Restart the Docker Daemon (Primary Fix)

In 90% of cases, simply forcing Docker to re-initialise will recreate the missing chains.

sudo systemctl restart docker

After running this, try your deployment again:

docker compose up -d
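To confirm that missing chains are the cause before restarting, the check below looks for the DOCKER and DOCKER-FORWARD chain declarations in the filter table. It is an added example, not part of the original page; the function names and the two sample rule listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect missing Docker chains in `iptables -t filter -S` output.

# Chains named in the root cause analysis above.
REQUIRED_CHAINS="DOCKER DOCKER-FORWARD"

# missing_docker_chains (hypothetical helper): reads `iptables -S` style output
# on stdin and prints each required chain that has no "-N <chain>" line.
missing_docker_chains() {
    rules=$(cat)
    for chain in $REQUIRED_CHAINS; do
        # -x matches whole lines, so "-N DOCKER-FORWARD" does not count as "DOCKER".
        printf '%s\n' "$rules" | grep -qxF -- "-N $chain" || printf '%s\n' "$chain"
    done
}

# Constructed sample: filter table after a firewall reload flushed Docker's chains.
SAMPLE_FLUSHED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-user-input
-A INPUT -j ufw-user-input'

# Constructed sample: filter table after Docker has re-initialised.
SAMPLE_HEALTHY='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-FORWARD
-A FORWARD -j DOCKER-FORWARD'

# check_and_restart (hypothetical helper): live use, needs root.
# Restarts Docker only when a required chain is actually missing.
check_and_restart() {
    missing=$(iptables --wait -t filter -S | missing_docker_chains)
    if [ -n "$missing" ]; then
        echo "missing chains: $(echo $missing)"
        systemctl restart docker
    else
        echo "Docker chains present; no restart needed"
    fi
}
```

Source the file and run check_and_restart as root. If it reports the chains as present, the error has a different cause and Step 2 is the next thing to try.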

Step 2: Clear Stale Networks (If Step 1 Fails)

If the network definition itself is "stuck" in a half-created state:

  1. Identify the network: docker network ls
  2. Remove the specific network: docker network rm [network_name]
  3. Re-run docker compose up -d

Step 3: Service Dependency (Advanced)

If this happens on every reboot, check Docker's service unit file and make sure Docker is ordered to start only after the firewall is ready. For one-off occurrences, a manual restart is usually sufficient.


Best Practices for Information Literacy

  • Order of Operations: Always start or restart your firewall before starting Docker.
  • Documentation: When installing new services (like Memos), always verify that the Docker daemon is fully initialised and healthy using systemctl status docker.
  • Recovery: If you experience "No chain/target/match" errors, your first instinct should be a service restart rather than a system reboot.