Docker Community Forums

About correct starting order for docker daemon and firewalld daemon

Hello,
I installed Docker on CentOS 7 and enabled automatic startup of the docker daemon service when CentOS starts, using the “systemctl enable docker” command.
As a result, the following system startup files have been created.

  << docker.service file >>
  # cat /etc/systemd/system/multi-user.target.wants/docker.service
  [Unit]
  Description=Docker Application Container Engine
  Documentation=https://docs.docker.com
  :
  After=network-online.target firewalld.service containerd.service
  :

Looking at the above file, docker.service starts after the firewalld.service daemon by default (I haven’t edited the docker.service file; the above is the default).
However, if the docker daemon starts after the firewalld daemon, the following errors occur in the firewalld daemon.

Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-ISOLATION’ failed: iptables v1.4.21: Couldn’t load target DOCKER-ISOLATION':No such file or directory#012#012Try iptables -h’ or ‘iptables --help’ for more information.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER’ failed: iptables v1.4.21: Couldn’t load target DOCKER':No such file or directory#012#012Try iptables -h’ or ‘iptables --help’ for more information.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER’ failed: iptables v1.4.21: Couldn’t load target DOCKER':No such file or directory#012#012Try iptables -h’ or ‘iptables --help’ for more information.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER’ failed: iptables v1.4.21: Couldn’t load target DOCKER':No such file or directory#012#012Try iptables -h’ or ‘iptables --help’ for more information.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -D PREROUTING’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -D OUTPUT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -F DOCKER’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -X DOCKER’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -F DOCKER’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -X DOCKER’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -F DOCKER-ISOLATION-STAGE-1’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION-STAGE-1’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -F DOCKER-ISOLATION-STAGE-2’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION-STAGE-2’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -F DOCKER-ISOLATION’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -n -L DOCKER’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -n -L DOCKER’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -n -L DOCKER-ISOLATION-STAGE-1’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -n -L DOCKER-ISOLATION-STAGE-2’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION-STAGE-1 -j RETURN’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION-STAGE-2 -j RETURN’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.18.0.0/16 ! -o br-da5bdd39808e -j MASQUERADE’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -C DOCKER -i br-da5bdd39808e -j RETURN’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -D FORWARD -i br-da5bdd39808e -o br-da5bdd39808e -j DROP’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -i br-da5bdd39808e -o br-da5bdd39808e -j ACCEPT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -i br-da5bdd39808e ! -o br-da5bdd39808e -j ACCEPT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -o br-da5bdd39808e -j DOCKER’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -o br-da5bdd39808e -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-ISOLATION-STAGE-1’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION-STAGE-1 -i br-da5bdd39808e ! -o br-da5bdd39808e -j DOCKER-ISOLATION-STAGE-2’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION-STAGE-2 -o br-da5bdd39808e -j DROP’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:15 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP’ failed: iptables: Bad rule (does a matching rule exist in that chain?).

Apr 12 20:16:16 ybdv10039 dockerd: time=“2021-04-12T20:16:16.271209781+09:00” level=info msg=“Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address”
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -n -L DOCKER-USER’ failed: iptables: No chain/target/match by that name.
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C DOCKER-USER -j RETURN’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:16 ybdv10039 firewalld[6055]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-USER’ failed: iptables: No chain/target/match by that name.

I am using CentOS’s “Firewalld” to restrict access to a docker container (for redis), but when the above errors occur, the access restriction does not work properly.

As a result of our verification, if the firewalld daemon is started after the docker daemon has started, no error occurs and firewalld applies the access restrictions correctly.

Is [After=firewalld.service] in the docker.service file above correct?

<< Version Information >>
CentOS: 7
Docker: Docker Engine - Community 19.03.15

Best regards,
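As an added example (not part of the original post), a small Python parser that pulls the iptables command and failure reason out of firewalld COMMAND_FAILED journal lines and lists which Docker-managed chains iptables reported as absent while firewalld was applying its rules, so an operator can confirm the ordering problem from the journal instead of reading the warnings one by one. The sample log is constructed from the lines quoted above (shortened, host name replaced by a placeholder); the function names are my own.

```python
import re
import shlex

# Constructed sample modelled on the firewalld warnings quoted in the post above.
SAMPLE_LOG = """\
Apr 12 20:16:15 host firewalld[6055]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-ISOLATION' failed: iptables v1.4.21: Couldn't load target `DOCKER-ISOLATION':No such file or directory
Apr 12 20:16:15 host firewalld[6055]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -F DOCKER' failed: iptables: No chain/target/match by that name.
Apr 12 20:16:15 host firewalld[6055]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION-STAGE-1 -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 12 20:16:16 host dockerd: time="2021-04-12T20:16:16+09:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16."
Apr 12 20:16:16 host firewalld[6055]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-USER' failed: iptables: No chain/target/match by that name.
"""

# Accept both the straight quotes firewalld writes and the curly quotes a forum may render.
FAILED_RE = re.compile(
    r"COMMAND_FAILED: [‘'](?P<cmd>/usr/sbin/ip6?tables [^’']*)[’'] failed: (?P<reason>.*)$")
# iptables options whose next token names a chain.
CHAIN_OPS = {"-A", "-C", "-D", "-F", "-I", "-L", "-N", "-X"}


def parse_failure(line):
    """Return (table, chain, target, reason) for one COMMAND_FAILED line, else None."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    toks = shlex.split(m.group("cmd"))
    table, chain, target = "filter", None, None  # iptables defaults to the filter table
    for i, tok in enumerate(toks[:-1]):
        if tok == "-t":
            table = toks[i + 1]
        elif tok in CHAIN_OPS:
            chain = toks[i + 1]
        elif tok == "-j":
            target = toks[i + 1]
    return table, chain, target, m.group("reason")


def missing_docker_objects(log_text):
    """Docker-managed chains, as (table, name), that iptables reported as non-existent.

    'Bad rule' failures are skipped: they mean the rule was absent, not the chain."""
    missing = set()
    for line in log_text.splitlines():
        rec = parse_failure(line)
        if rec is None:
            continue
        table, chain, target, reason = rec
        if "No chain/target/match" in reason or "load target" in reason:
            for name in (chain, target):
                if name and name.startswith("DOCKER"):
                    missing.add((table, name))
    return missing


if __name__ == "__main__":
    for table, name in sorted(missing_docker_objects(SAMPLE_LOG)):
        print(f"chain {name} absent from table {table} while firewalld ran")
```

If the set is non-empty after a firewalld start or reload, Docker's chains were not in place at that moment, which matches the symptom described in the post.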