Docker doesn't create chain rules in iptables

Hi,

Apologies if I’m not sufficiently explicit; it’s my first post about Docker, so please be kind, I’m discovering Docker.

:right_arrow: The trouble I have is that Docker doesn’t create the needed chains in iptables when starting a container on my Ubuntu 24.04.3 system.

Before the trouble began, I used docker-compose and it was OK: the DOCKER chains had been created in iptables.
I also used ufw, which works fine for me.

Then I decided to reinstall everything following best practice, and I had read:

The official Docker documentation said:

Docker and ufw use iptables in ways that make them incompatible with each other.

:check_box_with_check: I disabled ufw

The official Docker documentation said:

Docker is only compatible with iptables-nft (…) Firewall rules created with nft are not supported (…) Make sure that any firewall rulesets you use are created with iptables (..), and that you add them to the DOCKER-USER chain

ls -al /usr/sbin/iptables 
lrwxrwxrwx 1 root root 26 févr.  2  2020 /usr/sbin/iptables -> /etc/alternatives/iptables
ls -l /etc/alternatives/iptables 
lrwxrwxrwx 1 root root 22 août  20  2022 /etc/alternatives/iptables -> /usr/sbin/iptables-nft 

:check_box_with_check: iptables on my system is iptables-nft

The official Docker documentation said:

Before you can install Docker Engine, you need to uninstall any conflicting packages, as mentioned:

for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove $pkg; done

:check_box_with_check: Old packages removed

The official Docker documentation said:

Docker Engine comes bundled with Docker Desktop for Linux. This is the easiest and quickest way to get started.

:check_box_with_check: Docker Desktop Installed

Well. At this moment I have a fresh install.

I launch a new container and restore the database; it’s running well.

But Docker had not created all the Docker chain rules in iptables, as shown by these commands:

$ sudo iptables -F 
$ sudo iptables -X 
$ sudo iptables -t filter -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

$ docker compose up -d

$ sudo iptables -t filter -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination   

Here, no DOCKER chains in iptables!!!

:right_arrow: What I have verified :slight_smile::

  1. There isn’t any /etc/docker/daemon.json file.
  2. If I write one with this content, it’s the same thing:
{
  "log-level": "error",
  "iptables": true,
  "ip6tables": false,
  "ip-forward": true,
  "ip-masq": true,
  "ipv6": false
}

That’s where I am. I’m a little bit confused; it was working before I reinstalled everything. The main difference is that Docker Engine is now installed with Docker Desktop, as recommended in the official Docker documentation.

Should I reinstall everything without Docker Desktop?

Any help would be welcome. Thanks.

Regards.
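A quick way to tell whether the daemon has installed its chains on the host, rather than reading the full `-vnL` listings by eye, is to parse `iptables -S` for the `-N <chain>` lines. The script below is an added example, not code from the thread or from Docker; it checks only the two filter chains (DOCKER, DOCKER-USER) and the nat DOCKER chain that every Docker Engine release creates on a host install (the exact set of extra chains varies by Engine version, so that is an assumption kept deliberately small). The two sample dumps are constructed: the first mirrors the empty filter table shown above, the second a host where dockerd did its job.

```shell
#!/bin/sh
# Added example (not from the original thread): report which Docker iptables
# chains are missing from an `iptables -S` dump, offline on constructed samples
# or live on the host with --live (needs root to read the tables).

# Chains Docker Engine creates on a host install (assumption: minimal set
# common to all recent Engine versions; newer Engines add more).
FILTER_REQUIRED="DOCKER DOCKER-USER"
NAT_REQUIRED="DOCKER"

# missing_chains DUMP CHAIN...: print the required chains that have no
# "-N <chain>" line in DUMP. Exit status 0 when nothing is missing, 1 otherwise.
missing_chains() {
    dump=$1; shift
    missing=""
    for chain in "$@"; do
        # -x: whole-line match; -- : the pattern itself starts with a dash
        if ! printf '%s\n' "$dump" | grep -qx -- "-N $chain"; then
            missing="$missing $chain"
        fi
    done
    missing=${missing# }
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# check_host: dump the live filter and nat tables and report per table.
# Returns 0 when every required chain is present, 1 otherwise.
check_host() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables not found in PATH" >&2
        return 1
    fi
    status=0
    for table in filter nat; do
        dump=$(iptables -t "$table" -S 2>/dev/null) || {
            echo "cannot read table $table (run as root?)" >&2
            return 1
        }
        case $table in
            filter) req=$FILTER_REQUIRED ;;
            nat)    req=$NAT_REQUIRED ;;
        esac
        # $req is intentionally unquoted: one chain name per word
        if m=$(missing_chains "$dump" $req); then
            echo "table $table: all Docker chains present"
        else
            echo "table $table: missing chains: $m"
            status=1
        fi
    done
    return $status
}

# Constructed sample dumps. SAMPLE_EMPTY is what the poster's host shows
# (policies only); SAMPLE_DOCKER is a host where dockerd installed its chains.
SAMPLE_EMPTY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

SAMPLE_DOCKER='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j RETURN'

if [ "${1:-}" = "--live" ]; then
    check_host
else
    printf 'empty table  -> missing: [%s]\n' "$(missing_chains "$SAMPLE_EMPTY" $FILTER_REQUIRED)"
    printf 'docker table -> missing: [%s]\n' "$(missing_chains "$SAMPLE_DOCKER" $FILTER_REQUIRED)"
fi
```

Run it without arguments to see the two samples classified, or `sudo sh check-docker-chains.sh --live` on the host. On a Docker Desktop for Linux install the live check reports the chains missing even though containers run, because the daemon (and its iptables rules) lives inside Desktop's virtual machine rather than on the host.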

What does your compose file look like?

Here it is:

services:
  teslamate:
    image: teslamate/teslamate:latest
    restart: always
    environment:
      - ENCRYPTION_KEY=****
      - DATABASE_USER=****
      - DATABASE_PASS=****
      - DATABASE_NAME=teslamate
      - DATABASE_HOST=database
      - MQTT_HOST=mosquitto
    ports:
      - 4000:4000
    volumes:
      - ./import:/opt/app/import
    cap_drop:
      - all

  database:
    image: postgres:17-trixie
    restart: always
    environment:
      - POSTGRES_USER=****
      - POSTGRES_PASSWORD=****
      - POSTGRES_DB=teslamate
    volumes:
      - teslamate-db:/var/lib/postgresql/data

  grafana:
    image: teslamate/grafana:latest
    restart: always
    environment:
      - DATABASE_USER=****
      - DATABASE_PASS=****
      - DATABASE_NAME=teslamate
      - DATABASE_HOST=database
    ports:
      - 3000:3000
    volumes:
      - teslamate-grafana-data:/var/lib/grafana

  mosquitto:
    image: eclipse-mosquitto:2
    restart: always
    #ports:
    #  - 1883:1883
    volumes:
      - mosquitto-conf:/mosquitto/config
      - mosquitto-data:/mosquitto/data

  teslamateagile:
    image: mattjeanes/teslamateagile:latest
    restart: always
    environment:
      - DATABASE_USER=****
      - DATABASE_PASS=****
      - DATABASE_NAME=teslamate
      - DATABASE_HOST=database
      - TeslaMate__UpdateIntervalSeconds=300
      - TeslaMate__GeofenceId=1
      - TeslaMate__EnergyProvider=Octopus
      - TeslaMate__EnergyProvider=EDFTempo
      - EDFTempo__BaseUrl=https://www.api-couleur-tempo.fr/api/joursTempo # EDF Tempo API endpoint
      - EDFTempo__BLUE_HP=0.1552 # Blue day peak hours price (€/kWh)
      - EDFTempo__BLUE_HC=0.1288 # Blue day off-peak hours price (€/kWh)
      - EDFTempo__WHITE_HP=0.1792 # White day peak hours price (€/kWh)
      - EDFTempo__WHITE_HC=0.1447 # White day off-peak hours price (€/kWh)
      - EDFTempo__RED_HP=0.6586 # Red day peak hours price (€/kWh)
      - EDFTempo__RED_HC=0.1518 # Red day off-peak hours price (€/kWh)


volumes:
  teslamate-db:
  teslamate-grafana-data:
  mosquitto-conf:
  mosquitto-data:


It seems my teslamate container is not working very well. The last drive has not been recorded.

It seems these containers have no network.

Which seems to be verified here:

$ docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "c570327f2abd2225434aafa4a9bca4dab18fbedcdd7d29d59d7fe29a243f573b",
        "Created": "2025-09-10T11:05:20.498494627Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv4": true,
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

But by default, without any particular instruction in the compose file, it should be on bridge 0, shouldn’t it?

OK, I’m making progress. I don’t know why with such a compose file, but there is a specific bridge for these containers:

$ docker network ls
NETWORK ID     NAME                    DRIVER    SCOPE
97feeb141eac   app-teslamate_default   bridge    local
c570327f2abd   bridge                  bridge    local
3489a104c3bf   host                    host      local
3efba553dc9e   none                    null      local

And each container is configured with an IP from this bridge:

$ docker inspect -f '{{.Name}} - {{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $(docker ps -aq)
/app-teslamate-database-1 - 172.18.0.4
/app-teslamate-grafana-1 - 172.18.0.2
/app-teslamate-mosquitto-1 - 172.18.0.5
/app-teslamate-teslamate-1 - 172.18.0.6
/app-teslamate-teslamateagile-1 - 172.18.0.3

So they should have a network.

Hi,

I pulled and ran an nginx container just to see if it helps me understand… same trouble, no Docker chains in iptables.

So I decided to uninstall Docker Desktop (following the official documentation). Then I rebooted.

Then I installed Docker using the apt method. I tested with the hello-world image: the container is working and I have all the expected Docker chains in iptables!!!

At this point, it seems that installation via Docker Desktop isn’t working with iptables (on my system).

Now I’m going to try to configure iptables before I can call it a victory.

Regards.

Since Docker Desktop runs the daemon in a virtual machine, the iptables rules are in that virtual machine. It is not clear why you needed to see those rules, but yes, if you don’t need Docker Desktop’s additional features, you can use Docker CE and everything will be right on your host.

Thanks for this explanation. I understand now.

I have to expose 2 services on the internet. One is without Docker and the other within a Docker container.

If I have understood correctly, I need to put all my iptables rules in the DOCKER-USER chain (I was using UFW in the past), which will allow protecting local services as well as containers which do not have to be exposed.

Am I wrong?
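For the container side of that question, the pattern the Docker documentation describes is to put the restrictions in DOCKER-USER, which the FORWARD chain evaluates before Docker's own rules. The script below is an added example written for this thread's scenario, not code from the thread or from Docker: it assumes the internet-facing interface is `eth0` and that only the Teslamate port published in the compose file above (4000) should be reachable from outside, while the other containers (Grafana on 3000, Postgres, Mosquitto) stay LAN-only. It prints the rules by default and applies them only with `--apply`. Because DNAT has already happened when a packet reaches DOCKER-USER, the rules match the original destination port through `conntrack --ctorigdstport ... --ctdir ORIGINAL` rather than `--dport`. DOCKER-USER only sees forwarded traffic, so the service running directly on the host is still filtered by your INPUT rules.

```shell
#!/bin/sh
# Added example (not from the original thread): generate, and optionally
# apply, a DOCKER-USER ruleset that lets the internet reach only the listed
# published container ports. Assumptions: external interface eth0, published
# port 4000 (from the compose file in the thread); adjust EXT_IF / PORTS.

# docker_user_rules EXT_IF PORT...: print one iptables command per line.
# Exit status 2 if a port is not a plain number.
docker_user_rules() {
    ext_if=$1; shift
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
        esac
    done
    # Flush first so re-running the script is idempotent.
    echo "iptables -F DOCKER-USER"
    # Replies to connections that containers or the host initiated stay allowed.
    echo "iptables -A DOCKER-USER -i $ext_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # Allowed published ports, matched on the pre-DNAT destination port.
    for port in "$@"; do
        echo "iptables -A DOCKER-USER -i $ext_if -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j ACCEPT"
    done
    # Everything else arriving from the external interface for a container is dropped.
    echo "iptables -A DOCKER-USER -i $ext_if -j DROP"
    # Traffic from other interfaces (LAN, docker bridges) continues to Docker's rules.
    echo "iptables -A DOCKER-USER -j RETURN"
}

# apply_docker_user_rules EXT_IF PORT...: run each generated command (root).
apply_docker_user_rules() {
    docker_user_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1   # exit the loop's subshell; pipeline fails
    done
}

if [ "${1:-}" = "--apply" ]; then
    shift
    apply_docker_user_rules "$@"
else
    # $PORTS is intentionally unquoted: one port per word
    docker_user_rules "${EXT_IF:-eth0}" ${PORTS:-4000}
fi
```

Usage: `sh docker-user-rules.sh` prints the ruleset for review; `PORTS="4000 443" sh docker-user-rules.sh` widens it; `sudo sh docker-user-rules.sh --apply eth0 4000` installs it. The rules do not survive a reboot on their own, so persist them with whatever the distribution uses (for example iptables-persistent), and re-check with `sudo iptables -S DOCKER-USER` after the daemon restarts, since Docker recreates the chain but does not remove rules you added to it.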

Docker’s own port forwarding should be enough. The iptables rules can be used whenever you need something extra, but I have never needed that.
