Docker failing to create IP table rules

Docker is failing to create new networks because of IP tables. There are no other firewalls on the server.

VERSION="22.04.2 LTS (Jammy Jellyfish)"

Docker version 28.0.2, build 0442a73

When I run docker compose up -d I get this error:
failed to create network streamlit-app_default: Error response from daemon: Failed to Setup IP tables: Unable to enable ACCEPT OUTGOING rule: (iptables failed: iptables --wait -t filter -A DOCKER-FORWARD -i br-8763c55b5500 -j ACCEPT: iptables: No chain/target/match by that name.

I have run systemctl restart docker and iptables --flush and still have the same error.
Please help, I am running out of options, as this service used to work initially.

Here are the last set of logs:

Mar 25 09:46:11 cacti dockerd[1582367]: time="2025-03-25T09:46:11.755543815+01:00" level=debug msg="error response for GET request" error-response="network streamlit-app_default not found" method=GET module=api request-url=/v1.48/networks/streamlit-app_default spanID=d3b0017a6e128099 status=404 traceID=ba35d2c2e1ae2aa2d735641af8eb5497 vars="map[id:streamlit-app_default version:1.48]"
Mar 25 09:46:11 cacti dockerd[1582367]: time="2025-03-25T09:46:11.756054333+01:00" level=debug msg="handling GET request" method=GET module=api request-url="/v1.48/networks?filters=%7B%22name%22%3A%7B%22streamlit-app_default%22%3Atrue%7D%7D" spanID=ee20477de5cdc205 traceID=ba35d2c2e1ae2aa2d735641af8eb5497 vars="map[version:1.48]"
Mar 25 09:46:11 cacti dockerd[1582367]: time="2025-03-25T09:46:11.756704677+01:00" level=debug msg="handling POST request" method=POST module=api request-url=/v1.48/networks/create spanID=7a40246c35ebc20d traceID=ba35d2c2e1ae2aa2d735641af8eb5497 vars="map[version:1.48]"
Mar 25 09:46:11 cacti dockerd[1582367]: time="2025-03-25T09:46:11.756921997+01:00" level=debug msg="Allocating IPv4 pools for network streamlit-app_default (8763c55b5500d5240256cf4e313cf91742898f74b811b920a5fd4e5066935b03)"
Mar 25 09:46:11 cacti dockerd[1582367]: time="2025-03-25T09:46:11.757117291+01:00" level=debug msg="RequestPool: {AddressSpace:LocalDefault Pool: SubPool: Options:map[] Exclude:[10.88.2.0/24 10.200.100.0/24 169.254.0.0/16 172.17.0.0/16 172.25.15.7/32 172.25.15.68/32 172.25.30.0/24] V6:false}"
Mar 25 09:46:11 cacti dockerd[1582367]: time="2025-03-25T09:46:11.757146127+01:00" level=debug msg="RequestAddress(LocalDefault/172.18.0.0/16, <nil>, map[RequestAddressType:com.docker.network.gateway])"
Mar 25 09:46:11 cacti dockerd[1582367]: time="2025-03-25T09:46:11.757161743+01:00" level=debug msg="Request address PoolID:172.18.0.0/16 Bits: 65536, Unselected: 65534, Sequence: (0x80000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0 Serial:false PrefAddress:invalid IP "
Mar 25 09:46:11 cacti dockerd[1582367]: time="2025-03-25T09:46:11.757231357+01:00" level=debug msg="Did not find any interface with name br-8763c55b5500: Link not found"
Mar 25 09:46:11 cacti dockerd[1582367]: time="2025-03-25T09:46:11.757251751+01:00" level=debug msg="Setting bridge mac address to f6:48:d9:8c:dc:04"
Mar 25 09:46:11 cacti dockerd[1582367]: time="2025-03-25T09:46:11.758750088+01:00" level=debug msg="Assigning address to bridge interface br-8763c55b5500: 172.18.0.1/16"

On Debian-based Linux, the following commands can give us some idea and help recognize an incorrectly installed Docker:

docker info
docker version

Review the output before sharing and remove confidential data if any appears (a public IP, for example).

dpkg -l 'docker*' | grep '^ii'
snap list docker

When you share the outputs, always format your posts according to the following guide: How to format your forum posts
(I edited your first post, you can check the edit history to see how I added code blocks)

Thank you @rimelek, taking note of that.
Running docker info:

Client: Docker Engine - Community
 Version:    28.0.2
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.22.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.34.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 3
  Running: 0
  Paused: 0
  Stopped: 3
 Images: 2
 Server Version: 28.0.2
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
 runc version: v1.2.4-0-g6c52b3f
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-52-generic
 Operating System: Ubuntu 22.04.2 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 5.788GiB
 Name: cacti
 ID: 33117cea-00d9-43b2-bf90-5a943f2e4421
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false

and dpkg -l 'docker*' | grep '^ii' gives the following output:

ii  docker                    1.5-2                         all          transitional package
ii  docker-buildx-plugin      0.22.0-1~ubuntu.22.04~jammy   amd64        Docker Buildx cli plugin.
ii  docker-ce                 5:28.0.2-1~ubuntu.22.04~jammy amd64        Docker: the open-source application container engine
ii  docker-ce-cli             5:28.0.2-1~ubuntu.22.04~jammy amd64        Docker CLI: the open-source application container engine
ii  docker-ce-rootless-extras 5:28.0.2-1~ubuntu.22.04~jammy amd64        Rootless support for Docker.
ii  docker-compose-plugin     2.34.0-1~ubuntu.22.04~jammy   amd64        Docker Compose (V2) plugin for the Docker CLI.

Thank you. Sorry for the slow response. So we know now that you are using the official Docker CE on Ubuntu 22.04. That should work. There are newer versions which you can install to see if it was fixed. 28.0.4 is the latest. I tested only on Ubuntu 24.04. You could also check if you have an up-to-date iptables.

But I think the error means that the DOCKER-FORWARD chain is missing from the rules, so it cannot be updated when you add a new Docker network, which Docker Compose does. The chain can be missing because another tool deletes it. It can be virtualization software, a firewall or any security tool.

You can read about iptables-related topics in the documentation.

Incorrect iptables rules are usually fixed when the Docker daemon is restarted, since it generates new rules then, but if you have anything that changes the rules, it will break them again.

If you want to check what the current rules are, you can run

iptables -S

And this is how it normally looks:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-BRIDGE
-N DOCKER-CT
-N DOCKER-FORWARD
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
-A DOCKER ! -i docker0 -o docker0 -j DROP
-A DOCKER-BRIDGE -o docker0 -j DOCKER
-A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-FORWARD -j DOCKER-CT
-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-FORWARD -j DOCKER-BRIDGE
-A DOCKER-FORWARD -i docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-USER -j RETURN

And you can see the DOCKER-FORWARD chain there. I deleted the chain and tried to create a docker network and I got the same error as you.
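To turn the "look for the DOCKER-FORWARD chain" check above (and the later question of whether any Docker chain or rule is present at all) into something repeatable, here is an added example that is not from the thread or from Docker itself. It reads an iptables -S listing on stdin and reports which Docker chains or FORWARD jumps are absent; the chain list is taken from the normal listing above, and the two sample listings are constructed.

```shell
# Added example, not from the thread: check an `iptables -S` listing for the
# filter-table chains and FORWARD jumps Docker 28 installs, so a missing
# DOCKER-FORWARD (the cause of the "No chain/target/match" error) is spotted.

# Chains Docker 28 creates in the filter table (taken from the normal listing above).
DOCKER_CHAINS="DOCKER DOCKER-BRIDGE DOCKER-CT DOCKER-FORWARD DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2 DOCKER-USER"

# Reads a listing on stdin; prints one line per missing chain or jump and
# returns 1 if anything is missing, 0 if the Docker chains are all in place.
check_docker_chains() {
    rules=$(cat)
    missing=0
    for chain in $DOCKER_CHAINS; do
        # "-N <chain>" is the chain definition; -x forces an exact-line match
        if ! printf '%s\n' "$rules" | grep -qx -- "-N $chain"; then
            echo "missing chain: $chain"
            missing=1
        fi
    done
    # Docker hooks its chains into FORWARD with these two jumps.
    for target in DOCKER-USER DOCKER-FORWARD; do
        if ! printf '%s\n' "$rules" | grep -qx -- "-A FORWARD -j $target"; then
            echo "missing jump: FORWARD -> $target"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: an abbreviated healthy listing based on the one in the thread.
HEALTHY_RULES='-P FORWARD DROP
-N DOCKER
-N DOCKER-BRIDGE
-N DOCKER-CT
-N DOCKER-FORWARD
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
-A DOCKER-FORWARD -j DOCKER-CT
-A DOCKER-FORWARD -i docker0 -j ACCEPT
-A DOCKER-USER -j RETURN'
# Constructed sample: the same listing with every DOCKER-FORWARD line removed,
# which is what the original poster's host looks like.
BROKEN_RULES=$(printf '%s\n' "$HEALTHY_RULES" | grep -v DOCKER-FORWARD)

printf '%s\n' "$BROKEN_RULES" | check_docker_chains \
    || echo "Docker chains incomplete: restart dockerd, then find what removes them"
```

On a live host run it as `iptables -S | check_docker_chains` (as root); running it again a few minutes after a dockerd restart shows whether something is deleting the chains afterwards.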

Just started seeing similar behavior 28.04 on arch. No errors in docker-compose start, but docker is failing to create iptables forwards for its network on startup. Not seeing an error in journalctl for this either. I'm manually working around this with

sudo iptables -I FORWARD 1 -s 172.19.0.0/16 -j ACCEPT
sudo iptables -I FORWARD 1 -d 172.19.0.0/16 -j ACCEPT

after inspecting the docker network to get the ip subclass.

Hi @rimelek, iptables - doesn't show me any DOCKER-FORWARD chain in iptables, and after doing a systemctl restart docker the error still persists.

Doing a systemctl status docker shows the following:

Mar 25 11:50:38 cacti dockerd[1617691]: time="2025-03-25T11:50:38.115714281+01:00" level=warning msg="error locating sandbox id cc1ffd3318fdc2d7be8309b88622a0273>
Mar 25 11:50:38 cacti dockerd[1617691]: time="2025-03-25T11:50:38.115749676+01:00" level=warning msg="error locating sandbox id ab998f75812ef7b942a90c81bcfe5015c>
Mar 25 11:50:38 cacti dockerd[1617691]: time="2025-03-25T11:50:38.115801716+01:00" level=info msg="Loading containers: done."
Mar 25 11:50:38 cacti dockerd[1617691]: time="2025-03-25T11:50:38.136072845+01:00" level=info msg="Docker daemon" commit=bea4de2 containerd-snapshotter=false sto>
Mar 25 11:50:38 cacti dockerd[1617691]: time="2025-03-25T11:50:38.136121865+01:00" level=info msg="Initializing buildkit"
Mar 25 11:50:38 cacti dockerd[1617691]: time="2025-03-25T11:50:38.203877290+01:00" level=info msg="Completed buildkit initialization"
Mar 25 11:50:38 cacti dockerd[1617691]: time="2025-03-25T11:50:38.207354896+01:00" level=info msg="Daemon has completed initialization"
Mar 25 11:50:38 cacti dockerd[1617691]: time="2025-03-25T11:50:38.207404292+01:00" level=info msg="API listen on /run/docker.sock"
Mar 25 11:50:38 cacti systemd[1]: Started Docker Application Container Engine.

You can try to update to the latest version, but all I can say is that the most likely scenario I can imagine is that something detects the IP tables change and deletes what Docker added.

It is also possible to disable iptables as described in the previously shared packet filtering and firewalls documentation, but then Docker would not fail to create a network either, and it could lead to other issues, so it is not likely to be related to the missing FORWARD chain. Do you see any Docker-related chain or rule at all?

Hello @rimelek, I have decided to bring up a new VM to run my workload, as none of the solutions we have discussed above worked for me.