docker版本使用 -m iptables好像有权限问题

[happy4041]

运行的命令是：docker run -d -v /root/jiaoben:/opt2 --restart=always --net=host --name natter_qb nattertool/natter -m iptables -k 5 -e /opt2/qb.sh

错误如下： 2024-01-30 16:32:53 [I] Natter v2.0.0-rc1 iptables v1.8.9 (legacy): can't initialize iptables table nat': Permission denied (you must be root) Perhaps iptables or your kernel needs to be upgraded. OSError: iptables >= (1, 4, 1) not available 2024-01-30 16:32:53 [I] Natter v2.0.0-rc1 iptables v1.8.9 (legacy): can't initialize iptables tablenat': Permission denied (you must be root) Perhaps iptables or your kernel needs to be upgraded. OSError: iptables >= (1, 4, 1) not available 2024-01-30 16:32:53 [I] Natter v2.0.0-rc1 iptables v1.8.9 (legacy): can't initialize iptables table nat': Permission denied (you must be root) Perhaps iptables or your kernel needs to be upgraded. OSError: iptables >= (1, 4, 1) not available 2024-01-30 16:32:54 [I] Natter v2.0.0-rc1 iptables v1.8.9 (legacy): can't initialize iptables tablenat': Permission denied (you must be root) Perhaps iptables or your kernel needs to be upgraded. OSError: iptables >= (1, 4, 1) not available 2024-01-30 16:32:55 [I] Natter v2.0.0-rc1 iptables v1.8.9 (legacy): can't initialize iptables table nat': Permission denied (you must be root) Perhaps iptables or your kernel needs to be upgraded. OSError: iptables >= (1, 4, 1) not available 2024-01-30 16:32:57 [I] Natter v2.0.0-rc1 iptables v1.8.9 (legacy): can't initialize iptables tablenat': Permission denied (you must be root) Perhaps iptables or your kernel needs to be upgraded. OSError: iptables >= (1, 4, 1) not available

[MikeWang000000]

请阅读文档： https://github.com/MikeWang000000/Natter/blob/master/natter-docker/README.md

参考 “使用 iptables 内核转发” 部分，再尝试报错是否消失？

[happy4041]

您好，我按照您的文档使用了--cap-add=NET_ADMIN --cap-add=NET_RAW 这两个参数启动docker，但好像还是启动不起来。

我补充一下运行这个命令的设备，是在x86 esxi虚拟机群晖的docker里运行的，启动的方式是群晖ssh使用docker命令启动，创建并启动docker容器命令：docker run -d -v /volume1/docker/natter:/opt2 --restart=always --net=host --cap-add=NET_ADMIN --cap-add=NET_RAW --name natter_qb nattertool/natter -m iptables -k 5 -e /opt2/qb.sh

报错如下： 2024-02-01 18:10:37 [I] Natter v2.0.0-rc1 Warning: Extension comment revision 0 not supported, missing kernel module? iptables: No chain/target/match by that name. subprocess.CalledProcessError: Command '['iptables', '-w', '-t', 'nat', '-I', 'NATTER', '-p', 'tcp', '--dst', '192.168.1.26', '--dport', '32852', '-j', 'DNAT', '--to-destination', '192.168.1.26:48205', '-m', 'comment', '--comment', 'NATTER_UUID=6ae376e8-b404-4801-ad8d-fa086c29e427']' returned non-zero exit status 1. 2024-02-01 18:11:07 [I] Natter v2.0.0-rc1 Warning: Extension comment revision 0 not supported, missing kernel module? iptables: No chain/target/match by that name. subprocess.CalledProcessError: Command '['iptables', '-w', '-t', 'nat', '-I', 'NATTER', '-p', 'tcp', '--dst', '192.168.1.26', '--dport', '38543', '-j', 'DNAT', '--to-destination', '192.168.1.26:48357', '-m', 'comment', '--comment', 'NATTER_UUID=7b1fed1d-12c4-4f9a-84b8-bf035a9693b2']' returned non-zero exit status 1. 2024-02-01 18:12:03 [I] Natter v2.0.0-rc1 Warning: Extension comment revision 0 not supported, missing kernel module? iptables: No chain/target/match by that name. subprocess.CalledProcessError: Command '['iptables', '-w', '-t', 'nat', '-I', 'NATTER', '-p', 'tcp', '--dst', '192.168.1.26', '--dport', '39190', '-j', 'DNAT', '--to-destination', '192.168.1.26:48208', '-m', 'comment', '--comment', 'NATTER_UUID=af59bbaf-1ffe-4ee7-8c9e-f6b0a1669aba']' returned non-zero exit status 1. 2024-02-01 18:13:08 [I] Natter v2.0.0-rc1 Warning: Extension comment revision 0 not supported, missing kernel module? iptables: No chain/target/match by that name. subprocess.CalledProcessError: Command '['iptables', '-w', '-t', 'nat', '-I', 'NATTER', '-p', 'tcp', '--dst', '192.168.1.26', '--dport', '39586', '-j', 'DNAT', '--to-destination', '192.168.1.26:48328', '-m', 'comment', '--comment', 'NATTER_UUID=884300f3-c7fe-4ecb-bc9f-64ce34879106']' returned non-zero exit status 1.

[happy4041]

问题解决了，群晖自带的iptables是阉割版，要安装系统缺失的一些iptables模块就好了。