Docker toolbox - iptables: No chain/target/match by that name.

[JamesWhitlock]

I'm trying to run this on Docker Toolbox v18.09.3 on Windows but am unable to get the image to boot successfully. I've struggling to debug this, would you be able to advise how I might debug this further?

I start the container:

$ docker run --name 'dockerhost' --cap-add=NET_ADMIN --cap-add=NET_RAW --restart on-failure -d qoomon/docker-host

And docker ps reports the container is constantly restarting. Docker logs reports:

$ docker logs dockerhost Docker Host: 172.17.0.1 (default gateway) iptables: No chain/target/match by that name. Docker Host: 172.17.0.1 (default gateway) iptables: No chain/target/match by that name. ...

$ docker -v Docker version 18.09.3, build 774a1f4eee

Disabling the entrypoint and attaching, I found the first call to iptables fails

iptables --table nat --insert PREROUTING --protocol tcp --match multiport --dports 0:65535 --jump DNAT --to-destination 172.17.0.1

Appears tables are empty:

/ # iptables -L -v Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination

[qoomon]

Unfortunately I have no access to a Windows computer however I found this https://docs.docker.com/docker-for-windows/networking/ you may can play around with some settings.

[qoomon]

Can you resolve host.docker.internal from within docker container?

[JamesWhitlock]

The issue is occuring within a virtualised boot2docker inside VirtualBox so should not be aware of the fact it is running on a windows host.

host.docker.internal does not resolve but it appears to find the gateway correctly 172.17.0.1

I'm not very au fait with iptables but it appears the problem is iptables can't find 'multiport'.

[qoomon]

Which virtual box base image do you use?

On Mon, 5 Aug 2019, 11:33 JamesWhitlock, notifications@github.com wrote:

The issue is occuring within a virtualised boot2docker inside VirtualBox so should not be aware of the fact it is running on a windows host.

host.docker.internal does not resolve but it appears to find the gateway correctly 172.17.0.1

I'm not very au fait with iptables but it appears the problem is iptables can't find 'multiport'.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/qoomon/docker-host/issues/23?email_source=notifications&email_token=AA6HUATDCYF4QAZLLGPCVXTQC7XX3A5CNFSM4II6SUYKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD3RIDZA#issuecomment-518160868, or mute the thread https://github.com/notifications/unsubscribe-auth/AA6HUAQTUHBDX6UY5VATKCDQC7XX3ANCNFSM4II6SUYA .

[qoomon]

May you can post the output of cat /proc/net/ip_tables_matches ?

[JamesWhitlock]

Docker toolbox uses boot2docker under the hood which is supplied with docker toolbox. Version my version is shipped with is https://github.com/boot2docker/boot2docker/releases/download/v18.09.3/boot2docker.iso

/ # cat /proc/net/ip_tables_matches addrtype conntrack conntrack conntrack state addrtype icmp policy udplite udp tcp

[qoomon]

Well as you already figured out, it's because of the missing multiport module.

Maybe I can install it? or implement a fallback for single nat rules.

[qoomon]

I think I found a way. WDYT

for forwarding_port in $(echo "$FORWARDING_PORTS" | tr ";" " ")
do
  iptables --table nat --insert PREROUTING --protocol tcp \
    --dport "$forwarding_port" --jump DNAT --to-destination $DOCKER_HOST
  iptables --table nat --insert PREROUTING --protocol udp \
    --dport "$forwarding_port" --jump DNAT --to-destination $DOCKER_HOST
done

[qoomon]

just release version 2.3.0

[JamesWhitlock]

Great, it seems to be working. Thank you.

[qoomon]

Glad to hear that.