The Docker daemon failed to manage iptables rules because it couldn’t find specific chains or targets it expected to exist.

This usually means something else is already managing iptables, and Docker’s assumptions are being violated.

Cause 1: iptables-persistent is actively managing rules.

  • Diagnosis: Check if iptables-persistent is running and has rules saved.

    sudo systemctl status netfilter-persistent
    sudo iptables-save > ~/iptables-save.bak
    

    If netfilter-persistent is active and iptables-save outputs rules (not just empty *filter lines), this is likely your culprit.

  • Fix: Temporarily stop iptables-persistent and let Docker manage iptables.

    sudo systemctl stop netfilter-persistent
    sudo systemctl disable netfilter-persistent
    sudo systemctl stop docker
    sudo systemctl start docker
    

    This allows Docker to create its DOCKER and DOCKER-ISOLATION-STAGE-1 chains without conflict.

  • Why it works: iptables-persistent saves and loads rules on boot, effectively "owning" the iptables state. Stopping it relinquishes control, allowing Docker to initialize its network components cleanly.

Cause 2: ufw (Uncomplicated Firewall) is enabled and managing iptables.

  • Diagnosis: Check if ufw is active.

    sudo ufw status
    

    If ufw is active, it’s likely interfering.

  • Fix: Disable ufw and allow Docker to manage iptables.

    sudo ufw disable
    sudo systemctl restart docker
    

    You’ll need to re-implement any specific ufw rules you need directly in Docker or via other firewall management tools.

  • Why it works: ufw is a frontend for iptables and manages its own chains. Docker’s attempt to create its standard chains will fail if ufw has already established its own structure and rules.

Cause 3: Manual iptables rules have been added that conflict with Docker’s expected chains.

  • Diagnosis: Inspect your current iptables rules.

    sudo iptables -L -n -v
    

    Look for any custom chains or rules that might overlap with Docker’s naming conventions (e.g., DOCKER, DOCKER-USER, DOCKER-ISOLATION-STAGE-1).

  • Fix: Remove conflicting custom rules or chains. For example, if you find a DOCKER chain that was created by hand rather than by the daemon, flush and delete it in both tables Docker uses (a chain cannot be deleted while another rule still jumps to it, so flush any rule that references it first):

    sudo iptables -t filter -F DOCKER  # Flush the chain in the filter table
    sudo iptables -t filter -X DOCKER  # Delete it (fails while a rule still jumps to it)
    sudo iptables -t nat -F DOCKER     # Docker also keeps a DOCKER chain in the nat table
    sudo iptables -t nat -X DOCKER
    sudo systemctl restart docker

    Be cautious when removing rules; back them up first with iptables-save so you can restore them with iptables-restore.

  • Why it works: Docker expects to create and control specific chains for its networking. If these chains already exist with different configurations or are deleted entirely due to manual intervention, Docker cannot proceed.
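    To make the "look for Docker's chains" check above repeatable, here is an added example (not part of the original article) that parses iptables-save output and reports which of the chains Docker expects are missing in which table. The input below is a constructed excerpt with several chains deliberately absent; on a live host you would pipe `sudo iptables-save` into the same function instead.

```shell
#!/bin/sh
# Constructed iptables-save excerpt: the filter table has DOCKER and DOCKER-USER,
# but both DOCKER-ISOLATION-STAGE chains are absent and nat has no DOCKER chain.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# has_chain TABLE CHAIN: reads iptables-save text on stdin and succeeds only if
# a ":CHAIN ..." declaration appears inside the "*TABLE" section.
has_chain() {
    awk -v t="*$1" -v c=":$2" '
        /^\*/ { in_t = ($0 == t); next }
        in_t && $1 == c { found = 1 }
        END { exit !found }'
}

# missing_docker_chains: reads iptables-save text on stdin, prints one
# "table chain" line per chain Docker expects but cannot find, and returns 1
# if anything is missing (0 when the full set is present).
missing_docker_chains() {
    save=$(cat)
    rc=0
    for spec in filter:DOCKER filter:DOCKER-USER \
                filter:DOCKER-ISOLATION-STAGE-1 filter:DOCKER-ISOLATION-STAGE-2 \
                nat:DOCKER; do
        table=${spec%%:*}; chain=${spec#*:}
        if ! printf '%s\n' "$save" | has_chain "$table" "$chain"; then
            printf '%s %s\n' "$table" "$chain"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed sample (live host: sudo iptables-save | missing_docker_chains)
printf '%s\n' "$SAMPLE_SAVE" | missing_docker_chains \
    || echo "Docker will fail to find the chains listed above"
```

    A non-empty report points you at Cause 1 through 3 (something else owns or has altered the chains); an empty one with the daemon still failing points at Causes 4 through 6.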

Cause 4: The iptables service is not running or is misconfigured.

  • Diagnosis: Check the status of the iptables service.

    sudo systemctl status iptables
    

    Also, check if the netfilter-persistent service (which often handles iptables loading) is running.

    sudo systemctl status netfilter-persistent
    
  • Fix: Ensure the iptables service is enabled and started.

    sudo systemctl enable iptables
    sudo systemctl start iptables
    # If using netfilter-persistent, ensure it's also running
    sudo systemctl enable netfilter-persistent
    sudo systemctl start netfilter-persistent
    sudo systemctl restart docker
    
  • Why it works: Docker relies on the underlying iptables binary and its associated services to manage firewall rules. If these services are not active, Docker cannot execute the necessary iptables commands.

Cause 5: Docker’s network configuration is corrupted or not initialized.

  • Diagnosis: Docker’s network configuration is stored in /var/lib/docker/network/. Check for recent modifications or signs of corruption.

    ls -l /var/lib/docker/network/
    
  • Fix: Remove Docker’s network configuration and let it rebuild.

    sudo systemctl stop docker
    sudo rm -rf /var/lib/docker/network/*
    sudo systemctl start docker
    

    Warning: This will remove all custom Docker networks. You will need to recreate them.

  • Why it works: Docker uses this directory to store definitions for its networks, including the iptables rules associated with them. Deleting and recreating allows Docker to re-initialize these configurations from scratch.

Cause 6: Kernel modules for netfilter/iptables are not loaded.

  • Diagnosis: Check if the relevant kernel modules are loaded.

    lsmod | grep ip_tables
    lsmod | grep x_tables
    lsmod | grep nf_nat
    

    If these are missing, iptables commands will fail.

  • Fix: Load the necessary modules manually.

    sudo modprobe ip_tables
    sudo modprobe x_tables
    sudo modprobe nf_nat
    sudo systemctl restart docker
    

    If these modules are not available, your kernel might not be compiled with netfilter support, which is highly unusual for standard Linux distributions.

  • Why it works: These kernel modules provide the core functionality for packet filtering and Network Address Translation (NAT) that iptables uses. Without them, the iptables command-line utility has no backend to interact with.

After resolving the primary iptables issue, you might encounter a "failed to load bridge local traffic filter" error if Docker’s internal bridge networking isn’t fully initialized.
