Author: David Goodwin

docker-ce + Debian Buster + iptables

docker doesn’t work on Debian Buster by default, thanks to nft …

I found docker wouldn’t start for me on my Buster desktop.
journalctl -u docker -f showed :

Aug 15 09:35:50 walnut dockerd[28612]: failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain DOCKER: iptables failed: iptables -t nat -N DOCKER: iptables v1.8.2 (nf_tables):  CHAIN_ADD failed (No such file or 

Aug 15 09:35:50 walnut dockerd[28612]:  (exit status 4)

Fixing, yet again, seems a case of replacing nft/nftables stuff with the legacy iptables counterparts –

update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set iptables /usr/sbin/iptables-legacy

fail2ban, Debian buster/10 and iptables vs nftables

Buster forces a move to nftables, unfortunately fail2ban thinks it’s still using iptables, so nothing gets blocked. To fix ….

Buster forces a move to nftables, unfortunately fail2ban thinks it’s still using iptables, so nothing gets blocked. To fix ….

(fail2ban in Buster also seems to require systemd – and no longer reads from e.g. /var/log/mail.log, which is a bit disappointing but oh well…)

After messing about trying to get nftables working – where trying to use the default /etc/nftables.conf file just results in an error a bit like :

/etc/nftables.conf:6:15-19: Error: Could not process rule: No such file or directory

        chain input {

I gave up, and found the Debian Wiki Page which gives :

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy

Which now allows fail2ban to actualy block things (via /var/log/fail2ban.log etc).