Unable to initialize table 'filter'. Same for nat #16

Open
geedon opened this issue Jan 9, 2019 · 0 comments
geedon commented Jan 9, 2019

Hi, I wonder if you could point me in the right direction here. I'm unable to get any of my config files applied to iptables, even the most simple examples all seem to give me the same errors relating to initializing "Error occurred at line: 2".

My server is running openvpn and I basically want to lock down external access, basically making this an intranet group of containers. But docker wants things public, which brings me here. It's worth mentioning that all this worked fine before I turned off iptables support for docker, which is a prerequisite for this I gather. My openvpn server is also confirmed to be working.

Here's an extract of the errors...

```
docker_firewall    | COMMIT
docker_firewall    |
docker_firewall    |
docker_firewall    | [Wed Jan  9 17:53:23 2019] ERROR: iptables-restore v1.4.21: iptables-restore: unable to initialize table 'filter'
docker_firewall    |
docker_firewall    | Error occurred at line: 2
docker_firewall    | Try `iptables-restore -h' or 'iptables-restore --help' for more information.
docker_firewall    |
docker_firewall    | [Wed Jan  9 17:53:23 2019] commiting to nat table:
docker_firewall    |
docker_firewall    | *nat
docker_firewall    | ################ DFWFW_PREROUTING head:
docker_firewall    | -F DFWFW_PREROUTING
docker_firewall    |
docker_firewall    | ################ wider_world_to_container:
docker_firewall    | # #1: host:80 -> nginx:80 / tcp
docker_firewall    | -A DFWFW_PREROUTING -i eth0 -p tcp --dport 80 -s 91.234.214.2 -j DNAT --to-destination 172.18.0.3:80
docker_firewall    | # #2: host:443 -> nginx:443 / tcp
docker_firewall    | -A DFWFW_PREROUTING -i eth0 -p tcp --dport 443 -s 91.234.214.2 -j DNAT --to-destination 172.18.0.3:443
docker_firewall    | # #3: host:80 -> nginx:80 / tcp
docker_firewall    | -A DFWFW_PREROUTING -i eth0 -p tcp --dport 80 -s 81.140.34.59 -j DNAT --to-destination 172.18.0.3:80
docker_firewall    | # #4: host:443 -> nginx:443 / tcp
docker_firewall    | -A DFWFW_PREROUTING -i eth0 -p tcp --dport 443 -s 81.140.34.59 -j DNAT --to-destination 172.18.0.3:443
docker_firewall    |
docker_firewall    |
docker_firewall    |
docker_firewall    | COMMIT
docker_firewall    |
docker_firewall    |
docker_firewall    | [Wed Jan  9 17:53:23 2019] ERROR: iptables-restore v1.4.21: iptables-restore: unable to initialize table 'nat'
```

Docker version 18.09.0, build 4d60db4
Debian GNU/Linux 9 \n \l
docker-compose version 1.23.2, build 1110ad01

dfwfw.conf:

```json
{
  "wider_world_to_container": {
    "rules": [
      {
        "network": "sd_services",
        "dst_container": "nginx",
        "filter": "-s 81.140.34.52",
        "expose_port": 80
      },
      {
        "network": "sd_services",
        "dst_container": "nginx",
        "filter": "-s 81.140.34.52",
        "expose_port": 443
      }
    ]
  },
  "container_to_wider_world": {
    "default_policy": "ACCEPT"
  },
  "container_to_container": {
    "rules": [
      {
        "network": "sd_services",
        "src_container": "nginx",
        "dst_container": "somecontainer",
        "filter": "-p tcp --dport 80 -m state --state NEW",
        "action": "ACCEPT"
      },
      {
        "network": "sd_services",
        "src_container": "somecontainer",
        "dst_container": "mariadb",
        "filter": "-p tcp --dport 3306 -m state --state NEW",
        "action": "ACCEPT"
      }
    ]
  }
}
```

I've disabled iptables on docker without issue by editing /etc/docker/daemon.json and restarting the server. Something of note is that I'm using ufw firewall and have one post routing entry for my before route which allows me to use my openvpn server.

```
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
```

I can't say I know a great deal about iptables, which is why I was hoping to get your nice container to do this for me. I don't suppose you have any suggestions?

I used the pull request to get your container 'docker pull irsl/dfwfw' but it shows it was updated 20 months ago. Is that right?

Many thanks for any advice you might have!
