If you’re running Docker Compose on a Rocky Linux or RHEL-based server and encounter the following error, it may be caused by a kernel module or iptables configuration issue:

failed to create network nginx_default: Error response from daemon: Failed to Setup IP tables: Unable to enable SKIP DNAT rule:  (iptables failed: iptables --wait -t nat -I DOCKER -i br-xxxx -j RETURN: iptables: No chain/target/match by that name. (exit status 1))

Cause

By default, Docker uses the DOCKER chain in iptables to configure NAT rules when using the bridge network driver. This error may occur if any of the following conditions are met:

  • The br_netfilter or bridge kernel module is not loaded
  • A conflict exists between iptables and nftables
  • A container is launched before the network is created
  • The system is using the iptables-nft backend
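
The conditions listed above can be checked without changing anything on the host. The script below is an added example, not part of the original article; its function names are hypothetical, and it assumes `iptables --version` reports the backend in parentheses, as iptables 1.8 and later do.

```shell
#!/usr/bin/env bash
# Added example: read-only checks for the causes listed above.
# Function names are hypothetical; nothing here changes system state.

# Print nf_tables, legacy or unknown for one `iptables --version` line.
iptables_backend() {
  case "$1" in
    *"(nf_tables)"*) echo nf_tables ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# Succeed if module $1 appears in /proc/modules-format text on stdin.
# Matches the first field exactly, unlike `lsmod | grep bridge`, which also
# hits lines where "bridge" only shows up in the "used by" column.
module_loaded() {
  awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Succeed if `iptables -t nat -S` output on stdin declares the DOCKER chain.
has_docker_chain() {
  grep -qx -e '-N DOCKER'
}

report() { printf '%-20s %s\n' "$1" "$2"; }

run_checks() {
  for mod in br_netfilter bridge; do
    if module_loaded "$mod" < /proc/modules; then
      report "module $mod" "loaded"
    else
      report "module $mod" "NOT loaded"
    fi
  done
  report "iptables backend" "$(iptables_backend "$(iptables --version 2>/dev/null)")"
  if sudo iptables -t nat -S 2>/dev/null | has_docker_chain; then
    report "nat chain DOCKER" "present"
  else
    report "nat chain DOCKER" "missing"
  fi
  report "firewalld" "$(systemctl is-active firewalld 2>/dev/null)"
}

# Query the live system only when asked to: ./check.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it with `--run` before and after applying the steps below to see which condition changed.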

Solution

1. Load Required Kernel Modules

sudo modprobe br_netfilter
sudo modprobe bridge

To verify:

lsmod | grep br_netfilter
lsmod | grep bridge

To load them automatically at boot:

echo -e "br_netfilter\nbridge" | sudo tee /etc/modules-load.d/docker.conf

2. Switch to iptables-legacy Backend

Docker still prefers iptables-legacy. If your system is using iptables-nft, switch using the following command:

sudo alternatives --config iptables

Sample output:

There are 2 programs which provide 'iptables'.

  Selection    Command
-----------------------------------------------
*+ 1           /usr/sbin/iptables-nft
   2           /usr/sbin/iptables-legacy

Enter to keep the current selection[+], or type selection number: 2

Repeat for the following:

sudo alternatives --config ip6tables
sudo alternatives --config arptables
sudo alternatives --config ebtables

3. Restart Docker

Changes to the iptables backend or kernel modules require Docker to be restarted:

sudo systemctl restart docker

If the Issue Persists

  • If firewalld or nftables is active, it may interfere with Docker’s iptables rules. Consider disabling firewalld or configuring it to work alongside iptables.
  • On KVM-based VMs with bridged networking, the host kernel might restrict module loading. Double-check module availability and system policies.

Conclusion

Most Docker Compose network errors like this stem from iptables misconfigurations or missing kernel modules. Following the above steps should resolve the issue in most cases. For RHEL and Rocky Linux systems in particular, switching to iptables-legacy is often the key fix.