FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Dhruvin_patel
Article Id 369286
Description This article explains why the Container FortiOS (cFOS) cannot perform source NAT when it runs in a Docker container on a Red Hat Enterprise Linux 9.x VM.
Scope Container FortiOS.
Solution

On Red Hat Enterprise Linux 9.x, nf_tables has replaced ip_tables as the default packet-filtering backend. The ip_tables module is now considered 'deprecated' and is not loaded by default, even after the iptables package is installed, so the legacy iptables tables that cFOS uses for source NAT are unavailable:


sysctl sh
#
# iptables -t nat -L -v
iptables v1.8.7 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
#
#
# iptables -t mangle -L -v
iptables v1.8.7 (legacy): can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
#
#


Manually loading the module using modprobe ip_tables resolves the issue.


[root@localhost ~]# modprobe ip_tables
[root@localhost ~]# docker restart cfos
[root@localhost ~]# docker exec -it cfos /bin/cli


On Ubuntu and other distributions, the module is loaded automatically, even without the iptables package installed.

For that module to be loaded on startup automatically, add it to a new file inside /etc/modules-load.d/ by running the following command:

[root@localhost ~]# echo ip_tables > /etc/modules-load.d/ip_tables.conf
[root@localhost ~]# cat /etc/modules-load.d/ip_tables.conf
ip_tables

To ensure that it has been loaded, run the following command:


[root@localhost ~]# lsmod | grep ip_tables

ip_tables
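The steps above (check, modprobe, persist in /etc/modules-load.d/, verify) can be wrapped in one idempotent host-side script. The following is an added example written for this article, not a Fortinet or Red Hat script. It assumes the host provides modprobe, iptables and systemd-modules-load as on RHEL 9, reads /proc/modules (the same data lsmod prints) so the check works without the kmod tools, and takes the container name "cfos" and the file name ip_tables.conf from the article. The file locations can be overridden through CONF_DIR and PROC_MODULES so the checks can be exercised against constructed files without root.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): make sure the legacy
# ip_tables module that cFOS needs for source NAT is loaded on a RHEL 9
# host, load it if it is not, and persist it across reboots.
set -u

MODULE="ip_tables"
CONF_DIR="${CONF_DIR:-/etc/modules-load.d}"      # assumed default, as in the article
PROC_MODULES="${PROC_MODULES:-/proc/modules}"    # lsmod reads the same file

# module_loaded NAME [PROC_MODULES_FILE]
# Succeeds when NAME is listed as a loaded kernel module.
module_loaded() {
    _mod="$1"
    _file="${2:-$PROC_MODULES}"
    [ -r "$_file" ] || return 1
    grep -q "^${_mod} " "$_file"
}

# persist_module NAME [CONF_DIR]
# Writes NAME into CONF_DIR/NAME.conf (systemd-modules-load format, as the
# article does with echo). Idempotent: an existing correct file is left alone.
# Prints the path of the conf file on success.
persist_module() {
    _mod="$1"
    _dir="${2:-$CONF_DIR}"
    _conf="$_dir/$_mod.conf"
    mkdir -p "$_dir" || return 1
    if ! grep -qx "$_mod" "$_conf" 2>/dev/null; then
        printf '%s\n' "$_mod" > "$_conf" || return 1
    fi
    printf '%s\n' "$_conf"
}

# iptables_table_ok TABLE
# Succeeds when the legacy iptables backend can open TABLE, i.e. the
# "Table does not exist (do you need to insmod?)" error is not hit.
iptables_table_ok() {
    iptables -t "$1" -L -n >/dev/null 2>&1
}

# ensure_ip_tables: the article's procedure end to end, safe to re-run.
ensure_ip_tables() {
    if module_loaded "$MODULE"; then
        echo "$MODULE already loaded"
    else
        echo "$MODULE not loaded; loading it with modprobe"
        modprobe "$MODULE" || { echo "modprobe $MODULE failed" >&2; return 1; }
    fi
    _conf=$(persist_module "$MODULE") || return 1
    echo "persisted in $_conf"
    module_loaded "$MODULE" || { echo "$MODULE still not loaded" >&2; return 1; }
    for _t in nat mangle; do
        if iptables_table_ok "$_t"; then
            echo "iptables table '$_t' available"
        else
            echo "iptables table '$_t' still unavailable" >&2
        fi
    done
}

# Run the procedure and restart the cFOS container only when asked to
# (RUN_ENSURE=1), so the file can also be sourced for its functions.
if [ "${RUN_ENSURE:-0}" = 1 ]; then
    ensure_ip_tables && docker restart cfos
fi
```

Run it as root with `RUN_ENSURE=1 sh ensure_ip_tables.sh`; on a host where the module is already loaded and persisted it changes nothing, which makes it suitable for a provisioning or post-boot check.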


See the Red Hat documentation for more information on this: Chapter 3. Managing kernel modules | Red Hat Product Documentation