IPTables blocking docker container internet access on CentOS












0















I have two (virtual) servers running CentOS with Docker installed.



We have installed IPTables and everything works as expected.



I then adapt the service file:
/usr/lib/systemd/system/docker.service



And set the execute command to not adjust the firewall.



ExecStart=/usr/bin/dockerd --iptables=false 


Now if I start a docker container and try to curl an address I get the error
curl: (6) Could not resolve host: google.com; Unknown error



I have the following networks:



1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 00:23:7d:e9:c3:58 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 02:42:ff:62:c5:5f brd ff:ff:ff:ff:ff:ff
7: vethc4abff6@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
link/ether 02:ba:1c:a3:6d:fc brd ff:ff:ff:ff:ff:ff link-netnsid 0


And IPTable rules:



iptables -A INPUT -i docker0 -j ACCEPT
iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT


I expected this to allow internet access from the containers - and this seems to work perfectly on the other CentOS server.



What am I missing?









share







New contributor




Dave Alger is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

























    0















    I have two (virtual) servers running CentOS with Docker installed.



    We have installed IPTables and everything works as expected.



    I then adapt the service file:
    /usr/lib/systemd/system/docker.service



    And set the execute command to not adjust the firewall.



    ExecStart=/usr/bin/dockerd --iptables=false 


    Now if I start a docker container and try to curl an address I get the error
    curl: (6) Could not resolve host: google.com; Unknown error



    I have the following networks:



    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:23:7d:e9:c3:58 brd ff:ff:ff:ff:ff:ff
    3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:ff:62:c5:5f brd ff:ff:ff:ff:ff:ff
    7: vethc4abff6@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether 02:ba:1c:a3:6d:fc brd ff:ff:ff:ff:ff:ff link-netnsid 0


    And IPTable rules:



    iptables -A INPUT -i docker0 -j ACCEPT
    iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT


    I expected this to allow internet access from the containers - and this seems to work perfectly on the other CentOS server.



    What am I missing?









    share







    New contributor




    Dave Alger is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.























      0












      0








      0








      I have two (virtual) servers running CentOS with Docker installed.



      We have installed IPTables and everything works as expected.



      I then adapt the service file:
      /usr/lib/systemd/system/docker.service



      And set the execute command to not adjust the firewall.



      ExecStart=/usr/bin/dockerd --iptables=false 


      Now if I start a docker container and try to curl an address I get the error
      curl: (6) Could not resolve host: google.com; Unknown error



      I have the following networks:



      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
      link/ether 00:23:7d:e9:c3:58 brd ff:ff:ff:ff:ff:ff
      3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
      link/ether 02:42:ff:62:c5:5f brd ff:ff:ff:ff:ff:ff
      7: vethc4abff6@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
      link/ether 02:ba:1c:a3:6d:fc brd ff:ff:ff:ff:ff:ff link-netnsid 0


      And IPTable rules:



      iptables -A INPUT -i docker0 -j ACCEPT
      iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
      iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -P INPUT DROP
      iptables -P FORWARD DROP
      iptables -P OUTPUT ACCEPT


      I expected this to allow internet access from the containers - and this seems to work perfectly on the other CentOS server.



      What am I missing?









      share







      New contributor




      Dave Alger is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.












      I have two (virtual) servers running CentOS with Docker installed.



      We have installed IPTables and everything works as expected.



      I then adapt the service file:
      /usr/lib/systemd/system/docker.service



      And set the execute command to not adjust the firewall.



      ExecStart=/usr/bin/dockerd --iptables=false 


      Now if I start a docker container and try to curl an address I get the error
      curl: (6) Could not resolve host: google.com; Unknown error



      I have the following networks:



      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
      link/ether 00:23:7d:e9:c3:58 brd ff:ff:ff:ff:ff:ff
      3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
      link/ether 02:42:ff:62:c5:5f brd ff:ff:ff:ff:ff:ff
      7: vethc4abff6@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
      link/ether 02:ba:1c:a3:6d:fc brd ff:ff:ff:ff:ff:ff link-netnsid 0


      And IPTable rules:



      iptables -A INPUT -i docker0 -j ACCEPT
      iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
      iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -P INPUT DROP
      iptables -P FORWARD DROP
      iptables -P OUTPUT ACCEPT


      I expected this to allow internet access from the containers - and this seems to work perfectly on the other CentOS server.



      What am I missing?







      centos iptables docker





      share







      New contributor




      Dave Alger is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.










      share







      New contributor




      Dave Alger is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.








      share



      share






      New contributor




      Dave Alger is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 2 mins ago









      Dave AlgerDave Alger

      1012




      1012




      New contributor




      Dave Alger is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Dave Alger is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Dave Alger is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          0






          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "106"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });






          Dave Alger is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f496378%2fiptables-blocking-docker-container-internet-access-on-centos%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          Dave Alger is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          Dave Alger is a new contributor. Be nice, and check out our Code of Conduct.













          Dave Alger is a new contributor. Be nice, and check out our Code of Conduct.












          Dave Alger is a new contributor. Be nice, and check out our Code of Conduct.
















          Thanks for contributing an answer to Unix & Linux Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f496378%2fiptables-blocking-docker-container-internet-access-on-centos%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          CARDNET

          Boot-repair Failure: Unable to locate package grub-common:i386

          濃尾地震