Iptables – Docker containers don’t have internet access until docker service restarts

Tags: bridge, docker, iptables, nat, systemd

I'm creating a bridge manually, with this command:

docker network create --driver bridge --internal --subnet=172.20.0.0/24 br0

Then I start containers using that bridge with the parameters --net=br0 --ip=172.20.0.x.

The problem is that those containers don't have internet access; I can't even ping the outside.

The real issue is related to iptables. When I reboot the server, iptables shows me some rules, and the containers don't have internet access.

But when I restart the docker service, iptables has different rules and the containers DO have internet access.

I will paste here just the differences between the rule set.

When I reboot the server, these rules appear:

*filter
-A DOCKER-ISOLATION ! -s 172.20.0.0/24 -o br-aa4c507d3f06 -j DROP
-A DOCKER-ISOLATION ! -d 172.20.0.0/24 -i br-aa4c507d3f06 -j DROP
COMMIT

When I restart the docker service, those 2 rules disappear and I see this instead:

*filter
-A FORWARD -o br-aa4c507d3f06 -j DOCKER
-A FORWARD -o br-aa4c507d3f06 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-aa4c507d3f06 ! -o br-aa4c507d3f06 -j ACCEPT
-A FORWARD -i br-aa4c507d3f06 -o br-aa4c507d3f06 -j ACCEPT

-A DOCKER-ISOLATION -i br-aa4c507d3f06 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-aa4c507d3f06 -j DROP
COMMIT

&

*nat
-A POSTROUTING -s 172.20.0.0/24 ! -o br-aa4c507d3f06 -j MASQUERADE
-A DOCKER -i br-aa4c507d3f06 -j RETURN
COMMIT

So, adding them manually is probably a bad idea, and I would like to have this working as it should.

Why do I have to restart the docker service just to load the iptables rules that let containers use the internet?

How can I fix this?

The bridge creation should modify the iptables rules, and I shouldn't have to restart the docker service just for that, right?


EDIT:

I have noticed that the bridge creation ONLY adds these rules to iptables:

-A DOCKER-ISOLATION ! -s 172.20.0.0/24 -o br-aa4c507d3f06 -j DROP
-A DOCKER-ISOLATION ! -d 172.20.0.0/24 -i br-aa4c507d3f06 -j DROP

So it looks like after bridge creation I have to restart docker? Why?

Best Answer

My bad. I didn't notice I was using --internal. Self-explanatory!
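The two rule sets quoted in the question are exactly the signatures of an --internal bridge (only DOCKER-ISOLATION DROP rules, no MASQUERADE) versus a normal bridge (FORWARD ACCEPT plus POSTROUTING MASQUERADE). The following is an added example, not from the question or the answer: a small bash check that classifies a bridge from an iptables-save dump so the cause can be spotted without trial-and-error restarts. The two dumps embedded below are constructed from the rules quoted above; the function name bridge_egress_state and the helper live_bridge_egress_state are assumptions of this example, not Docker or iptables names.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post): decide from an iptables-save
# dump whether a Docker bridge has egress to the outside or is isolated.

# Constructed dump: the state the asker saw after a reboot. Only the two
# DOCKER-ISOLATION DROP rules exist; there is no MASQUERADE for the subnet.
# This is what "docker network create --internal" produces.
RULES_INTERNAL='*filter
-A DOCKER-ISOLATION ! -s 172.20.0.0/24 -o br-aa4c507d3f06 -j DROP
-A DOCKER-ISOLATION ! -d 172.20.0.0/24 -i br-aa4c507d3f06 -j DROP
COMMIT'

# Constructed dump: the state the asker saw after restarting docker, where the
# bridge is set up as a normal (non-internal) network with NAT to the outside.
RULES_EXTERNAL='*filter
-A FORWARD -o br-aa4c507d3f06 -j DOCKER
-A FORWARD -o br-aa4c507d3f06 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-aa4c507d3f06 ! -o br-aa4c507d3f06 -j ACCEPT
-A FORWARD -i br-aa4c507d3f06 -o br-aa4c507d3f06 -j ACCEPT
-A DOCKER-ISOLATION -i br-aa4c507d3f06 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-aa4c507d3f06 -j DROP
COMMIT
*nat
-A POSTROUTING -s 172.20.0.0/24 ! -o br-aa4c507d3f06 -j MASQUERADE
-A DOCKER -i br-aa4c507d3f06 -j RETURN
COMMIT'

# bridge_egress_state <bridge-interface> <subnet> <iptables-save-dump>
# Prints "external" when the subnet is NATed and forwarded off the bridge,
# "internal" when only the isolation DROP rules are present, else "unknown".
bridge_egress_state() {
  local br="$1" subnet="$2" dump="$3"
  local has_masq=0 has_fwd_out=0 has_iso_drop=0

  # nat table: source NAT for the subnet when leaving via any other interface.
  if printf '%s\n' "$dump" | grep -Fq -- "-A POSTROUTING -s $subnet ! -o $br -j MASQUERADE"; then
    has_masq=1
  fi
  # filter table: packets from the bridge to a different interface are accepted.
  if printf '%s\n' "$dump" | grep -Fq -- "-A FORWARD -i $br ! -o $br -j ACCEPT"; then
    has_fwd_out=1
  fi
  # filter table: anything not sourced from the subnet is dropped on its way
  # into the bridge; this is the --internal network pattern.
  if printf '%s\n' "$dump" | grep -Fq -- "-A DOCKER-ISOLATION ! -s $subnet -o $br -j DROP"; then
    has_iso_drop=1
  fi

  if [ "$has_masq" -eq 1 ] && [ "$has_fwd_out" -eq 1 ]; then
    echo external
  elif [ "$has_iso_drop" -eq 1 ] && [ "$has_masq" -eq 0 ]; then
    echo internal
  else
    echo unknown
  fi
}

# live_bridge_egress_state <bridge-interface> <subnet>
# Same check against the running firewall; needs root to run iptables-save.
live_bridge_egress_state() {
  bridge_egress_state "$1" "$2" "$(iptables-save 2>/dev/null)"
}

# Demonstration on the two constructed dumps.
echo "after reboot:          $(bridge_egress_state br-aa4c507d3f06 172.20.0.0/24 "$RULES_INTERNAL")"
echo "after docker restart:  $(bridge_egress_state br-aa4c507d3f06 172.20.0.0/24 "$RULES_EXTERNAL")"
```

Run it on a real host as root with `live_bridge_egress_state br-aa4c507d3f06 172.20.0.0/24` (the interface name and subnet are the ones from the question; substitute your own). An "internal" result means the network was created with --internal and no amount of restarting should give it egress; if a restart changes the answer, the network configuration Docker reloads differs from what was created by hand, which is the situation worth investigating rather than adding MASQUERADE rules manually.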
