IPTables blocking docker container internet access on CentOS












0















I have two (virtual) servers running CentOS with Docker installed.



We have installed IPTables and everything works as expected.



I then adapt the service file: /usr/lib/systemd/system/docker.service



And set the execute command to not adjust the firewall.



ExecStart=/usr/bin/dockerd --iptables=false 


Now if I start a docker container and try to curl an address I get the error curl: (6) Could not resolve host: google.com; Unknown error



I have the following networks:



1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 00:23:7d:e9:c3:58 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 02:42:ff:62:c5:5f brd ff:ff:ff:ff:ff:ff
7: vethc4abff6@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
link/ether 02:ba:1c:a3:6d:fc brd ff:ff:ff:ff:ff:ff link-netnsid 0


And IPTable rules:



iptables -A INPUT -i docker0 -j ACCEPT
iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT


I expected this to allow internet access from the containers - and this seems to work perfectly on the other CentOS server.



What am I missing?










share|improve this question



























    0















    I have two (virtual) servers running CentOS with Docker installed.



    We have installed IPTables and everything works as expected.



    I then adapt the service file: /usr/lib/systemd/system/docker.service



    And set the execute command to not adjust the firewall.



    ExecStart=/usr/bin/dockerd --iptables=false 


    Now if I start a docker container and try to curl an address I get the error curl: (6) Could not resolve host: google.com; Unknown error



    I have the following networks:



    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:23:7d:e9:c3:58 brd ff:ff:ff:ff:ff:ff
    3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:ff:62:c5:5f brd ff:ff:ff:ff:ff:ff
    7: vethc4abff6@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether 02:ba:1c:a3:6d:fc brd ff:ff:ff:ff:ff:ff link-netnsid 0


    And IPTable rules:



    iptables -A INPUT -i docker0 -j ACCEPT
    iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT


    I expected this to allow internet access from the containers - and this seems to work perfectly on the other CentOS server.



    What am I missing?










    share|improve this question

























      0












      0








      0








      I have two (virtual) servers running CentOS with Docker installed.



      We have installed IPTables and everything works as expected.



      I then adapt the service file: /usr/lib/systemd/system/docker.service



      And set the execute command to not adjust the firewall.



      ExecStart=/usr/bin/dockerd --iptables=false 


      Now if I start a docker container and try to curl an address I get the error curl: (6) Could not resolve host: google.com; Unknown error



      I have the following networks:



      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
      link/ether 00:23:7d:e9:c3:58 brd ff:ff:ff:ff:ff:ff
      3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
      link/ether 02:42:ff:62:c5:5f brd ff:ff:ff:ff:ff:ff
      7: vethc4abff6@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
      link/ether 02:ba:1c:a3:6d:fc brd ff:ff:ff:ff:ff:ff link-netnsid 0


      And IPTable rules:



      iptables -A INPUT -i docker0 -j ACCEPT
      iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
      iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -P INPUT DROP
      iptables -P FORWARD DROP
      iptables -P OUTPUT ACCEPT


      I expected this to allow internet access from the containers - and this seems to work perfectly on the other CentOS server.



      What am I missing?










      share|improve this question














      I have two (virtual) servers running CentOS with Docker installed.



      We have installed IPTables and everything works as expected.



      I then adapt the service file: /usr/lib/systemd/system/docker.service



      And set the execute command to not adjust the firewall.



      ExecStart=/usr/bin/dockerd --iptables=false 


      Now if I start a docker container and try to curl an address I get the error curl: (6) Could not resolve host: google.com; Unknown error



      I have the following networks:



      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
      link/ether 00:23:7d:e9:c3:58 brd ff:ff:ff:ff:ff:ff
      3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
      link/ether 02:42:ff:62:c5:5f brd ff:ff:ff:ff:ff:ff
      7: vethc4abff6@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
      link/ether 02:ba:1c:a3:6d:fc brd ff:ff:ff:ff:ff:ff link-netnsid 0


      And IPTable rules:



      iptables -A INPUT -i docker0 -j ACCEPT
      iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
      iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -P INPUT DROP
      iptables -P FORWARD DROP
      iptables -P OUTPUT ACCEPT


      I expected this to allow internet access from the containers - and this seems to work perfectly on the other CentOS server.



      What am I missing?







      centos iptables docker






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 25 at 7:16









      Dave AlgerDave Alger

      1013




      1013






















          0






          active

          oldest

          votes












          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1398229%2fiptables-blocking-docker-container-internet-access-on-centos%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1398229%2fiptables-blocking-docker-container-internet-access-on-centos%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

          Alcedinidae

          RAC Tourist Trophy