Package: docker.io
Followup-For: Bug #865975
The FORWARD chain policy is set to DROP by docker since 1.13.
The verbose (-V) iptables output (which gives interfaces and packet counters) is:

# iptables -L -v -n
Chain INPUT (policy ACCEPT 281 packets, 14176 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 225 packets, 27980 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
I reproduced the network setup but not the KVM one. I cannot confirm
that forwarding is broken.
Upstream provides:
- a command line switch to the docker daemon, "--iptables=false",
  or a config item in /etc/docker/daemon.json:
  {
    "iptables": false
  }
- upstream also tells to revert the FORWARD policy to ACCEPT by hand ...
  but I tested and it stays so on docker restart (even stop and start).
  If the box is rebooted the change is lost, as confirmed by
  https://docs.docker.com/engine/userguide/networking/default_network/container-communication/
  "The iptables settings are lost when the system reboots. If you want the change
  to be permanent, refer to your Linux distribution's documentation."

Mind we cannot apply it from /etc/rc.local or anything boot related as it has
to be applied after docker is started ...
with socket activation we activate the docker daemon long after boot.
references:
- https://docs.docker.com/engine/userguide/networking/default_network/container-communication/
  Container communication between hosts
  "For security reasons, Docker configures the iptables rules to prevent
  containers from forwarding traffic from outside the host machine, on Linux
  hosts. Docker sets the default policy of the FORWARD chain to DROP.
  (...)
  Note: In Docker 1.12 and earlier, the default FORWARD chain policy was ACCEPT.
  When you upgrade to Docker 1.13 or higher, this default is automatically
  changed for you."
- Also from
  https://docs.docker.com/engine/userguide/networking/default_network/container-communication/
  Communication between containers
  (...)
  "Docker will never make changes to your system iptables rules if you set
  --iptables=false when the daemon starts. Otherwise the Docker server will add
  a default rule to the FORWARD chain with a blanket ACCEPT policy if you retain
  the default --icc=true, or else will set the policy to DROP if --icc=false."
Best regards
Alban
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8),
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages docker.io depends on:
ii adduser 3.116
ii docker-containerd 0.2.3+git+docker1.13.1~ds1-1
ii docker-runc 1.0.0~rc2+git+docker1.13.1~ds1-2
ii golang-libnetwork 0.8.0-dev.2+git20170202.599.45b4086-3
ii iptables 1.6.1-2+b1
ii libapparmor1 2.11.0-11
ii libc6 2.24-17
ii libdevmapper1.02.1 2:1.02.142-1
ii libsqlite3-0 3.20.1-2
ii libsystemd0 235-2
ii lsb-base 9.20170808
Versions of packages docker.io recommends:
ii ca-certificates 20170717
ii cgroupfs-mount 1.4
ii git 1:2.15.0~rc1-1
ii xz-utils 5.2.2-1.3
Versions of packages docker.io suggests:
ii aufs-tools 1:4.1+20161219-1
ii btrfs-progs 4.13.3-1
ii debootstrap 1.0.91
pn docker-doc <none>
ii rinse 3.2
pn zfs-fuse | zfsutils <none>
-- no debconf information
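As an added illustration (not part of the bug report or of the docker.io package), the check below parses `iptables -L -v -n` output for the FORWARD chain and reports, per interface, whether traffic would be forwarded by an explicit ACCEPT rule, by the chain policy, or dropped. The listing embedded as SAMPLE is constructed from the report above; "virbr0" is an assumed name for a non-docker bridge such as the KVM one the reporter mentions.

```shell
#!/bin/sh
# Constructed sample: the FORWARD chain as listed in the report (policy DROP,
# ACCEPT rules only for docker0). A live run uses the real listing when available.
SAMPLE=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 281 packets, 14176 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 225 packets, 27980 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
)

# forward_policy LISTING: print the FORWARD chain policy (ACCEPT or DROP).
forward_policy() {
  printf '%s\n' "$1" | awk '/^Chain FORWARD \(policy/ { sub(/^.*\(policy /, ""); print $1; exit }'
}

# forward_allows LISTING IFACE: succeed if an ACCEPT rule in the FORWARD chain
# names IFACE as its in or out interface (columns 6 and 7 of -L -v -n output).
forward_allows() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    /^Chain / { inchain = ($2 == "FORWARD"); next }
    inchain && $3 == "ACCEPT" && ($6 == ifc || $7 == ifc) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# forward_verdict LISTING IFACE: one-line verdict for traffic crossing IFACE.
forward_verdict() {
  pol=$(forward_policy "$1")
  if forward_allows "$1" "$2"; then
    echo "$2: forwarded by explicit ACCEPT rule"
  elif [ "$pol" = ACCEPT ]; then
    echo "$2: forwarded by chain policy ACCEPT"
  else
    echo "$2: dropped (FORWARD policy $pol, no ACCEPT rule for it)"
  fi
}

# Prefer the live ruleset (needs root and iptables); fall back to the sample.
LISTING=$(iptables -L -v -n 2>/dev/null) || LISTING=$SAMPLE
forward_verdict "$LISTING" docker0
forward_verdict "$LISTING" virbr0
```

Run it after docker has started (or from a unit ordered after docker.service), since that is when the policy flip to DROP happens.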