I'm creating a bridge manually, with this command:
docker network create --driver bridge --internal --subnet=172.20.0.0/24 br0
Then I start containers using that bridge with the parameters --net=br0 --ip=172.20.0.x.
The problem is that those containers don't have internet access; I can't even ping the outside.
The real issue is related to iptables. When I reboot the server, iptables shows me some rules, and containers don't have internet access.
But when I restart the docker service, iptables has different rules and containers DO have internet access.
I will paste here just the differences between the rule sets.
When I reboot the server, these rules appear:
*filter
-A DOCKER-ISOLATION ! -s 172.20.0.0/24 -o br-aa4c507d3f06 -j DROP
-A DOCKER-ISOLATION ! -d 172.20.0.0/24 -i br-aa4c507d3f06 -j DROP
COMMIT
When I restart the docker service, those 2 rules disappear and I see this instead:
*filter
-A FORWARD -o br-aa4c507d3f06 -j DOCKER
-A FORWARD -o br-aa4c507d3f06 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-aa4c507d3f06 ! -o br-aa4c507d3f06 -j ACCEPT
-A FORWARD -i br-aa4c507d3f06 -o br-aa4c507d3f06 -j ACCEPT
-A DOCKER-ISOLATION -i br-aa4c507d3f06 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-aa4c507d3f06 -j DROP
COMMIT
&
*nat
-A POSTROUTING -s 172.20.0.0/24 ! -o br-aa4c507d3f06 -j MASQUERADE
-A DOCKER -i br-aa4c507d3f06 -j RETURN
COMMIT
So, adding them manually is probably a bad idea and I would like to have this working as it should.
Why do I have to restart the docker service just to load the iptables rules that let containers use the internet?
How can I fix this?
The bridge creation should modify the iptables rules and I shouldn't have to restart the docker service just for that, right?
EDIT:
I have noticed that the bridge creation ONLY adds these rules to iptables:
-A DOCKER-ISOLATION ! -s 172.20.0.0/24 -o br-aa4c507d3f06 -j DROP
-A DOCKER-ISOLATION ! -d 172.20.0.0/24 -i br-aa4c507d3f06 -j DROP
So it looks like after bridge creation I have to restart docker? Why?
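As an added example (not part of the question, and not Docker's own tooling), here is a small Python script that parses iptables-save output and reports, for a given bridge interface and subnet, which of the NAT/forwarding rules from the second rule set are missing and whether the two DOCKER-ISOLATION DROP rules from the first set are present. The first set is the shape Docker installs for a network created with --internal: drop any traffic leaving or entering the bridge that is not addressed inside the subnet, and no MASQUERADE; the second set is what a normal NAT-ed bridge gets. The rule strings, bridge name and subnet are taken from the question; the sample inputs are constructed from the two quoted blocks, and the function names are the example's own.

```python
import re

BRIDGE = "br-aa4c507d3f06"
SUBNET = "172.20.0.0/24"

# Constructed sample: the rules quoted after a reboot (isolation-only set).
RULES_AFTER_REBOOT = """\
*filter
-A DOCKER-ISOLATION ! -s 172.20.0.0/24 -o br-aa4c507d3f06 -j DROP
-A DOCKER-ISOLATION ! -d 172.20.0.0/24 -i br-aa4c507d3f06 -j DROP
COMMIT
"""

# Constructed sample: the rules quoted after restarting the docker service
# (the question shows filter and nat as separate blocks; joined here).
RULES_AFTER_RESTART = """\
*filter
-A FORWARD -o br-aa4c507d3f06 -j DOCKER
-A FORWARD -o br-aa4c507d3f06 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-aa4c507d3f06 ! -o br-aa4c507d3f06 -j ACCEPT
-A FORWARD -i br-aa4c507d3f06 -o br-aa4c507d3f06 -j ACCEPT
-A DOCKER-ISOLATION -i br-aa4c507d3f06 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-aa4c507d3f06 -j DROP
COMMIT
*nat
-A POSTROUTING -s 172.20.0.0/24 ! -o br-aa4c507d3f06 -j MASQUERADE
-A DOCKER -i br-aa4c507d3f06 -j RETURN
COMMIT
"""


def parse_iptables_save(text):
    """Parse iptables-save text into (table, chain, rule_args) tuples.

    Lines that are not '-A' append rules inside a table block (comments,
    ':CHAIN POLICY' headers, stray separators) are ignored.
    """
    table, rules = None, []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalize whitespace for exact matching
        if not line or line.startswith("#") or line.startswith(":"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A ") and table:
            chain, _, args = line[3:].partition(" ")
            rules.append((table, chain, args))
    return rules


def egress_rules(bridge, subnet):
    """Rules from the second set that give a bridge outbound (NAT-ed) access."""
    return [
        ("filter", "FORWARD", f"-o {bridge} -j DOCKER"),
        ("filter", "FORWARD", f"-o {bridge} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"),
        ("filter", "FORWARD", f"-i {bridge} ! -o {bridge} -j ACCEPT"),
        ("filter", "FORWARD", f"-i {bridge} -o {bridge} -j ACCEPT"),
        ("nat", "POSTROUTING", f"-s {subnet} ! -o {bridge} -j MASQUERADE"),
        ("nat", "DOCKER", f"-i {bridge} -j RETURN"),
    ]


def internal_only_rules(bridge, subnet):
    """The two DROP rules from the first set that fence a bridge off from outside."""
    return [
        ("filter", "DOCKER-ISOLATION", f"! -s {subnet} -o {bridge} -j DROP"),
        ("filter", "DOCKER-ISOLATION", f"! -d {subnet} -i {bridge} -j DROP"),
    ]


def diagnose(text, bridge, subnet):
    """Classify a bridge's rule set as internal-only, egress-capable or egress-incomplete."""
    present = set(parse_iptables_save(text))
    missing = [r for r in egress_rules(bridge, subnet) if r not in present]
    isolating = [r for r in internal_only_rules(bridge, subnet) if r in present]
    if isolating:
        verdict = "internal-only"
    elif not missing:
        verdict = "egress-capable"
    else:
        verdict = "egress-incomplete"
    return {"verdict": verdict, "missing": missing, "isolating": isolating}


if __name__ == "__main__":
    for label, sample in (("after reboot", RULES_AFTER_REBOOT), ("after restart", RULES_AFTER_RESTART)):
        result = diagnose(sample, BRIDGE, SUBNET)
        print(f"{label}: {result['verdict']}")
        for rule in result["missing"]:
            print("  missing:", *rule)
        for rule in result["isolating"]:
            print("  isolating:", *rule)
```

On a live host, feed it the output of `iptables-save` (for example by reading it from stdin instead of the constructed samples) and the bridge name reported by `ip link`; a bridge that comes out as "internal-only" has exactly the two DROP rules shown after the reboot and none of the forwarding or MASQUERADE rules, which is why nothing on it can reach outside.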