I give up. I'm using Docker 1.12.0 under ubuntu 16.04 hardened with UFW.

The machine has 2 interfaces - one public (eth0) and one to private network (eth1)

Server Version: 1.12.3
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 15
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: null bridge host overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-47-generic
Operating System: Ubuntu 16.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 488.5 MiB
Name: image-base
ID: 2473:FGJQ:MEEC:CEWY:BSLR:SYB5:EXMO:WJBE:7MMM:DIZH:NJQF:L5NA
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
 127.0.0.0/8

Just like I did with previous versions I configured "iptables" to be false so docker won't change my firewall.

But in latest versions of docker (11+) this command has a side-effect - after reboot - docker containers stop getting network access (ping www.google.com).

I confirmed it again and again. How to reproduce:

- stop docker daemon

sudo systemctl stop docker

- I configure iptables=false by adding a file /etc/docker/daemon.json:

{
  "iptables" : false
}

(This is the only configuration there)

- Start daemon:

sudo systemctl start docker

docker run --rm python ping www.google.com

Even if it will work for you - if you reboot the system - it will stop working... Do you have any solution?

I checked my iptables rules and after restarting the system I'm missing those rules:

:PREROUTING ACCEPT [8:496]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-a0b355ce53ac -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-a0b355ce53ac -j RETURN
# same
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
# same
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-a0b355ce53ac -j DOCKER
-A FORWARD -o br-a0b355ce53ac -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-a0b355ce53ac ! -o br-a0b355ce53ac -j ACCEPT
-A FORWARD -i br-a0b355ce53ac -o br-a0b355ce53ac -j ACCEPT
# same
-A DOCKER-ISOLATION -i br-a0b355ce53ac -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-a0b355ce53ac -j DROP
-A DOCKER-ISOLATION -j RETURN

Thanks!

orshachar
  • Docker generally plays well alongside ufw on a system. What sort of trouble did you run into with docker+ufw on your system? – programmerq Nov 24 '16 at 22:13

1 Answer

4

The docker network model uses iptables to set up internet connectivity for your containers. I would only set iptables=false if you explicitly do not want your containers that are using bridge or overlay network drivers to have any network connectivity at all.

When you start the daemon with iptables=true, it will set up the required rules in your firewall. When docker shuts down, I don't believe it tears those rules down, so they stick around. This is why you get internet connectivity after starting docker back up with iptables=false. If you want to preserve those rules on the next docker startup after a reboot, the best way is to keep iptables=true.

programmerq
  • I understand. I wish they would separate this "iptables" configuration to "outgoing" and "incoming". Because I do want docker to allow my containers to have outgoing communication – orshachar Nov 26 '16 at 20:52
  • there would only be "incoming" rules if you publish a port. if you don't then there will really only be iptables rules to enable outgoing connections for that container. – programmerq Nov 27 '16 at 15:33
  • 1
    I think my problem was that my cloud provider doesn't provide network security configuration, thus I must use UFW / iptables to define which ports I expose to the outside world. I want a simple way to tell my machine to expose port 8080 to internal network but not to the outside world and I don't want to hardcode the machine private IP to docker binding rules... – orshachar Dec 22 '16 at 10:04
  • 4
    Great explanation! However iptables=false is necessary to set up the firewall. Docker shouldn't override the firewall configuration. – Eduardo Casas Oct 31 '17 at 10:33
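To make the answer and the follow-up comments concrete, here is an added example (not from the question, the answer, or the Docker project): a small POSIX shell script that prints the minimal outbound-only rule set Docker would otherwise create for one bridge, and audits an iptables-save dump for those rules so you can tell after a reboot whether they are gone. It assumes the bridge name, container subnet and outbound interface given by the caller (defaults taken from the question: docker0, 172.17.0.0/16, eth0); the sample dumps are constructed, not captured from the asker's machine.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# With "iptables": false, Docker stops writing the NAT and FORWARD rules that
# give bridge containers outbound connectivity, so nothing recreates them
# after a reboot. These helpers (a) print the minimal outbound-only rule set
# for one bridge (no port is published, so inbound policy stays with UFW) and
# (b) audit an iptables-save dump for those rules.
# Assumed inputs: bridge, container subnet, outbound interface (defaults below).

# Print the iptables commands for outbound-only connectivity of one bridge.
docker_outbound_rules() {
    bridge="${1:-docker0}"
    subnet="${2:-172.17.0.0/16}"
    wan_if="${3:-eth0}"
    printf '%s\n' \
      "iptables -t nat -A POSTROUTING -s $subnet -o $wan_if -j MASQUERADE" \
      "iptables -I FORWARD 1 -i $bridge -o $wan_if -j ACCEPT" \
      "iptables -I FORWARD 1 -o $bridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Audit an iptables-save dump read from stdin. Prints each missing rule;
# the exit status is the number of missing rules (0 = all present).
# The patterns also match the rules Docker itself writes with iptables=true.
audit_docker_rules() {
    bridge="${1:-docker0}"
    subnet="${2:-172.17.0.0/16}"
    dump="$(cat)"
    missing=0
    if ! printf '%s\n' "$dump" | grep -q -- "-A POSTROUTING -s $subnet .*-j MASQUERADE"; then
        echo "missing: nat MASQUERADE for $subnet"; missing=$((missing + 1))
    fi
    if ! printf '%s\n' "$dump" | grep -q -- "-A FORWARD -i $bridge .*-j ACCEPT"; then
        echo "missing: FORWARD accept from $bridge"; missing=$((missing + 1))
    fi
    if ! printf '%s\n' "$dump" | grep -q -- "-A FORWARD -o $bridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"; then
        echo "missing: FORWARD return traffic to $bridge"; missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed sample: a dump as it might look after a reboot with
# iptables=false (Docker's rules gone, only the host's own rules left).
SAMPLE_AFTER_REBOOT='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample: the same host after the three outbound rules are in place.
SAMPLE_WITH_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 -o eth0 -j ACCEPT
COMMIT'

case "${1:-}" in
    --apply) docker_outbound_rules "$2" "$3" "$4" | sh -e ;;   # needs root
    --audit) iptables-save | audit_docker_rules "$2" "$3" ;;    # needs root
    *)       docker_outbound_rules "$1" "$2" "$3" ;;            # just print
esac
```

Run it with no arguments to see the rules, `--audit` (as root) to check the live ruleset, or `--apply` to install them for the current boot. The FORWARD rules are inserted at position 1 rather than appended so that they sit ahead of UFW's own forward chains and the DROP default policy UFW sets for FORWARD; to survive a reboot alongside UFW, the equivalent lines belong in /etc/ufw/before.rules (the MASQUERADE rule in a `*nat` section) instead of being applied by hand.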