Docker changes IPtables FORWARD policy to DROP

Question

I've got OpenVPN on Amazon Linux 2 EC2 instance and need to forward packets through it. It works until I start docker on the instance. Then the FORWARD policy turns to DROP and VPN stops working.

[root@ip-... ~]# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)                             <<< See it's ACCEPT
target     prot opt source               destination         

Then I start docker and check again:

[root@ip-... ~]# systemctl start docker

[root@ip-... ~]# iptables -L
Chain FORWARD (policy DROP)                               <<<< Turned to DROP
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

I tried to set the policy in /etc/sysconfig/iptables but that doesn't help.

This seems specific to Amazon Linux 2, I don't seem to have this problem on Ubuntu.

Any ideas?

Answer 1

It's a known behaviour, documented here: Docker on a router

The solution is to add an ACCEPT rule into DOCKER-USER chain:

~ # iptables -I DOCKER-USER -j ACCEPT

To make this change permanent you can put it to /etc/sysconfig/iptables:

*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ACCEPT
COMMIT

This will pre-create the ACCEPT rule and when docker starts and changes the FORWARD policy to DENY the packet forwarding will still work.

Hope that helps :)