
I've got OpenVPN on an Amazon Linux 2 EC2 instance and need to forward packets through it. It works until I start Docker on the instance. Then the FORWARD policy turns to DROP and the VPN stops working.

[root@ip-... ~]# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)                             <<< See it's ACCEPT
target     prot opt source               destination         

Then I start docker and check again:

[root@ip-... ~]# systemctl start docker

[root@ip-... ~]# iptables -L
Chain FORWARD (policy DROP)                               <<<< Turned to DROP
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

I tried to set the policy in /etc/sysconfig/iptables but that doesn't help.

This seems specific to Amazon Linux 2; I don't seem to have this problem on Ubuntu.

Any ideas?

KeepLearning

1 Answer


It's a known behaviour, documented here: Docker on a router

The solution is to add an ACCEPT rule into DOCKER-USER chain:

~ # iptables -I DOCKER-USER -j ACCEPT

To make this change permanent you can put it to /etc/sysconfig/iptables:

*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ACCEPT
COMMIT

This will pre-create the ACCEPT rule, and when Docker starts and changes the FORWARD policy to DENY, packet forwarding will still work.

Hope that helps :)

MLu
  • I am commenting here to add that I lost connectivity to my bridged VMs after installing Docker. Also, there is no /etc/sysconfig/iptables on Debian Buster. A package named *iptables-persistent* might address this, but I fixed this problem by adding `iptables -P FORWARD ACCEPT` to /etc/rc.local. – berndbausch Jul 04 '21 at 04:17
  • The same thing happens with ip6tables, but there is no DOCKER-USER chain in ip6tables. – Lamp May 06 '22 at 19:14
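As an added example (not part of the original question, answer or comments): a small POSIX shell audit that checks an `iptables-save`-style ruleset for the situation described above, namely FORWARD policy DROP with no ACCEPT rule in DOCKER-USER, and prints an /etc/sysconfig/iptables fragment that accepts only traffic entering or leaving via the VPN interface rather than the blanket `-A DOCKER-USER -j ACCEPT` from the answer. The VPN interface name `tun0` and the two embedded rulesets are constructed assumptions; on a live host you would feed it the output of `iptables-save` instead.

```shell
#!/bin/sh
# Added example, not the answer's own code. Audits an iptables-save style
# ruleset for Docker's FORWARD DROP policy and checks whether DOCKER-USER
# accepts VPN traffic before Docker's own rules run. The VPN interface
# (tun0) and both sample rulesets below are constructed assumptions.

# Constructed sample: filter table as Docker leaves it, nothing in DOCKER-USER.
SAMPLE_BROKEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT'

# Constructed sample: same table, with interface-scoped ACCEPT rules in place.
SAMPLE_FIXED='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -i tun0 -j ACCEPT
-A DOCKER-USER -o tun0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# forward_policy RULESET -> prints the FORWARD chain policy (ACCEPT or DROP)
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == ":FORWARD" { print $2; exit }'
}

# docker_user_accepts RULESET IFACE -> exit 0 if DOCKER-USER has an ACCEPT
# rule that applies to IFACE (either unconditional or scoped with -i/-o IFACE)
docker_user_accepts() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == "-A" && $2 == "DOCKER-USER" {
            accept = 0; iface_match = 1
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
                if (($i == "-i" || $i == "-o") && $(i+1) != ifc) iface_match = 0
            }
            if (accept && iface_match) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# vpn_forwarding_ok RULESET IFACE -> exit 0 when forwarded VPN traffic gets
# through: FORWARD still defaults to ACCEPT, or DOCKER-USER (which Docker
# jumps to first) explicitly accepts it before the DROP policy applies.
vpn_forwarding_ok() {
    [ "$(forward_policy "$1")" = "ACCEPT" ] && return 0
    docker_user_accepts "$1" "$2"
}

# docker_user_rules IFACE -> prints an /etc/sysconfig/iptables fragment that
# pre-creates DOCKER-USER and accepts only traffic on IFACE, a narrower
# alternative to the blanket ACCEPT; everything else still falls through
# to Docker's own rules and the FORWARD policy.
docker_user_rules() {
    printf '*filter\n:DOCKER-USER - [0:0]\n-A DOCKER-USER -i %s -j ACCEPT\n-A DOCKER-USER -o %s -j ACCEPT\nCOMMIT\n' "$1" "$1"
}

# report NAME RULESET -> one summary line per ruleset
report() {
    if vpn_forwarding_ok "$2" tun0; then
        echo "$1: FORWARD policy $(forward_policy "$2"), VPN forwarding OK"
    else
        echo "$1: FORWARD policy $(forward_policy "$2"), VPN forwarding BLOCKED"
    fi
}

report SAMPLE_BROKEN "$SAMPLE_BROKEN"
report SAMPLE_FIXED "$SAMPLE_FIXED"
echo "Suggested fragment for tun0:"
docker_user_rules tun0
```

Scoping the ACCEPT to the VPN interface keeps Docker's isolation rules in effect for every other forwarded path, which a blanket `-j ACCEPT` at the top of DOCKER-USER would bypass entirely.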