
I have a question very similar to this one: Iptables rule-set so that a docker container can access a service on a host IP, where my containers are not being allowed to access the host. The problem with the linked stackoverflow accepted answer is that when I run `iptables -I INPUT -i docker0 -j Accept` my containers are still not given access to the host.

When running `dc up`, docker compose creates a bridged adapter like so:

br-ddc5c71a14aa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:5e:11:84:5b brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.1/16 brd 172.20.255.255 scope global br-ddc5c71a14aa
       valid_lft forever preferred_lft forever
    inet6 fe80::42:5eff:fe11:845b/64 scope link 
       valid_lft forever preferred_lft forever

and the iptables are adjusted like so:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
11722 1171K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
11722 1171K DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (2 references)
pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !br-ddc5c71a14aa br-ddc5c71a14aa  0.0.0.0/0            172.20.0.2           tcp dpt:5432
    0     0 ACCEPT     tcp  --  !br-ddc5c71a14aa br-ddc5c71a14aa  0.0.0.0/0            172.20.0.3           tcp dpt:443
    0     0 ACCEPT     tcp  --  !br-ddc5c71a14aa br-ddc5c71a14aa  0.0.0.0/0            172.20.0.3           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
5006  280K DOCKER-ISOLATION-STAGE-2  all  --  br-ddc5c71a14aa !br-ddc5c71a14aa  0.0.0.0/0            0.0.0.0/0

The only thing that I seem to be able to do to get the containers to access the host is to accept packets from the bridged adapter: `iptables -I INPUT -i br-ddc5c71a14aa -j ACCEPT`.

I'm running Fedora 28, Docker version 18.06.1-ce, build e68fc7a, and docker-compose version 1.22.0, build f46880fe. What do I need to do so that docker/docker compose can automatically adjust the iptables to have the host accept packets from the containers?

j will
  • For troubleshooting purposes, have you tried disabling selinux? `sudo setenforce 0`. If that works, you can then refine the policies (or disable it altogether if you don't mind making Dan Walsh cry https://stopdisablingselinux.com/ ) – Freedom_Ben Oct 04 '18 at 15:34
  • @Freedom_Ben, yes. I've disabled SELinux – j will Oct 04 '18 at 15:35
  • is there a `docker` group, and did you add yourself to it? Check with `groups $(whoami)` and add with `groupadd docker && usermod -a -G groups $(whoami)`. If you added yourself you need to reload groups for it to take effect. Either logout and back in or run `newgrp docker`: – Freedom_Ben Oct 04 '18 at 15:46
  • yes, `groups $(whoami)` returns `username : username wheel docker` – j will Oct 04 '18 at 15:49
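The FORWARD chains shown in the question are the only ones Docker 18.06 manages; container-to-host traffic is decided by the INPUT chain, and the `docker0` rule from the linked answer does not match compose's `br-*` bridge. The following script is an added example, not code from the question or from Docker: it finds the Docker bridges in `ip -o link show` output, emits INPUT rules limited to the host ports containers actually need instead of a blanket accept on the bridge, and applies them only if not already present. The `SAMPLE_LINKS` text, the function names and the port list are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ip -o link show` output (not captured from the question's host;
# it reuses the bridge name the question shows, plus docker0, eth0 and one veth).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
4: br-ddc5c71a14aa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
5: veth1a2b3c4@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-ddc5c71a14aa state UP'

# Print the Docker-managed bridges in `ip -o link show` output read from stdin:
# docker0 plus every compose/user-defined network bridge (Docker names them br-<hex>).
docker_bridges() {
    awk -F': ' '{ n = $2; sub(/@.*/, "", n)
                  if (n == "docker0" || n ~ /^br-[0-9a-f]+$/) print n }'
}

# Emit one INPUT rule per bridge and TCP port read from stdin, so containers can reach
# only the named host services rather than everything listening on the host.
# Usage: docker_bridges < links | host_access_rules "PORT ..."
host_access_rules() {
    ports=$1
    while read -r br; do
        for p in $ports; do
            printf 'iptables -I INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$br" "$p"
        done
    done
}

# Apply rules read from stdin idempotently: `iptables -C` reports whether the rule
# already exists, so re-running after `docker compose up` does not duplicate it.
apply_rules() {
    while read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -I INPUT / -C INPUT /')
        $check 2>/dev/null || $rule
    done
}

# Real use (needs root): ip -o link show | docker_bridges | host_access_rules "5432" | apply_rules
```

Because the bridge name changes whenever the compose network is recreated, rerun the pipeline after each `docker compose up` rather than hard-coding `br-ddc5c71a14aa`.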
