I have an Ubuntu 14.05.5 LTS server with Docker installed:
Client:
Version: 1.13.0
API version: 1.25
Go version: go1.7.3
Git commit: 49bf474
Built: Tue Jan 17 09:50:17 2017
OS/Arch: linux/amd64
Server:
Version: 1.13.0
API version: 1.25 (minimum version 1.12)
Go version: go1.7.3
Git commit: 49bf474
Built: Tue Jan 17 09:50:17 2017
OS/Arch: linux/amd64
Experimental: false
I have little experience with Docker and have set this server up to host a couple of websites being developed by a third party developer who has server access.
This developer has asked me “The iptables dropped traffic between the containers. Docker containers are using 172.17.0.0/8 network. Could you please change a default iptables rules by adding the Docker rules that allow all traffic between the Docker containers? Also, containers need access to the Internet for updating their dependencies.”
On further investigation, these are the iptables rules that are in place. Note that previously UFW was enabled but is no longer:
Default filter table:
james@andromeda:~$ sudo iptables -t filter -L -v
Chain INPUT (policy ACCEPT 1235K packets, 505M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
544K 160M DOCKER-ISOLATION all -- any any anywhere anywhere
535K 145M DOCKER all -- any docker0 anywhere anywhere
527K 144M ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
9366 15M ACCEPT all -- docker0 !docker0 anywhere anywhere
1252 75120 ACCEPT all -- docker0 docker0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 1219K packets, 504M bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.3 tcp dpt:postgresql
0 0 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.4 tcp dpt:afs3-callback
0 0 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.4 tcp dpt:4001
6180 388K ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.6 tcp dpt:http
Chain DOCKER-ISOLATION (1 references)
pkts bytes target prot opt in out source destination
544K 160M RETURN all -- any any anywhere anywhere
Nat table:
james@andromeda:~$ sudo iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 3636 packets, 201K bytes)
pkts bytes target prot opt in out source destination
3010 163K DOCKER all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 2959 packets, 160K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 68 packets, 4705 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- any any anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 384 packets, 23413 bytes)
pkts bytes target prot opt in out source destination
411 25287 MASQUERADE all -- any !docker0 172.17.0.0/16 anywhere
0 0 MASQUERADE tcp -- any any 172.17.0.3 172.17.0.3 tcp dpt:postgresql
0 0 MASQUERADE tcp -- any any 172.17.0.4 172.17.0.4 tcp dpt:afs3-callback
0 0 MASQUERADE tcp -- any any 172.17.0.4 172.17.0.4 tcp dpt:4001
0 0 MASQUERADE tcp -- any any 172.17.0.6 172.17.0.6 tcp dpt:http
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
9 540 RETURN all -- docker0 any anywhere anywhere
0 0 DNAT tcp -- !docker0 any anywhere localhost tcp dpt:postgresql to:172.17.0.3:5432
0 0 DNAT tcp -- !docker0 any anywhere 172.17.0.1 tcp dpt:afs3-callback to:172.17.0.4:7001
0 0 DNAT tcp -- !docker0 any anywhere 172.17.0.1 tcp dpt:4001 to:172.17.0.4:4001
50 2748 DNAT tcp -- !docker0 any anywhere anywhere tcp dpt:http to:172.17.0.6:80
As you can see this is pretty vanilla stuff… Questions:
- Is there anything in the iptables configuration that is preventing communication between containers? I read this doc: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#/communication-between-containers and as far as my limited knowledge goes, the issue must be in the "filter" FORWARD chain since the INPUT and OUTPUT policies are set to accept and have no rules in them.
- I read this: http://stackoverflow.com/questions/33833488/iptables-rules-break-communication-between-docker-containers and it suggests adding "iptables -A FORWARD -i docker0 -j ACCEPT" to resolve this issue. Thoughts?
- The FORWARD policy is set to DROP by default - would this cause the communication to be blocked? I cannot find the option --icc="false" in the startup options for Docker, so I am unsure what is setting the policy by default to DROP.
- What do I need to add to allow the containers to have internet access?
Thanks if anyone has any nuggets of wisdom to help me.
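The following is an added example, not part of the question above and not Docker's own tooling. It is a small POSIX shell audit that takes an `iptables-save` dump (the same rules shown in the question, in iptables-save's one-line format) and reports whether the four rules Docker 1.13 installs for the default `docker0` bridge are present: the conntrack rule that lets replies back into the bridge, the `docker0 -> !docker0` ACCEPT that lets containers reach the Internet, the `docker0 -> docker0` ACCEPT that inter-container traffic depends on (with `--icc=false` Docker installs a DROP there instead), and the nat MASQUERADE for 172.17.0.0/16. It also checks the kernel's `ip_forward` knob, which every FORWARD rule silently depends on. The file name `docker_rules_audit.sh`, the function names, and the bridge name `docker0` with the default 172.17.0.0/16 subnet are assumptions for the example; a FORWARD policy of DROP is treated as expected, since Docker 1.13 sets that policy itself when it enables forwarding and relies on the explicit ACCEPT rules above to open the needed paths.

```shell
#!/bin/sh
# docker_rules_audit.sh (added example, not from the original post or from Docker).
# Audits an iptables-save dump for the rules Docker 1.13 installs for docker0.
# Usage on the real host:
#   . ./docker_rules_audit.sh
#   sudo iptables-save | audit_docker_rules && check_ip_forward && echo "forwarding OK"

# need LABEL REGEX: report ok/MISSING for one required rule and count misses.
# The dump is expected in $RULES (set by audit_docker_rules).
need() {
    if printf '%s\n' "$RULES" | grep -Eq -- "$2"; then
        echo "ok       $1"
    else
        echo "MISSING  $1"
        MISSING=$((MISSING + 1))
    fi
}

# audit_docker_rules [DUMP]: take an iptables-save dump as the first argument or
# on stdin. Returns 0 only when every rule needed for container<->container and
# container->Internet traffic is present. A "FORWARD DROP" policy line is NOT a
# finding: Docker 1.13 sets it, and the ACCEPT rules below punch the holes.
audit_docker_rules() {
    RULES=${1:-$(cat)}
    MISSING=0
    # Replies to connections a container opened (apt, pip, npm fetches) come back in.
    need "FORWARD: RELATED,ESTABLISHED replies back into docker0" \
        '^-A FORWARD -o docker0 -m (conntrack --ctstate|state --state) RELATED,ESTABLISHED -j ACCEPT$'
    # Containers may initiate traffic to anything that is not the bridge (Internet, host).
    need "FORWARD: docker0 -> outside (Internet access)" \
        '^-A FORWARD -i docker0 ! -o docker0 -j ACCEPT$'
    # Container-to-container traffic on the bridge. Absent (replaced by a DROP rule)
    # when the daemon runs with --icc=false.
    need "FORWARD: docker0 -> docker0 (inter-container, icc enabled)" \
        '^-A FORWARD -i docker0 -o docker0 -j ACCEPT$'
    # Source NAT so packets from 172.17.0.0/16 leaving the bridge get the host's address.
    need "nat POSTROUTING: MASQUERADE 172.17.0.0/16 when not leaving via docker0" \
        '^-A POSTROUTING -s 172\.17\.0\.0/16 ! -o docker0 -j MASQUERADE$'
    [ "$MISSING" -eq 0 ]
}

# check_ip_forward [FILE]: the FORWARD rules above are irrelevant if the kernel
# does not forward at all. Docker turns this on at daemon start (--ip-forward=true
# is the default), but a later sysctl reload can switch it back off, so read the
# live value. FILE defaults to the real sysctl; the test passes a temp file.
check_ip_forward() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}
```

Running the audit against the rules in the question would report all four FORWARD/nat rules as present (the `docker0 -> docker0` and `docker0 -> !docker0` ACCEPT rules appear in the FORWARD chain listing, and the MASQUERADE rule in POSTROUTING), so the script is most useful for spotting what changed after a UFW or iptables-restore run, rather than for confirming that these particular rules exist. The "MISSING" lines name the exact rule to re-add; restarting the Docker daemon recreates all of them.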