Hello everyone,
I’m experiencing a very persistent and perplexing networking issue with Docker containers on my fresh Ubuntu 24.04 installation. My containers can reach the docker0 bridge, but cannot access the host’s local network gateway (192.168.180.1) or the internet (8.8.8.8, google.com).
I have performed extensive diagnostics and ruled out many common causes. I’m hoping someone here might have encountered a similar issue or can offer new insights.
System Information:
- OS: Ubuntu 24.04 LTS (Desktop) - Recently fresh installed.
- Kernel Version:
6.11.0-26-generic - Docker Version:
28.2.2(tried also28.1.1) - Docker Installation Method: Installed via official APT repository. Multiple attempts to reinstall Docker have been made, but the issue persists.
- Network Interface: Wi-Fi (
wlp0s20f3) docker0bridge IP:172.17.0.1/16
Problem Symptoms:
- From inside a
busyboxcontainer:ping 172.17.0.1(docker0) WORKSping 192.168.180.1(local gateway) FAILS (100% packet loss)ping 8.8.8.8(external DNS) FAILS (100% packet loss)
Diagnostic Steps Taken & Observations:
- IP Forwarding:
sysctl net.ipv4.ip_forwardreturnsnet.ipv4.ip_forward = 1
- iptables Rules:
sudo iptables -L -v -nandsudo iptables -t nat -L -v -nshow standard Docker rules.- The
MASQUERADErule for172.17.0.0/16onPOSTROUTINGis present and active. - No obvious blocking rules were found in the
filtertable.
- tcpdump Analysis (crucial findings):
- On
docker0(inside container:ping 8.8.8.8): sudo tcpdump -i docker0 -n icmpshows172.17.0.2 > 8.8.8.8: ICMP echo request. (Outgoing packets are seen).- NO ICMP echo replies from
8.8.8.8are ever seen ondocker0. - On
wlp0s20f3(host’s external Wi-Fi interface): sudo tcpdump -i wlp0s20f3 -n icmpshows:- Outgoing
192.168.180.48 > 8.8.8.8: ICMP echo request(confirming NAT is working). - Incoming
8.8.8.8 > 192.168.180.48: ICMP echo reply(confirming replies reach the host). - Critically: Host sends
192.168.180.48 > 8.8.8.8: ICMP time exceeded in-transitback to 8.8.8.8 for these reply packets. This indicates the host receives the reply but fails to forward it back to the container before TTL expires.
- Outgoing
- AppArmor Investigation (ruled out as cause):
sudo aa-statusshoweddocker-defaultprofile inenforcemode.- Could not find the
docker-defaultprofile file in/etc/apparmor.d/. sudo aa-disable docker-defaultandsudo aa-complain docker-defaultfailed (looking for an executable path).- Attempted to create
/etc/docker/daemon.jsonwith"apparmor-profile": "unconfined": This caused Docker daemon to fail to start (even with valid JSON syntax and permissions). - Removed
daemon.json, Docker restarted, but the networking problem persisted. - Crucial Test: Globally disabled AppArmor via GRUB (
apparmor=0inGRUB_CMDLINE_LINUX_DEFAULT) and rebooted. sudo aa-statusshowedapparmor module is loadedbutapparmor filesystem is not mounted(confirming it’s effectively disabled).- Problem still persisted: Containers still could not ping external IPs or gateway. This definitively rules out AppArmor.
- Other Firewall/Network Managers:
sudo ufw statusshowsStatus: inactive.NetworkManageris active,systemd-networkdis inactive.
- Routing Table & Docker0 Interface:
ip route showandip addr show docker0outputs confirmed that thedocker0bridge is correctly configured with172.17.0.1/16and the kernel has the correct route for172.17.0.0/16pointing todocker0.
conntrackTable:
- Cleared the
conntracktable (sudo conntrack -F) after stopping Docker, then restarted Docker. Problem still persisted.