Docker firewall rules how to change or disable

I am on debian 8 and I moved the server from an old subnet to a new subnet IP. Problem is when docker starts its injecting iptables rules that assume the old subnet IP. I have struggled for some hours now and cant find where docker is holding this info and googling shows me in-correct or obsolete “help docs”

So I am stuck, where does docker hold the rules so I can fix them? and / or worst case how do I stop docker writing rules? I tried telling docker via systemd but this didnt work,



I had more or less the same issue and here is how I fixed it (ob Ubuntu, but I assume it will be the same on Debian).
I added to the docker daemon the following options (in /etc/sysconfig/docker):

OPTIONS=‘–bip -g /data/docker --iptables=false’

  • –bip sets the IP addresses and netmask for the containers
  • –iptables prevents Docker from modyfing my iptables rules

In the docker systemd unit file (/lib/systemd/system/docker.service), I added this line:

(The script must be executed after the docker daemon is up)

And the script simply looks like:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT

iptables -t nat -A POSTROUTING -s ! -o docker0 -j SNAT --to-source [HOST_IP]
iptables -t nat -A POSTROUTING -s ! -o docker0 -j MASQUERADE


I have a same problem, it’s fixed after follow these steps. Thank you so much!