Docker service deployment affecting IP tables

The Problem: I have a docker swarm environment consisting of 4 nodes, between the 4 nodes I run about 12 services (containers) and I use Jenkins to deploy the services. UFW is not running in this instance. A few times in the last year I have experienced deploying a service through Jenkins for the container to then lose its entry in the IP table. Not only this but I have seen it affect other containers' entries too even though they aren’t the ones being deployed. The result is many bouncing containers and services that do not run.

I have seen online that you can tell docker to never make changes to your system iptables rules, and that you have to set --iptables=false when the daemon starts. However is manually managing IP tables really the way forward?

Does anyone know why this might be? If anyone could shed some light on the docker networking side of things, it would be much appreciated as my docker networking knowledge leaves a lot to be desired.

Thanks in advance.

Disabling Docker’s iptables support is not a practical way forward. In my opinion, the --iptables=false option should be removed since there isn’t a good way to do that and still have Docker’s networking features work properly. Maybe if you had a 100% non-networking container use case, that option might be appropriate.

In most cases, UFW can play nicely with Docker. I would focus effort on figuring out what is flushing iptables and whether that behavior can be disabled.
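As an added example (not from either post in this thread), a POSIX shell script that compares two `iptables-save` snapshots and reports which Docker chains and port-publishing (DNAT) rules disappeared, which is how one would pin down whether a Jenkins deploy is what flushes the rules. The snapshot contents are constructed; the chain names DOCKER and DOCKER-USER are the ones Docker itself creates.

```shell
#!/bin/sh
# Added example: detect Docker iptables entries lost between two snapshots.
# In a real run, replace the constructed snapshots with the output of
# `iptables-save` taken before and after a deploy.

# Constructed "before" snapshot: healthy nat table publishing port 8080.
BEFORE='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:8080
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER
COMMIT'

# Constructed "after" snapshot: something flushed the nat table.
AFTER='*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER
COMMIT'

# Print "<table> <chain>" for every Docker-managed chain in a snapshot.
docker_chains() {
  printf '%s\n' "$1" | awk '
    /^\*/ { table = substr($0, 2) }
    /^:DOCKER/ { sub(/^:/, "", $1); print table, $1 }'
}

# Print Docker chains present in snapshot $1 but missing from snapshot $2.
missing_docker_chains() {
  after=$(docker_chains "$2")
  docker_chains "$1" | while IFS= read -r pair; do
    printf '%s\n' "$after" | grep -qxF "$pair" || printf '%s\n' "$pair"
  done
}

# Count surviving DNAT rules, so a single container's lost port mapping
# is noticed even when the chain itself still exists.
dnat_rule_count() {
  printf '%s\n' "$1" | grep -c -- '-j DNAT'
}

missing_docker_chains "$BEFORE" "$AFTER"   # reports: nat DOCKER
```

Running `iptables-save` into a file on each node before and after a Jenkins deploy, then feeding both files to these functions, shows whether the deploy itself removed the chains or only individual rules.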