Docker update on Fedora 22 can not link containers

Up until the latest update, networking between linked containers worked great. Now, it does not.

Here’s my easy test case:

$ rpm -q docker
docker-1.7.0-6.git74e7a7a.fc22.x86_64

In one window:

$ docker run --rm -it --name=one docker.io/busybox /bin/sh
/ # nc -l -p 4444

On the Fedora 22 host:

$ docker inspect one | grep 172
    "Gateway": "172.17.42.1",
    "IPAddress": "172.17.0.11",

$ nc 172.17.0.11 4444
hello

And the “hello” shows up in the “one” container.

Now, on the host again, fire up another container linked with the first:

$ docker run --rm -it --name=two --link one:one docker.io/busybox /bin/sh
/ # 

Now, inside the “two” container:

/ # ping one
PING one (172.17.0.11): 56 data bytes
64 bytes from 172.17.0.11: seq=0 ttl=64 time=0.160 ms
64 bytes from 172.17.0.11: seq=1 ttl=64 time=0.100 ms
^C
--- one ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.100/0.130/0.160 ms

Looks like I can ping the other container, but this:

/ # nc one 4444
nc: can't connect to remote host (172.17.0.11): No route to host
/ #

Up till this last update, this all worked. Any suggestions? I added all this info to the bugzilla bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1244124

Another update for anyone else following this:

Here is a (better) workaround till this gets fixed in the Fedora package:

After bringing up the docker daemon (so the DOCKER firewall chain is there), run as root:

iptables -A DOCKER --source 0.0.0.0/0 --destination 172.17.0.0/16 \
  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A DOCKER --destination 0.0.0.0/0 --source 172.17.0.0/16 -j ACCEPT

Now the forwarding works as expected and linked containers work.
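
The two `iptables -A` commands above append a duplicate rule every time they are run. The following is an added example, not part of the original post, that wraps the same two rules in a check with `iptables -C` so it is safe to re-run. The function names, the `SUBNET` variable and the `--apply` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent form of the workaround above.
# Assumption: the default docker0 subnet shown in the post; override with SUBNET=...
SUBNET="${SUBNET:-172.17.0.0/16}"

# Append a rule to the DOCKER chain only if an identical rule is not already
# present. `iptables -C` exits 0 when the rule exists, non-zero otherwise.
ensure_rule() {
    if iptables -C DOCKER "$@" 2>/dev/null; then
        echo "present: $*"
    else
        iptables -A DOCKER "$@" && echo "added:   $*"
    fi
}

apply_workaround() {
    # The DOCKER chain exists only after the daemon has created it.
    if ! iptables -n -L DOCKER >/dev/null 2>&1; then
        echo "DOCKER chain not found; start the docker daemon first" >&2
        return 1
    fi
    # Packets to the bridge subnet that belong to established connections.
    ensure_rule --source 0.0.0.0/0 --destination "$SUBNET" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Everything sourced from the bridge subnet. Note this accepts all ports,
    # not only the ports exposed to linked containers.
    ensure_rule --destination 0.0.0.0/0 --source "$SUBNET" -j ACCEPT
}

# Apply only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--apply" ]; then
    apply_workaround
fi
```

Run it as root with `--apply` once the daemon is up; `iptables -S DOCKER` then lists each rule exactly once however many times the script has been run.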