External Networks Unreachable

Hello! I have an unusual problem where all docker containers on an Ubuntu host using the default bridge network are unable to reach any network address, including pinging the host’s bridge address on the docker0 interface. I haven’t tried pinging between hosts on the same bridge though. For troubleshooting purposes, I’m simply trying to ping from within the container.

I’ve done a lot of troubleshooting and have found that packets are processed and accepted (on the host) by iptables' PREROUTING chain in the nat table, but disappear afterwards. The next chain the packets are supposed to go to is the filter table’s FORWARD chain, which never occurs for some reason. The processing simply stops after being accepted by the PREROUTING chain.

I’ve verified that sysctl is allowing forwarding on all ipv4 interfaces, including docker0. The bridge interface looks right as well, as seen through brctl. Also, all the NAT and iptables kernel modules are loaded properly. The container and host’s routing tables are fine as well.

The only way I can get the container to access external networks is by creating it with --network=host. Obviously this is a security concern for me. Any ideas? I’m at my wit's end.
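An added diagnostic script (not the poster's code) that checks the host-side settings the troubleshooting above touches: net.ipv4.ip_forward, the filter FORWARD chain's default policy and whether Docker's own rules are still present in it, and the nat MASQUERADE rule for the bridge subnet. It assumes Docker's default bridge subnet 172.17.0.0/16 and embeds constructed `iptables -S` / `sysctl` output so the checks run offline.

```shell
#!/bin/sh
# Added example (not code from the original post). Offline checks of the
# host settings a default-bridge container depends on for outbound traffic.
# Each check takes command output as text; "--live" runs the real
# commands (root required). Bridge subnet 172.17.0.0/16 is Docker's default.
# Print the default policy of the filter FORWARD chain (ACCEPT or DROP).
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Succeed if FORWARD has any Docker rule (jump to a DOCKER* chain or a docker0
# match); a firewall reload that flushes iptables after dockerd started removes them.
has_docker_forward_rule() {
    printf '%s\n' "$1" | grep -qE -- '^-A FORWARD .*(docker0|-j DOCKER)'
}

# Succeed if nat POSTROUTING masquerades the bridge subnet given as $2.
has_masquerade() {
    printf '%s\n' "$1" | grep -- "^-A POSTROUTING -s $2 " | grep -q -- '-j MASQUERADE'
}

# Print the value of key $2 from `sysctl` output ("key = value" lines).
sysctl_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $3; exit }'
}

# One finding per line; prints nothing when all three checks pass.
report() {
    policy=$(forward_policy "$1")
    [ "$policy" = ACCEPT ] || has_docker_forward_rule "$1" ||
        echo "FORWARD policy is $policy and no Docker rules: forwarded packets are dropped"
    has_masquerade "$2" "$4" || echo "no MASQUERADE for $4 in nat POSTROUTING"
    [ "$(sysctl_value "$3" net.ipv4.ip_forward)" = 1 ] || echo "net.ipv4.ip_forward is not 1"
}

# Constructed samples: a healthy host and one whose FORWARD rules were flushed.
HEALTHY_FWD='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT'
BROKEN_FWD='-P FORWARD DROP'
HEALTHY_NAT='-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'
HEALTHY_SYS='net.ipv4.ip_forward = 1'
if [ "${1:-}" = --live ]; then   # on a real host: sh <this file> --live [bridge-subnet]
    report "$(iptables -S FORWARD)" "$(iptables -t nat -S POSTROUTING)" \
        "$(sysctl net.ipv4.ip_forward)" "${2:-172.17.0.0/16}"
else
    report "$HEALTHY_FWD" "$HEALTHY_NAT" "$HEALTHY_SYS" 172.17.0.0/16
    report "$BROKEN_FWD" "$HEALTHY_NAT" "$HEALTHY_SYS" 172.17.0.0/16
fi
```

Run without arguments it reports only on the constructed samples; a container that cannot even ping the docker0 address takes the INPUT path rather than FORWARD, so that symptom also warrants checking the filter INPUT chain on the host.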