
How to update native docker firewall rules in linux?


(Muthu329024) #1

Hello Champs!

I have native docker running on linux... There are two running containers with published ports (80, 8081)...
When I try ‘wget’ from one container to another I get the error "No route to host".

When I disable the firewall, it works fine... I’m sure I need to do something with iptables rules but not sure exactly what to do...

[root ~]$ docker exec -it gitlab /bin/bash
root@gitlabpoc:/# ping -c 2 10.144.3.35
PING 10.144.3.35 (10.144.3.35) 56(84) bytes of data.
64 bytes from 10.144.3.35: icmp_seq=1 ttl=64 time=0.120 ms
64 bytes from 10.144.3.35: icmp_seq=2 ttl=64 time=0.081 ms

--- 10.144.3.35 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.081/0.100/0.120/0.021 ms
root@gitlabpoc:/# telnet 10.144.3.35 8081
Trying 10.144.3.35...
telnet: Unable to connect to remote host: No route to host
root@gitlabpoc:/# exit
exit

#######################

[root ~]$ service iptables stop
Redirecting to /bin/systemctl stop iptables.service

[root ~]$ docker exec -it gitlab /bin/bash
root@gitlabpoc:/# telnet 10.144.3.35 8081
Trying 10.144.3.35...
Connected to 10.144.3.35.
Escape character is '^]'.

#######################################################


[root ~]$ iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root ~]$ service iptables stop
Redirecting to /bin/systemctl stop iptables.service
[root ~]$ service iptables start
Redirecting to /bin/systemctl start iptables.service
[root ~]$ iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root ~]$

If iptables is stopped then...

[root ~]$ iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root ~]$

So my question is: how do I change the policy rule so that the FORWARD chain ACCEPTs these requests??
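The listing above shows the situation behind the "No route to host": after `service iptables start` the FORWARD chain holds only the distro's catch-all REJECT, and the ACCEPT/DOCKER rules that dockerd normally inserts ahead of it are gone. The following added script (not from the original post) checks a `iptables -S FORWARD` listing for exactly that ordering problem and prints the narrowly scoped ACCEPT rules Docker itself would have added, instead of stopping the firewall. It assumes the default bridge name `docker0`; the two sample listings are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Detects a catch-all REJECT in
# FORWARD that sits ahead of Docker's rules and prints a scoped fix.

# Constructed sample modelled on the post's chain after `service iptables start`:
# Docker's jumps are missing and the REJECT is the only FORWARD rule.
SAMPLE_BROKEN='-P FORWARD ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample of a healthy chain: Docker's rules precede the REJECT.
SAMPLE_OK='-P FORWARD ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# forward_blocks_docker <rules>: prints "blocked" if an unconditional REJECT
# (no -i/-o/-s/-d match) appears before any rule naming docker0 or a DOCKER*
# chain, "ok" otherwise. Pure text processing, needs no root.
forward_blocks_docker() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD/ && /docker0|-j DOCKER/ { seen_docker = 1 }
        /^-A FORWARD/ && /-j REJECT/ && !/ -[iosd] / && !seen_docker {
            print "blocked"; found = 1; exit
        }
        END { if (!found) print "ok" }'
}

# suggest_fix: the rules dockerd installs for the default bridge (bridge name
# docker0 assumed). Printed, not executed; `-I` places them before the REJECT.
# Restarting dockerd would recreate them as well.
suggest_fix() {
    echo 'iptables -I FORWARD -i docker0 -o docker0 -j ACCEPT'
    echo 'iptables -I FORWARD -i docker0 ! -o docker0 -j ACCEPT'
    echo 'iptables -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
}

# Self-check on the constructed samples, then inspect the live chain when
# iptables is present and we are root.
forward_blocks_docker "$SAMPLE_BROKEN"   # blocked
forward_blocks_docker "$SAMPLE_OK"       # ok
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    [ "$(forward_blocks_docker "$(iptables -S FORWARD 2>/dev/null)")" = blocked ] && suggest_fix
fi
```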