Iptables-persistent on Ubuntu 14.04 messes up Docker iptables rules

While troubleshooting why my GitLab-CI jobs were failing, I discovered that iptables-persistent was messing up Docker iptables rules.

It appears to me that the iptables-persistent init script is run after the Docker service is started. That causes the iptables rules that Docker implements to be overwritten.

I found several similar topics, including "Change boot order docker server in Ubuntu 14" and "Docker and iptables configuration @startup", but none appeared to have a solid solution.

I use an Ansible template to set my /etc/iptables/rules.v4 file. Are Docker’s iptables rules always going to be the same? As in, can I save the iptables state after restarting Docker and add the Docker related rules to my Ansible configuration?

Can systemd detect that the rules are gone and initiate a restart?

Could I make Docker wait until after iptables-persistent has run to start? What if iptables-persistent is restarted, can Docker’s systemd server detect that and restart as well?

Does anyone have any other ideas on how to solve this? Well, other than switching OSes. :)

root@stagingtest:/etc/iptables# docker --version
Docker version 17.05.0-ce, build 89658be
root@stagingtest:/etc/iptables# cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"

Just in case someone stumbles across this when searching, I finally figured out how to fix this.

See: https://blog.daknob.net/debian-firewall-docker/

Basically, add iptables rules that NAT the traffic from/to Docker so that your containers can access the internet, and make sure packets are forwarded between your Docker bridge networks and your NIC.

I used named bridge networks in my docker-compose files so that I know what iptables rules to add for them.

Note, this solution means Docker is not managing firewall rules at all. You have to do so yourself.
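As an added example of the approach described in this answer (not code from the post, the linked blog, or Docker itself): a small POSIX shell generator that emits, in iptables-restore syntax, the NAT and FORWARD rules that stand in for the ones dockerd would normally install, so they can be dropped into /etc/iptables/rules.v4 (for example from an Ansible template). It assumes dockerd runs with the real `--iptables=false` option, and that each compose network pins its bridge name and subnet (the `com.docker.network.bridge.name` driver option plus an IPAM subnet) so the rules can reference them. The bridge names, subnets and uplink interface used here (br-gitlab, br-runner, 172.20.0.0/16, 172.21.0.0/16, eth0) are hypothetical.

```shell
#!/bin/sh
# Added example, not the forum poster's or Docker's own code.
# Assumes: dockerd started with --iptables=false, and compose networks with a fixed
# bridge name (com.docker.network.bridge.name) and subnet. All names are hypothetical.

# NAT rule for one bridge: masquerade traffic leaving its subnet through any other interface.
docker_nat_rule() {
    bridge="$1" subnet="$2"
    printf '%s\n' "-A POSTROUTING -s $subnet ! -o $bridge -j MASQUERADE"
}

# Forward rules for one bridge: out to the uplink, established replies back in,
# and container-to-container traffic on the same bridge.
docker_forward_rules() {
    bridge="$1" uplink="$2"
    printf '%s\n' "-A FORWARD -i $bridge -o $uplink -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $uplink -o $bridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $bridge -o $bridge -j ACCEPT"
}

# Docker normally keeps its bridges isolated from each other; with --iptables=false
# that is gone too, so drop traffic between every ordered pair of distinct bridges.
docker_isolation_rules() {
    for a in "$@"; do
        for b in "$@"; do
            [ "$a" = "$b" ] || printf '%s\n' "-A FORWARD -i $a -o $b -j DROP"
        done
    done
}

# Render a complete rules.v4: first argument is the uplink NIC, the rest are
# "bridge:subnet" pairs. FORWARD defaults to DROP; the explicit isolation DROPs
# make the intent visible even if someone later loosens that policy.
render_rules_v4() {
    uplink="$1"; shift
    bridges=""
    for net in "$@"; do bridges="$bridges ${net%%:*}"; done
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    for net in "$@"; do docker_nat_rule "${net%%:*}" "${net#*:}"; done
    echo 'COMMIT'
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -p tcp --dport 22 -j ACCEPT'
    # shellcheck disable=SC2086  (word splitting of $bridges is intended)
    docker_isolation_rules $bridges
    for net in "$@"; do docker_forward_rules "${net%%:*}" "$uplink"; done
    echo 'COMMIT'
}

# Usage (hypothetical values):
#   render_rules_v4 eth0 br-gitlab:172.20.0.0/16 br-runner:172.21.0.0/16 > rules.v4
# Validate with `iptables-restore --test < rules.v4` before installing it, and make
# sure net.ipv4.ip_forward=1 is set, since nothing else will forward bridge traffic.
```

Because Docker no longer manages any rules in this setup, the generated file must also carry whatever DNAT rules published ports need; the generator above only covers outbound NAT, forwarding and inter-bridge isolation, which is the part the answer describes.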