Issue opening traffic between two Docker networks on the new version on Ubuntu

Hello,

I’m running Ubuntu 24.04 and I’ve had an issue for about a month.

I have several machines communicating across two networks created by Docker, through their gateway (my host), and I apply the following iptables rules:

-A DOCKER-USER -s 192.168.243.0/26 -d 192.168.244.0/24 -p icmp -j ACCEPT
-A DOCKER-USER -s 192.168.244.0/24 -d 192.168.243.0/26 -p icmp -j ACCEPT

This works with docker.io_27.5.1-0ubuntu3~24.04.2, but as soon as I install docker.io_28.2.2-0ubuntu1~24.04.1_amd64.deb, it stops working. I tested this on a virtual machine and communication no longer works.

I wondered if it was coming from iptables. On the left is version 27.5.1 and on the right the new version. I also doubt it is iptables because even when I reload the old iptables rules, ping still doesn’t work.

Does anyone know how to enable ping between two containers on different networks?

Left (docker.io 27.5.1):

# Generated by iptables-save v1.8.10 (nf_tables) on Tue Nov 11 14:46:21 2025
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-d1199c107174 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-d1199c107174 -j DOCKER
-A FORWARD -i br-d1199c107174 ! -o br-d1199c107174 -j ACCEPT
-A FORWARD -i br-d1199c107174 -o br-d1199c107174 -j ACCEPT
-A FORWARD -o br-f6ac5497685d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-f6ac5497685d -j DOCKER
-A FORWARD -i br-f6ac5497685d ! -o br-f6ac5497685d -j ACCEPT
-A FORWARD -i br-f6ac5497685d -o br-f6ac5497685d -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-d1199c107174 ! -o br-d1199c107174 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-f6ac5497685d ! -o br-f6ac5497685d -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-d1199c107174 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-f6ac5497685d -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -s 192.168.243.0/26 -d 192.168.244.0/24 -p icmp -j ACCEPT
-A DOCKER-USER -s 192.168.244.0/24 -d 192.168.243.0/26 -p icmp -j ACCEPT
-A DOCKER-USER -s 192.168.243.0/26 -d 192.168.244.0/24 -p tcp -m tcp --sport 443 -j ACCEPT
-A DOCKER-USER -s 192.168.244.0/24 -d 192.168.243.0/26 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER-USER -s 192.168.243.0/24 -d 192.168.243.126/32 -p tcp -m multiport --sports 443,80 -j ACCEPT
-A DOCKER-USER -s 192.168.243.126/32 -d 192.168.243.0/24 -p tcp -m multiport --dports 443,80 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Tue Nov 11 14:46:21 2025
# Generated by iptables-save v1.8.10 (nf_tables) on Tue Nov 11 14:46:21 2025
*nat
:PREROUTING ACCEPT [979:81492]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [338:26395]
:POSTROUTING ACCEPT [338:26395]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -s 192.168.243.0/26 -d 192.168.196.0/24 -j DNAT --to-destination 192.168.243.22
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.168.244.0/24 ! -o br-d1199c107174 -j MASQUERADE
-A POSTROUTING -s 192.168.243.0/26 ! -o br-f6ac5497685d -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i br-d1199c107174 -j RETURN
-A DOCKER -i br-f6ac5497685d -j RETURN
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Tue Nov 11 14:46:21 2025

Right (docker.io 28.2.2):

# Generated by iptables-save v1.8.10 (nf_tables) on Tue Nov 11 14:47:36 2025
*raw
:PREROUTING ACCEPT [507:27648]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.244.2/32 ! -i br-d1199c107174 -j DROP
COMMIT
# Completed on Tue Nov 11 14:47:36 2025
# Generated by iptables-save v1.8.10 (nf_tables) on Tue Nov 11 14:47:36 2025
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-BRIDGE - [0:0]
:DOCKER-CT - [0:0]
:DOCKER-FORWARD - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
-A DOCKER ! -i br-d1199c107174 -o br-d1199c107174 -j DROP
-A DOCKER ! -i br-f6ac5497685d -o br-f6ac5497685d -j DROP
-A DOCKER ! -i docker0 -o docker0 -j DROP
-A DOCKER-BRIDGE -o br-d1199c107174 -j DOCKER
-A DOCKER-BRIDGE -o br-f6ac5497685d -j DOCKER
-A DOCKER-BRIDGE -o docker0 -j DOCKER
-A DOCKER-CT -o br-d1199c107174 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-CT -o br-f6ac5497685d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-FORWARD -j DOCKER-CT
-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-FORWARD -j DOCKER-BRIDGE
-A DOCKER-FORWARD -i br-d1199c107174 -j ACCEPT
-A DOCKER-FORWARD -i br-f6ac5497685d -j ACCEPT
-A DOCKER-FORWARD -i docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-d1199c107174 ! -o br-d1199c107174 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-f6ac5497685d ! -o br-f6ac5497685d -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-f6ac5497685d -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-d1199c107174 -j DROP
-A DOCKER-USER -s 192.168.243.126/32 -d 192.168.243.20/32 -p tcp -m tcp --sport 8200 -j ACCEPT
-A DOCKER-USER -s 192.168.243.20/32 -d 192.168.243.126/32 -p tcp -m tcp --dport 8200 -j ACCEPT
-A DOCKER-USER -s 192.168.243.126/32 -d 192.168.244.0/24 -p tcp -m tcp --sport 8200 -j ACCEPT
-A DOCKER-USER -s 192.168.244.0/24 -d 192.168.243.126/32 -p tcp -m tcp --dport 8200 -j ACCEPT
-A DOCKER-USER -s 192.168.243.0/24 -d 192.168.243.126/32 -p tcp -m multiport --sports 443,80 -j ACCEPT
-A DOCKER-USER -s 192.168.243.126/32 -d 192.168.243.0/24 -p tcp -m multiport --dports 443,80 -j ACCEPT
-A DOCKER-USER -s 192.168.243.0/26 -d 192.168.244.0/24 -p icmp -j ACCEPT
-A DOCKER-USER -s 192.168.244.0/24 -d 192.168.243.0/26 -p icmp -j ACCEPT
-A DOCKER-USER -s 192.168.243.0/26 -d 192.168.244.0/24 -p tcp -m tcp --sport 443 -j ACCEPT
-A DOCKER-USER -s 192.168.244.0/24 -d 192.168.243.0/26 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER-USER -s 192.168.243.0/24 -d 192.168.243.126/32 -p tcp -m multiport --sports 443,80 -j ACCEPT
-A DOCKER-USER -s 192.168.243.126/32 -d 192.168.243.0/24 -p tcp -m multiport --dports 443,80 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Tue Nov 11 14:47:36 2025
# Generated by iptables-save v1.8.10 (nf_tables) on Tue Nov 11 14:47:36 2025
*nat
:PREROUTING ACCEPT [979:81492]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [345:26943]
:POSTROUTING ACCEPT [345:26943]
:DOCKER - [0:0]
-A PREROUTING -s 192.168.243.0/26 -d 192.168.196.0/24 -j DNAT --to-destination 192.168.243.22
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -s 192.168.243.0/26 -d 192.168.196.0/24 -j DNAT --to-destination 192.168.243.22
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.244.0/24 ! -o br-d1199c107174 -j MASQUERADE
-A POSTROUTING -s 192.168.243.0/26 ! -o br-f6ac5497685d -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-f6ac5497685d -j RETURN
-A DOCKER -i br-d1199c107174 -j RETURN
COMMIT
# Completed on Tue Nov 11 14:47:36 2025
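The script below is an added diagnostic, not something from the original post. It reads an iptables-save dump and flags rules of the kind that appears only in the 28.2.2 dump above: `-A PREROUTING -d 192.168.244.2/32 ! -i br-d1199c107174 -j DROP` in the raw table. The raw table's PREROUTING chain is traversed before the filter table's FORWARD chain, so a packet from 192.168.243.0/26 that arrives on br-f6ac5497685d and is addressed to 192.168.244.2 is dropped before DOCKER-USER is ever consulted, which fits the observation that reloading the old DOCKER-USER rules changes nothing. That 192.168.244.2 is the container being pinged is an assumption; the two sample dumps embedded in the script are constructed from the columns above, trimmed to the relevant lines.

```shell
#!/bin/sh
# Added example (not from the thread): find raw-table PREROUTING rules that
# drop packets addressed to a container IP unless they arrive on that
# container's own bridge. Nothing in the filter table (DOCKER-USER included)
# runs before raw PREROUTING, so such a rule cannot be overridden there.

# Constructed sample: the relevant lines of the 28.2.2 dump posted above.
SAMPLE_28='*raw
:PREROUTING ACCEPT [507:27648]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.244.2/32 ! -i br-d1199c107174 -j DROP
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -s 192.168.243.0/26 -d 192.168.244.0/24 -p icmp -j ACCEPT
COMMIT'

# Constructed sample: the 27.5.1 dump has no raw table at all.
SAMPLE_27='*filter
:FORWARD DROP [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -s 192.168.243.0/26 -d 192.168.244.0/24 -p icmp -j ACCEPT
COMMIT'

# Print "<container-ip> <bridge>" for every raw-table rule of the form
#   -A PREROUTING -d <ip>/32 ! -i <bridge> -j DROP
# Reads an iptables-save dump on stdin; prints nothing if there are none.
find_direct_routing_drops() {
    awk '
        /^\*/ { table = substr($0, 2) }              # *raw, *filter, *nat
        table == "raw" && $1 == "-A" && $2 == "PREROUTING" && $NF == "DROP" {
            ip = ""; bridge = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-d") ip = $(i + 1)
                if ($i == "!" && $(i + 1) == "-i") bridge = $(i + 2)
            }
            if (ip != "" && bridge != "") print ip, bridge
        }'
}

# Exit 0 if a packet addressed to <dst-ip> that enters on <in-iface> would be
# dropped by one of those rules, i.e. the destination is pinned to a bridge
# other than <in-iface>. Reads the dump on stdin.
would_be_dropped() {   # usage: would_be_dropped <dst-ip> <in-iface> < dump
    dst=$1; iface=$2
    find_direct_routing_drops | awk -v d="$dst" -v i="$iface" '
        { sub(/\/32$/, "", $1); if ($1 == d && $2 != i) hit = 1 }
        END { exit (hit ? 0 : 1) }'
}

# On a live host (needs root):
#   sudo iptables-save | would_be_dropped 192.168.244.2 br-f6ac5497685d \
#       && echo "raw table drops it before DOCKER-USER"
```

The check is deliberately narrow: it only recognises the rule shape present in the posted dump, so a host with the same symptom but a different rule layout should be inspected by hand with `iptables-save -t raw`.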

docker.io is maintained by Ubuntu developers. The official way to install Docker CE can be found in the documentation:

https://docs.docker.com/engine/install/ubuntu/

It is based on the Moby project as Docker CE but the two are not the same.

Why do you want traffic between Docker networks? If you have two compose projects and you want containers in one to communicate with containers in the other, the standard way is creating an external network (docker network create) and attaching the network to containers in both compose projects. We have multiple networks to isolate services, so not being able to communicate without an extra, common network is intentional.


I have the same issue on the docker-ce version.

ron@ron:~$ dpkg -l|grep docker
ii  docker-ce                            5:29.0.0-1~ubuntu.24.04~noble           amd64        Docker: the open-source application container engine
ii  docker-ce-cli                        5:29.0.0-1~ubuntu.24.04~noble           amd64        Docker CLI: the open-source application container engine
ii  docker-ce-rootless-extras            5:29.0.0-1~ubuntu.24.04~noble           amd64        Rootless support for Docker.
ii  docker-compose-plugin                2.40.3-1~ubuntu.24.04~noble             amd64        Docker Compose (V2) plugin for the Docker CLI.

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-FORWARD  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (3 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain DOCKER-BRIDGE (1 references)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            

Chain DOCKER-CT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
target     prot opt source               destination         
DOCKER-CT  all  --  anywhere             anywhere            
DOCKER-INTERNAL  all  --  anywhere             anywhere            
DOCKER-BRIDGE  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain DOCKER-INTERNAL (1 references)
target     prot opt source               destination         

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.243.0/24     192.168.243.126      multiport sports https,http
ACCEPT     tcp  --  192.168.243.126      192.168.243.0/24     multiport dports https,http
ACCEPT     icmp --  192.168.243.0/26     192.168.244.0/24    
ACCEPT     icmp --  192.168.244.0/24     192.168.243.0/26    

I reverted to version 27 CE and now it works again. Something changed in version 28, either a new method or a bug. For your information, I rolled back the update and set a flag to prevent Docker from being updated on the servers.

ron@ron:~/ubuntu2$ dpkg -l |grep docker
ii  docker-ce                            5:27.5.0-1~ubuntu.24.04~noble           amd64        Docker: the open-source application container engine
ii  docker-ce-cli                        5:27.5.0-1~ubuntu.24.04~noble           amd64        Docker CLI: the open-source application container engine
ii  docker-compose-plugin                2.27.1-1~ubuntu.24.04~noble             amd64        Docker Compose (V2) plugin for the Docker CLI.
ron@ron:~/ubuntu2$ docker exec -ti ubuntu20_04_ironmachine_dev_valmir2 /bin/bash
root@be8ce070f509:/# ping 192.168.243.2
PING 192.168.243.2 (192.168.243.2): 56 data bytes
64 bytes from 192.168.243.2: icmp_seq=0 ttl=63 time=0.096 ms
64 bytes from 192.168.243.2: icmp_seq=1 ttl=63 time=0.103 ms
^C--- 192.168.243.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.096/0.100/0.103/0.000 ms
root@be8ce070f509:/# ip addr 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
80: eth0@if81: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:f4:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.244.4/24 brd 192.168.244.255 scope global eth0
       valid_lft forever preferred_lft forever

I found that since version 29 it uses nftables.

I don't even understand where to put the nftables table information. I'm going to check another ticket :confused:

In version 28, there is more security :confused:

But it is missing a piece of information about what doesn't work between two bridges:

iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT

I never needed to manipulate Docker networks, so I don't think I will be very useful here, but if you want to find what exactly changed, you could try using different Docker versions and see which version breaks the behaviour you knew. Then we can either check the release notes or the source code of Moby.

I also possibly misunderstood your original post. When I read it again, I still think you want two containers in two different networks communicating with each other, but you wrote "machines", not "containers".

But if I understand your first two iptables rules, you allowed only ICMP packets for pinging. Is that all you need?
And is there a reason why you don't want a common network for the two containers? Even if I can't help much with iptables, we could have some ideas for alternative solutions for your original goal.

Hello,
I finally pinpointed the exact version where the problem occurs.

With version 28.1.1 (docker-ce-cli_28.1.1-1~ubuntu.24.04~noble_amd64.deb), my ping goes through my host without any issues.
Since version 28.2.0 (docker-ce_28.2.0-1~ubuntu.24.04~noble_amd64.deb), my ping no longer works.

Now we just need to figure out why—maybe a CNI issue?

OK

In my Docker Compose file, I added some options, including setting ICC to false.
Now I just need to figure out how it actually works, because with the configuration below I can't access the internet anymore. If anyone has an idea for adding the exit? :slight_smile:

networks:
  software_network:
    name: software_network
    driver: bridge
    driver_opts:
      com.docker.network.bridge.default_bridge: "true"
      com.docker.network.bridge.enable_icc: "false"
      com.docker.network.bridge.enable_ip_masquerade: "true"
      com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
      com.docker.network.driver.mtu: "1500"
    ipam:
      driver: default
      config:
        - subnet: 192.168.244.0/24


So you could check this:

Or maybe you have already done that, but the release notes mention many network-related changes like

  • Add bridge network option "com.docker.network.bridge.trusted_host_interfaces", accepting a colon-separated list of interface names. These interfaces have direct access to published ports on container IP addresses. moby/moby#49832
  • Add daemon option "allow-direct-routing" to disable filtering of packets from outside the host addressed directly to containers. moby/moby#49832

I did not really try to understand the diff, so it could be irrelevant.

Do you think it is related? What did you try to solve with that config?
Wrong MTU can cause problems, but wrong subnets as well. I wouldn't think of icc unless in combination with something else, but I assume you also tried enabling and disabling it. What was the config that still worked and what didn't?
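The following is an added example, not part of the thread. It takes the software_network definition posted above and builds a constructed "after" version with two extra driver options: com.docker.network.bridge.name pins each network's bridge to a predictable interface name (the br-d1199c107174 style names in the dumps are generated per network, so a compose file cannot reliably refer to them), and com.docker.network.bridge.trusted_host_interfaces, the option quoted from the 28.2.0 release notes above, names the other network's bridge so that traffic arriving from it is exempt from the direct-access filtering that note describes. The second network (machines_network, 192.168.243.0/26, bridge br-machines) is assumed, since the thread never shows its definition; enable_icc and default_bridge are not carried over because enable_icc governs traffic between containers on the same bridge and this example stays on the cross-bridge path. The shell functions extract a driver option from such a file so a compose project can be checked before it is deployed.

```shell
#!/bin/sh
# Added example (not from the thread): a constructed compose "before"/"after"
# for the cross-bridge case, plus helpers that read driver_opts back out of a
# compose file (2-space indentation, values quoted, as in the thread).

# The definition posted in the thread, re-indented (the "before").
COMPOSE_ORIG='networks:
  software_network:
    name: software_network
    driver: bridge
    driver_opts:
      com.docker.network.bridge.default_bridge: "true"
      com.docker.network.bridge.enable_icc: "false"
      com.docker.network.bridge.enable_ip_masquerade: "true"
      com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
      com.docker.network.driver.mtu: "1500"
    ipam:
      driver: default
      config:
        - subnet: 192.168.244.0/24'

# The "after": stable bridge names, each network trusting the other bridge.
# machines_network and the br-* names are assumptions, not from the thread.
# Bridge names must fit the kernel's 15-character interface name limit.
COMPOSE_FIXED='networks:
  software_network:
    name: software_network
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: "br-software"
      com.docker.network.bridge.trusted_host_interfaces: "br-machines"
      com.docker.network.bridge.enable_ip_masquerade: "true"
      com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
      com.docker.network.driver.mtu: "1500"
    ipam:
      driver: default
      config:
        - subnet: 192.168.244.0/24
  machines_network:
    name: machines_network
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: "br-machines"
      com.docker.network.bridge.trusted_host_interfaces: "br-software"
    ipam:
      driver: default
      config:
        - subnet: 192.168.243.0/26'

# Print the value of one driver_opts key for one network; compose file on stdin.
driver_opt() {   # usage: driver_opt <network> <option-key> < compose.yaml
    awk -v want_net="$1" -v want_key="$2" '
        /^networks:/                       { in_networks = 1; next }
        in_networks && /^  [^ ]/           { net = $1; sub(/:$/, "", net); in_opts = 0; next }
        in_networks && /^    driver_opts:/ { in_opts = 1; next }
        in_networks && /^    [^ ]/         { in_opts = 0 }
        in_opts && net == want_net && /^      [^ ]/ {
            key = $1; sub(/:$/, "", key)
            if (key == want_key) {
                val = $0; sub(/^[^:]*:[ \t]*/, "", val); gsub(/"/, "", val)
                print val; exit
            }
        }'
}

# Exit 0 if <network> lists <iface> in its colon-separated trusted interfaces.
trusts_iface() {   # usage: trusts_iface <network> <iface> < compose.yaml
    driver_opt "$1" com.docker.network.bridge.trusted_host_interfaces |
        tr ':' '\n' | grep -qx "$2"
}

# Check a real project before "docker compose up":
#   trusts_iface software_network br-machines < compose.yaml \
#       && echo "software_network accepts direct traffic from br-machines"
```

Trusting the other bridge is narrower than the daemon-wide alternative from the same release note, allow-direct-routing, which switches the filtering off for every network on the host; with the per-network option, the DOCKER-USER rules in the thread still decide which protocols and ports cross between the two subnets, only the raw-table drop on the container address no longer gets in the way.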
