Docker Community Forums


Issue with web access inside Docker due to iptables on Ubuntu

Dear everyone,

I have a problem getting full REST web access and webhook calls running inside a Docker container.

I think I need to do some iptables adjustments on the Ubuntu v20 host.

The first problem was that “wget commands” ended in a timeout. With this adjustment on the host

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

I was able to get this running.

Is there a way to deactivate the iptables and get the full routing and forwarding running?

Thanks in advance

Docker also sets the policy for the FORWARD chain to DROP. If your Docker host also acts as a router, this will result in that router not forwarding any traffic anymore. If you want your system to continue functioning as a router, you can add explicit ACCEPT rules to the DOCKER-USER chain to allow it:

$ iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT

Prevent Docker from manipulating iptables
It is possible to set the iptables key to false in the Docker engine’s configuration file at /etc/docker/daemon.json, but this option is not appropriate for most users. It is not possible to completely prevent Docker from creating iptables rules, and creating them after-the-fact is extremely involved and beyond the scope of these instructions. Setting iptables to false will more than likely break container networking for the Docker engine.

For system integrators who wish to build the Docker runtime into other applications, explore the moby project.

Setting the default bind address for containers
By default, the Docker daemon will expose ports on the address, i.e. any address on the host. If you want to change that behavior to only expose ports on an internal IP address, you can use the --ip option to specify a different IP address. However, setting --ip only changes the default, it does not restrict services to that IP.


Thanks a lot for your answer.

To be more concrete:
I have a problem with HTTP requests, e.g. wget, in a Docker container.
The command hangs.

If I execute this command
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
everything works fine inside the Docker container.
But I cannot make this persistent across a host reboot, not even with iptables-persistent.
I always need to enter the command manually.

I think there must be a correct solution for that problem?!

Thanks for your help.
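As an added example (not code from the thread or from Docker), the script below puts the MSS clamp rule from the posts above into the DOCKER-USER chain that the quoted documentation reserves for user rules, and adds it only once so it can run from a boot-time unit after docker.service without duplicating rules. It assumes it runs as root, that iptables supports the -C (check) option, and that Docker leaves the rules of an already-existing DOCKER-USER chain in place when it starts; the IPTABLES variable and the "apply" argument are conveniences of this example, not Docker features.

```shell
#!/bin/sh
# Added example: keep the TCPMSS clamp in DOCKER-USER, idempotently.
# DOCKER-USER is jumped to from FORWARD before Docker's own rules, so the
# clamp is evaluated before any ACCEPT that Docker installs for containers.
set -eu

# Command used to talk to the kernel; overridable so the logic can be
# exercised without root (e.g. IPTABLES=echo for a dry run).
IPTABLES="${IPTABLES:-iptables}"

# Match and target of the rule, shared by check and insert so the two
# can never drift apart. Word splitting of the result is intended.
clamp_rule_spec() {
    echo "-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Exit 0 if the rule is already in DOCKER-USER, non-zero otherwise.
clamp_rule_present() {
    "$IPTABLES" -C DOCKER-USER $(clamp_rule_spec) 2>/dev/null
}

# Create DOCKER-USER if it does not exist yet (the script may run before
# Docker on this boot), then insert the clamp at position 1 if missing.
# Prints "added" or "present" so a caller can log what happened.
ensure_clamp_rule() {
    "$IPTABLES" -N DOCKER-USER 2>/dev/null || true
    if clamp_rule_present; then
        echo present
    else
        "$IPTABLES" -I DOCKER-USER 1 $(clamp_rule_spec)
        echo added
    fi
}

# Apply only when invoked as "sh thisscript.sh apply"; otherwise just
# define the functions so the file can be sourced by other scripts.
if [ "${1:-}" = apply ]; then
    ensure_clamp_rule
fi
```

Verify afterwards with `iptables -L DOCKER-USER -n --line-numbers`: the TCPMSS rule should be line 1, ahead of Docker's RETURN.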