RESOLVED
See the Arch Linux Wiki.
I believe I needed to enable network packet forwarding in systemd-networkd.
I installed Docker but VMs cannot talk to the network. I’d appreciate any help!
OS: Arch Linux
» docker --version
Docker version 29.3.0, build 5927d80c76
» docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
2bb3cc88d35b   bridge    bridge    local
6b1cc2cae677   host      host      local
104a1c1597df   none      null      local
» docker run --network=2bb3cc88d35b alpine:latest wget 8.8.8.8
Connecting to 8.8.8.8 (8.8.8.8:80)
wget: can't connect to remote host (8.8.8.8): Host is unreachable
» ip addr show docker0
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 6e:71:76:80:73:1a brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
» ps faux | grep docker | grep -v $USER
root 2901215 0.1 0.4 2309948 75916 ? Ssl 10:02 0:00 \_ /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
docker info
Client:
 Version: 29.3.0
 Context: default
 Debug Mode: false
Server:
 Containers: 16
  Running: 0
  Paused: 0
  Stopped: 16
 Images: 12
 Server Version: 29.3.0
 Storage Driver: overlay2
  Backing Filesystem: f2fs
  Supports d_type: true
  Using metacopy: true
  Native Overlay Diff: false
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 301b2dac98f15c27117da5c8af12118a041a31d9.m
 runc version:
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.19.8-arch1-1
 Operating System: Arch Linux
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.5GiB
 Name: [...]
 ID: 4c5d60fb-7c6e-44c4-a1e6-faccfeb2e240
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: [...]
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false
 Firewall Backend: iptables
docker network inspect
» docker network inspect 2bb3cc88d35b
[
    {
        "Name": "bridge",
        "Id": "2bb3cc88d35b9af190b07435db0186b33820a608d7d7c7c64d48f3f41a901752",
        "Created": "2026-04-11T10:02:17.557550151-07:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv4": true,
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {},
        "Containers": {},
        "Status": {
            "IPAM": {
                "Subnets": {
                    "172.17.0.0/16": {
                        "IPsInUse": 3,
                        "DynamicIPsAvailable": 65533
                    }
                }
            }
        }
    }
]
iptables rules
» iptables-save
# Generated by iptables-save v1.8.11 on Sat Apr 11 10:12:16 2026
*raw
:PREROUTING ACCEPT [38073:40838008]
:OUTPUT ACCEPT [48320:43571638]
COMMIT
# Completed on Sat Apr 11 10:12:16 2026
# Generated by iptables-save v1.8.11 on Sat Apr 11 10:12:16 2026
*nat
:PREROUTING ACCEPT [505:99637]
:INPUT ACCEPT [505:99637]
:OUTPUT ACCEPT [3581:254156]
:POSTROUTING ACCEPT [3581:254156]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Sat Apr 11 10:12:16 2026
# Generated by iptables-save v1.8.11 on Sat Apr 11 10:12:16 2026
*filter
:INPUT ACCEPT [76218:76988626]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [96877:82486688]
:DOCKER - [0:0]
:DOCKER-BRIDGE - [0:0]
:DOCKER-CT - [0:0]
:DOCKER-FORWARD - [0:0]
:DOCKER-INTERNAL - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
-A DOCKER ! -i docker0 -o docker0 -j DROP
-A DOCKER-BRIDGE -o docker0 -j DOCKER
-A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-FORWARD -j DOCKER-CT
-A DOCKER-FORWARD -j DOCKER-INTERNAL
-A DOCKER-FORWARD -j DOCKER-BRIDGE
-A DOCKER-FORWARD -i docker0 -j ACCEPT
COMMIT
# Completed on Sat Apr 11 10:12:16 2026
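
A check for the kernel forwarding flags behind the resolution given at the top of the post, as an added example that is not part of the original post. The function name `forwarding_report`, the uplink interface name passed to it, and the optional third argument (an alternate sysctl root, used only to run the check against a constructed tree) are assumptions.

```shell
#!/bin/sh
# Added example: report the IPv4 forwarding sysctls a Docker bridge relies on.
# The iptables dump in the post already accepts traffic entering from docker0
# (DOCKER-FORWARD) and masquerades 172.17.0.0/16, so the remaining thing to
# verify is whether the kernel forwards packets between interfaces at all.
#
# The kernel checks the forwarding flag of the interface a packet arrives on,
# so container egress needs it on the bridge and replies need it on the uplink.

# forwarding_report BRIDGE UPLINK [SYSROOT]
#   Prints ON / OFF / MISSING for each relevant sysctl.
#   Returns 0 only when every one of them reads 1.
#   SYSROOT defaults to /proc/sys (hypothetical parameter for offline checks).
forwarding_report() {
    bridge=$1; uplink=$2; root=${3:-/proc/sys}
    rc=0
    for key in ip_forward conf/all/forwarding \
               "conf/$bridge/forwarding" "conf/$uplink/forwarding"; do
        file="$root/net/ipv4/$key"
        name="net.ipv4.$(printf '%s' "$key" | tr / .)"
        if [ ! -r "$file" ]; then
            # Interface does not exist (or the sysctl tree is unreadable).
            echo "MISSING $name"
            rc=1
        elif [ "$(cat "$file")" = 1 ]; then
            echo "ON $name"
        else
            echo "OFF $name"
            rc=1
        fi
    done
    return "$rc"
}

# Run against the live system only when both interface names are given,
# e.g.:  sh forwarding_report.sh docker0 eth0   (eth0 is a placeholder uplink)
if [ "$#" -ge 2 ]; then
    forwarding_report "$@"
fi
```

Any `OFF` line for the bridge or the uplink means routed container traffic is dropped before the FORWARD chain rules shown above are ever consulted.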