Docker Community Forums

Share and learn in the Docker community.

When I enable firewalld.service, container cannot ping another container on different host


(Samfisher1) #1

I’m using flannel network on 2 CentOS7 hosts, now I find a question.
When I disable firewalld.service, the container fbox1(172.30.29.2) on docker1 host can ping container fbox2(172.30.53.2) on docker2 host. It seems OK, but when I start firewalld.service, I found the fbox1 cannot ping fbox2.

plz help me modify the iptables policy, thx~~~~~

[root@docker1 ~]# ip r
default via 192.168.205.2 dev eno16777736 proto static metric 102
169.254.0.0/16 dev ens37 proto kernel scope link src 169.254.134.39 metric 101
172.18.0.0/16 dev docker_gwbridge proto kernel scope link src 172.18.0.1
172.30.0.0/16 dev flannel.1
172.30.29.0/24 dev docker0 proto kernel scope link src 172.30.29.1
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
192.168.205.0/24 dev eno16777736 proto kernel scope link src 192.168.205.135 metric 102
224.0.0.0/4 dev ens37 proto static scope link metric 101

[root@docker2 ~]# ip r
default via 192.168.0.1 dev ens37 proto dhcp metric 103
default via 192.168.205.2 dev eno16777736 proto static metric 104
172.18.0.0/16 dev docker_gwbridge proto kernel scope link src 172.18.0.1
172.30.0.0/16 dev flannel.1
172.30.53.0/24 dev docker0 proto kernel scope link src 172.30.53.1
192.168.0.0/24 dev ens37 proto kernel scope link src 192.168.0.103 metric 103
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
192.168.205.0/24 dev eno16777736 proto kernel scope link src 192.168.205.136 metric 104

when I stop firewalld.service, the container fbox1 can ping fbox2:

[root@docker1 ~]# docker exec fbox1 ping 172.30.53.2
PING 172.30.53.2 (172.30.53.2): 56 data bytes
64 bytes from 172.30.53.2: seq=0 ttl=62 time=0.586 ms
64 bytes from 172.30.53.2: seq=1 ttl=62 time=0.935 ms

but when I start firewalld.service, it cann’t ping fbox2:

[root@docker1 ~]# docker exec fbox1 ping -c 2 172.30.53.2
PING 172.30.53.2 (172.30.53.2): 56 data bytes
2 packets transmitted, 0 packets received, 100% packet loss

my iptables policy:

[root@docker1 ~]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp – anywhere anywhere udp dpt:domain
ACCEPT tcp – anywhere anywhere tcp dpt:domain
ACCEPT udp – anywhere anywhere udp dpt:bootps
ACCEPT tcp – anywhere anywhere tcp dpt:bootps
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all – anywhere anywhere
INPUT_direct all – anywhere anywhere
INPUT_ZONES_SOURCE all – anywhere anywhere
INPUT_ZONES all – anywhere anywhere
DROP all – anywhere anywhere ctstate INVALID
REJECT all – anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all – anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all – 192.168.122.0/24 anywhere
ACCEPT all – anywhere anywhere
REJECT all – anywhere anywhere reject-with icmp-port-unreachable
REJECT all – anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all – anywhere anywhere
FORWARD_direct all – anywhere anywhere
FORWARD_IN_ZONES_SOURCE all – anywhere anywhere
FORWARD_IN_ZONES all – anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all – anywhere anywhere
FORWARD_OUT_ZONES all – anywhere anywhere
DROP all – anywhere anywhere ctstate INVALID
REJECT all – anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp – anywhere anywhere udp dpt:bootpc
OUTPUT_direct all – anywhere anywhere

Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all – anywhere anywhere [goto]
FWDI_public all – anywhere anywhere [goto]
FWDI_public all – anywhere anywhere [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all – anywhere anywhere [goto]
FWDO_public all – anywhere anywhere [goto]
FWDO_public all – anywhere anywhere [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_direct (1 references)
target prot opt source destination

Chain FWDI_public (3 references)
target prot opt source destination
FWDI_public_log all – anywhere anywhere
FWDI_public_deny all – anywhere anywhere
FWDI_public_allow all – anywhere anywhere
ACCEPT icmp – anywhere anywhere

Chain FWDI_public_allow (1 references)
target prot opt source destination

Chain FWDI_public_deny (1 references)
target prot opt source destination

Chain FWDI_public_log (1 references)
target prot opt source destination

Chain FWDO_public (3 references)
target prot opt source destination
FWDO_public_log all – anywhere anywhere
FWDO_public_deny all – anywhere anywhere
FWDO_public_allow all – anywhere anywhere

Chain FWDO_public_allow (1 references)
target prot opt source destination

Chain FWDO_public_deny (1 references)
target prot opt source destination

Chain FWDO_public_log (1 references)
target prot opt source destination

Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all – anywhere anywhere [goto]
IN_public all – anywhere anywhere [goto]
IN_public all – anywhere anywhere [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain INPUT_direct (1 references)
target prot opt source destination

Chain IN_public (3 references)
target prot opt source destination
IN_public_log all – anywhere anywhere
IN_public_deny all – anywhere anywhere
IN_public_allow all – anywhere anywhere
ACCEPT icmp – anywhere anywhere

Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp – anywhere anywhere tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target prot opt source destination

Chain IN_public_log (1 references)
target prot opt source destination

Chain OUTPUT_direct (1 references)
target prot opt source destination

[root@docker1 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all – anywhere anywhere
PREROUTING_ZONES_SOURCE all – anywhere anywhere
PREROUTING_ZONES all – anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all – anywhere anywhere

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all – 192.168.122.0/24 base-address.mcast.net/24
RETURN all – 192.168.122.0/24 255.255.255.255
MASQUERADE tcp – 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp – 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all – 192.168.122.0/24 !192.168.122.0/24
POSTROUTING_direct all – anywhere anywhere
POSTROUTING_ZONES_SOURCE all – anywhere anywhere
POSTROUTING_ZONES all – anywhere anywhere

Chain OUTPUT_direct (1 references)
target prot opt source destination

Chain POSTROUTING_ZONES (1 references)
target prot opt source destination
POST_public all – anywhere anywhere [goto]
POST_public all – anywhere anywhere [goto]
POST_public all – anywhere anywhere [goto]

Chain POSTROUTING_ZONES_SOURCE (1 references)
target prot opt source destination

Chain POSTROUTING_direct (1 references)
target prot opt source destination

Chain POST_public (3 references)
target prot opt source destination
POST_public_log all – anywhere anywhere
POST_public_deny all – anywhere anywhere
POST_public_allow all – anywhere anywhere

Chain POST_public_allow (1 references)
target prot opt source destination

Chain POST_public_deny (1 references)
target prot opt source destination

Chain POST_public_log (1 references)
target prot opt source destination

Chain PREROUTING_ZONES (1 references)
target prot opt source destination
PRE_public all – anywhere anywhere [goto]
PRE_public all – anywhere anywhere [goto]
PRE_public all – anywhere anywhere [goto]

Chain PREROUTING_ZONES_SOURCE (1 references)
target prot opt source destination

Chain PREROUTING_direct (1 references)
target prot opt source destination

Chain PRE_public (3 references)
target prot opt source destination
PRE_public_log all – anywhere anywhere
PRE_public_deny all – anywhere anywhere
PRE_public_allow all – anywhere anywhere

Chain PRE_public_allow (1 references)
target prot opt source destination

Chain PRE_public_deny (1 references)
target prot opt source destination

Chain PRE_public_log (1 references)
target prot opt source destination