With INPUT set to DROP in both iptables and ip6tables, IPv4 curl works but IPv6 curl doesn’t

Hi all,

When I access my site using curl -4 www.xxx, it works even though the INPUT chain in iptables is set to DROP.
However, when I set the INPUT chain in ip6tables to DROP, curl -6 www.xxx no longer works.
Both iptables and ip6tables have identical configurations. Could someone help me understand why IPv4 traffic is allowed while IPv6 traffic is blocked under these conditions?

(However, when I set the INPUT chain in ip6tables to ACCEPT, curl -6 works, but this is not the desired behavior.)

Thank you in advance for your help!

When you publish a port of a Docker container, usually Docker will set firewall rules for it to work. Have you done both of your firewall changes before or during container run?

I recommend reading the following part of the documentation

It also contains what chains you can change

Thanks for your reply!

The first time, I had indeed applied the firewall rules while the container was already running.

To test your suggestion, I did the following:

1. Stopped all containers
2. Removed the associated Docker network
3. Restarted the container from scratch
4. Then, I set the ip6tables INPUT policy to DROP

Unfortunately, I still get the same result with IPv6:

```
curl -6 https://www.xxx

curl: (35) Recv failure: Connection was reset
```

Meanwhile, IPv4 continues to work fine under the same conditions (iptables INPUT policy set to DROP).

So it seems that Docker does not automatically add ip6tables rules like it does for iptables, even after a clean container/network start.

Any idea why this is happening or how to fix it properly for IPv6?

Thanks again!

(post deleted by author)

Use 3 backticks before and after code/config/log (or select and press </>) to make it more readable.

I tried to fix your code formatting, but line breaks are missing so I did not start to figure out where line breaks should be one by one.


Please, format your post according to the following guide: How to format your forum posts
In short: please, use </> button to share codes, terminal outputs, error messages or anything that can contain special characters which would be interpreted by the MarkDown filter. Use the preview feature to make sure your text is formatted as you would expect it and check your post after you have sent it so you can still fix it.

Example code block:

```
echo "I am a code."
echo "An athletic one, and I wanna run."
```

After fixing your post, please send a new comment so people are notified about the fixed content.



Oh, sorry! Here’s the message properly formatted:

IPV4

```
Chain INPUT (policy DROP 17524 packets, 1110K bytes)
 pkts bytes target     prot opt in     out     source               destination
21045 1386K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports 61100
 159K   17M ACCEPT     all  --  lo     any     anywhere             anywhere
 226K  228M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   99  5596 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:61100

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
67249   68M DOCKER-USER  all  --  any    any     anywhere             anywhere
67249   68M DOCKER-FORWARD  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 418K packets, 70M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
  190 11352 ACCEPT     tcp  --  !docker_gwbridge docker_gwbridge  anywhere             172.19.0.3           tcp dpt:https
   50  2960 ACCEPT     tcp  --  !docker_gwbridge docker_gwbridge  anywhere             172.19.0.3           tcp dpt:http
    0     0 DROP       all  --  !docker_gwbridge docker_gwbridge  anywhere             anywhere
    0     0 DROP       all  --  !docker0 docker0  anywhere             anywhere

Chain DOCKER-BRIDGE (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1745  102K DOCKER     all  --  any    docker_gwbridge  anywhere             anywhere
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere

Chain DOCKER-CT (1 references)
 pkts bytes target     prot opt in     out     source               destination
30878 5967K ACCEPT     all  --  any    docker_gwbridge  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
67249   68M DOCKER-CT  all  --  any    any     anywhere             anywhere
36371   62M DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
36371   62M DOCKER-BRIDGE  all  --  any    any     anywhere             anywhere
    0     0 DROP       all  --  docker_gwbridge docker_gwbridge  anywhere             anywhere
34626   62M ACCEPT     all  --  docker_gwbridge !docker_gwbridge  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 any     anywhere             anywhere

Chain DOCKER-INGRESS (0 references)
 pkts bytes target     prot opt in     out     source               destination
 2049 7713K RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
34626   62M DOCKER-ISOLATION-STAGE-2  all  --  docker_gwbridge !docker_gwbridge  anywhere             anywhere
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    docker0  anywhere             anywhere
    0     0 DROP       all  --  any    docker_gwbridge  anywhere             anywhere

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
20999 1383K RETURN     all  --  any    any     anywhere             anywhere
```

IPV6

```
Chain INPUT (policy DROP 3730 packets, 269K bytes)
 pkts bytes target     prot opt in     out     source               destination
   71  182K ACCEPT     all  --  lo     any     anywhere             anywhere
 113K 1687M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:61100

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  all  --  any    any     anywhere             anywhere
    0     0 DOCKER-FORWARD  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 127K packets, 246M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  !docker0 docker0  anywhere             anywhere

Chain DOCKER-BRIDGE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere

Chain DOCKER-CT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-CT  all  --  any    any     anywhere             anywhere
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 DOCKER-BRIDGE  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 any     anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    docker0  anywhere             anywhere

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
```
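The two listings above already contain the answer to the question in the thread, and the following script makes it mechanical. It is an added example for this page, not code from Docker or from any of the posters. In the IPv4 table the DOCKER chain (reached from FORWARD) has ACCEPT rules for `dpt:https` and `dpt:http` towards the container address 172.19.0.3, so a published-port connection is DNAT'd and decided there and never reaches INPUT, which is why the INPUT policy DROP does not matter for `curl -4`. In the IPv6 table the DOCKER chain holds only a DROP and no per-port ACCEPT, so nothing is forwarded to a container over IPv6; an IPv6 connection to the host port is then decided by INPUT, whose policy is DROP. The script parses `iptables -L -v` / `ip6tables -L -v` style output, classifies a port in each family, and reports the asymmetry. The sample listings are trimmed copies of the ones posted above; `parse_listing`, `explain_port` and `compare_families` are names chosen for this example.

```python
"""Explain how a TCP port on the host is treated by the IPv4 and IPv6 filter
tables, from `iptables -L -v` / `ip6tables -L -v` style listings.
Added example for this thread (not Docker's or the posters' code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    target: str
    proto: str
    in_if: str
    out_if: str
    dst: str
    extra: str  # text after the nine fixed columns: "tcp dpt:https", "ctstate ..."


@dataclass
class Chain:
    policy: Optional[str]  # built-in chains carry a policy, user chains do not
    rules: List[Rule] = field(default_factory=list)


def parse_listing(text: str) -> Dict[str, Chain]:
    """Parse `-L -v` output into {chain name: Chain}."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "pkts":      # blank line or column header
            continue
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            current = Chain(policy=m.group(2))
            chains[m.group(1)] = current
            continue
        if current is None or len(parts) < 9:   # not a rule line
            continue
        _pkts, _bytes, target, proto, _opt, in_if, out_if, _src, dst = parts[:9]
        current.rules.append(Rule(target, proto, in_if, out_if, dst, " ".join(parts[9:])))
    return chains


def _accepts_port(rules: List[Rule], port: str) -> bool:
    """True if some ACCEPT rule in `rules` matches `dpt:<port>` (port as printed by -L)."""
    return any(r.target == "ACCEPT" and f"dpt:{port}" in r.extra.split() for r in rules)


def explain_port(chains: Dict[str, Chain], port: str) -> str:
    """Classify a new inbound TCP connection to `port` on the host.

    A port published by Docker is DNAT'd to the container and decided in the
    DOCKER chain (reached from FORWARD), so INPUT never sees it. Anything not
    forwarded is decided in INPUT, by an explicit ACCEPT or by the policy.
    """
    if _accepts_port(chains.get("DOCKER", Chain(None)).rules, port):
        return "forwarded-to-container"
    inp = chains.get("INPUT", Chain(None))
    if _accepts_port(inp.rules, port):
        return "accepted-by-INPUT"
    return f"falls-to-INPUT-policy-{inp.policy}"


def compare_families(v4_text: str, v6_text: str, ports: List[str]) -> Dict[str, Tuple[str, str]]:
    """Return {port: (IPv4 verdict, IPv6 verdict)} so asymmetries stand out."""
    v4, v6 = parse_listing(v4_text), parse_listing(v6_text)
    return {p: (explain_port(v4, p), explain_port(v6, p)) for p in ports}


# Constructed sample input: trimmed excerpts of the listings posted in the thread.
IPV4_LISTING = """\
Chain INPUT (policy DROP 17524 packets, 1110K bytes)
 pkts bytes target     prot opt in     out     source               destination
 159K   17M ACCEPT     all  --  lo     any     anywhere             anywhere
 226K  228M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   99  5596 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:61100

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
  190 11352 ACCEPT     tcp  --  !docker_gwbridge docker_gwbridge  anywhere             172.19.0.3           tcp dpt:https
   50  2960 ACCEPT     tcp  --  !docker_gwbridge docker_gwbridge  anywhere             172.19.0.3           tcp dpt:http
    0     0 DROP       all  --  !docker_gwbridge docker_gwbridge  anywhere             anywhere
"""

IPV6_LISTING = """\
Chain INPUT (policy DROP 3730 packets, 269K bytes)
 pkts bytes target     prot opt in     out     source               destination
   71  182K ACCEPT     all  --  lo     any     anywhere             anywhere
 113K 1687M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:61100

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  !docker0 docker0  anywhere             anywhere
"""

if __name__ == "__main__":
    for port, (v4, v6) in compare_families(IPV4_LISTING, IPV6_LISTING, ["http", "https", "61100"]).items():
        print(f"{port:>6}: IPv4={v4}  IPv6={v6}")
```

Ports are matched as the listing prints them: without `-n` that is the service name (`https`), with `-n` the number (`443`). Docker only installs per-port ACCEPT rules in the IPv6 DOCKER chain when the container's network actually has IPv6 addressing and the daemon is managing ip6tables; without that, the IPv6 listener for a published port is served on the host side and is subject to INPUT, which is the asymmetry this report shows.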