Home / server / Questions / 1005648
Accepted
KeepLearning
Asked: 2020-03-05 20:21:36 +0800 CST

Docker changes IPtables FORWARD policy to DROP

  • 772

I've got OpenVPN on Amazon Linux 2 EC2 instance and need to forward packets through it. It works until I start docker on the instance. Then the FORWARD policy turns to DROP and VPN stops working.

[root@ip-... ~]# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)                             <<< See it's ACCEPT
target     prot opt source               destination

Then I start docker and check again:

[root@ip-... ~]# systemctl start docker

[root@ip-... ~]# iptables -L
Chain FORWARD (policy DROP)                               <<<< Turned to DROP
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere

I tried to set the policy in /etc/sysconfig/iptables but that doesn't help.

This seems specific to Amazon Linux 2, I don't seem to have this problem on Ubuntu.

Any ideas?

iptables amazon-web-services amazon-linux

1 Answers

  1. Best Answer

    It's a known behaviour, documented here: Docker on a router

    The solution is to add an ACCEPT rule into DOCKER-USER chain:

    ~ # iptables -I DOCKER-USER -j ACCEPT

    To make this change permanent you can put it to /etc/sysconfig/iptables:

    *filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ACCEPT
COMMIT

    This will pre-create the ACCEPT rule and when docker starts and changes the FORWARD policy to DENY the packet forwarding will still work.

    Hope that helps :)

    • 5