Anteru's blog
  • Consulting
  • Research
    • Assisted environment probe placement
    • Assisted texture assignment
    • Edge-Friend: Fast and Deterministic Catmull-Clark Subdivision Surfaces
    • Error Metrics for Smart Image Refinement
    • High-Quality Shadows for Streaming Terrain Rendering
    • Hybrid Sample-based Surface Rendering
    • Interactive rendering of Giga-Particle Fluid Simulations
    • Quantitative Analysis of Voxel Raytracing Acceleration Structures
    • Real-time Hybrid Hair Rendering
    • Real-Time Procedural Generation with GPU Work Graphs
    • Scalable rendering for very large meshes
    • Spatiotemporal Variance-Guided Filtering for Motion Blur
    • Subpixel Reconstruction Antialiasing
    • Tiled light trees
    • Towards Practical Meshlet Compression
  • About
  • Archive

Docker, KVM and iptables

September 09, 2017
  • Server
approximately 2 minutes to read

A quick blog post as I’ve been recently setting up a server with KVM and docker. If you’re using a bridge interface to have your VMs talk to your network, you might notice that after a docker installation, your VMs have suddenly no connection. So what is going on?

It turns out, docker adds a bunch of iptables rules by default which prevent communication. These will interfere with an already existing bridge, and suddenly your VMs will report no network. There are two ways to solve it:

  • Add a new rule for your bridge.
  • Stop docker from adding iptables rules.

I’m assuming Ubuntu 17.04 for the commands below; they should be similar on any Debian based system.

Solution 1: Add a new rule

In my case, my bridge is called br0. docker changes the default for FORWARD from accept to drop, and adds a few exceptions for itself. Adding a new forward rule for br0 will allow your bridge (and the devices) behind it to get back into your network and not get dropped:

iptables -A FORWARD -i br0 -o br0 -j ACCEPT

Unfortunately, this won’t be persistent – you’ll need the iptables-persistent package on Linux to make it persistent, plus some extra setup. It’s good for a quick test though! (Source)

Solution 2: Stop docker

In my case, the server is not on the public internet, and I’ve got no need for the extra security. It turns out that the docker service adds the rules on startup, unless --iptables=false is used. This can be either added to the default docker configuration, or, slightly cleaner in my opinion, to the daemon.json configuration file (see the documentation for all options). Create a file /etc/docker/daemon.json with the following contents:

{
    "iptables" : false
}

That’ll stop docker from adding new rules, and everything will work as it did before.

Previous post
Next post

Recent posts

  • Data formats: Why CSV and JSON aren't the best
    Posted on 2024-12-29
  • Replacing cron with systemd-timers
    Posted on 2024-04-21
  • Open Source Maintenance
    Posted on 2024-04-02
  • Angular, Caddy, Gunicorn and Django
    Posted on 2023-10-21
  • Effective meetings
    Posted on 2022-09-12
  • Older posts

Find me on the web

  • GitHub
  • GPU database
  • Projects

Follow me

Anteru NIV_Anteru
Contents © 2005-2025
Anteru
Imprint/Impressum
Privacy policy/Datenschutz
Made with Liara
Last updated February 19, 2019