Fixing iptables on a KVM hypervisor after a Docker install
I run a number of KVM hypervisors that provide network to guests using a public bridge (br0).
The guest domains individually firewall themselves, so I leave the hypervisors’ iptables FORWARD chain defaulted to ACCEPT.
This worked well until I installed Docker.
Docker flips the default policy on the FORWARD chain to DROP, thereby cutting off network access for all the KVM guests attached to the bridge.
Ouch.
Passing the --iptables=false flag to the Docker daemon prevents Docker from touching iptables, but that’s inconvenient.
To let Docker have its way while returning unfettered access to our KVM guests using br0:
#  iptables -I FORWARD -i br0 -o br0 -j ACCEPT
Remember to persist this rule using, e.g., iptables-save/iptables-restore!
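As an added example (not part of the original post), a small POSIX shell helper that reads the text of `iptables -S FORWARD`, decides whether Docker's DROP policy is cutting off the bridge, and applies the rule above only when it is missing so it is safe to re-run from cron or a boot script. The function names, the constructed sample rule listing and the save path are this example's own assumptions.

```shell
#!/bin/sh
# Assumed names: BRIDGE, RULES_FILE and the functions below are this example's.
BRIDGE="${BRIDGE:-br0}"
# Debian/Ubuntu iptables-persistent location; adjust for your distro.
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# Read `iptables -S` output on stdin, print the FORWARD chain's default policy.
forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3 }'
}

# Succeed if a bridge-to-bridge ACCEPT rule is already in the rules on stdin.
# (`iptables -I` inserts at the head, but `-S` still lists it as an -A line.)
has_bridge_rule() {
    grep -q -- "^-A FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT\$"
}

# Given the rule listing as $1, print either an "ok: ..." verdict or the
# exact command needed to restore guest traffic across the bridge.
plan_fix() {
    rules="$1"
    if printf '%s\n' "$rules" | has_bridge_rule; then
        echo "ok: bridge rule present"
    elif [ "$(printf '%s\n' "$rules" | forward_policy)" = "DROP" ]; then
        # Inserted at position 1, so it runs before Docker's own FORWARD jumps.
        echo "iptables -I FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT"
    else
        echo "ok: FORWARD policy is not DROP"
    fi
}

# On a real hypervisor (needs root): apply the plan and persist the ruleset.
ensure_bridge_forward() {
    cmd=$(plan_fix "$(iptables -S FORWARD)")
    case "$cmd" in
        ok:*) echo "$cmd" ;;
        *)    $cmd && iptables-save > "$RULES_FILE" ;;
    esac
}

# Constructed sample: what `iptables -S FORWARD` typically looks like on a host
# right after Docker has started, before any bridge rule has been added.
SAMPLE_AFTER_DOCKER='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'
```

Running `plan_fix "$(iptables -S FORWARD)"` first is a harmless dry run that shows what `ensure_bridge_forward` would do.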
#linux #docker #libvirt