Fixing iptables on a KVM hypervisor after a Docker install
I run a number of KVM hypervisors that give their guests network access through a public bridge (br0). The guest domains firewall themselves individually, so I leave the hypervisors' iptables FORWARD chain at its default policy of ACCEPT.
This worked well until I installed Docker.
Docker flips the default policy of the FORWARD chain to DROP, cutting off network access for every KVM guest attached to the bridge. Bridged frames traverse the FORWARD chain whenever the br_netfilter module is loaded (net.bridge.bridge-nf-call-iptables=1), and with no rule matching guest traffic the new policy drops it.
Ouch.
Passing the --iptables=false flag to the Docker daemon stops Docker from touching iptables at all, but that also gives up the NAT and port-publishing rules Docker normally manages for its containers, which is inconvenient.
To let Docker have its way while returning unfettered access to our KVM guests on br0, insert a rule at the head of the FORWARD chain that accepts everything entering and leaving on the bridge, ahead of Docker's own rules:
# iptables -I FORWARD -i br0 -o br0 -j ACCEPT
Remember to persist this rule, e.g. with iptables-save/iptables-restore, or it will be gone after the next reboot!
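A script that applies the rule idempotently and then checks the live ruleset from iptables-save output instead of trusting one command's exit status, as an added example that is not code from the original post. It assumes the guest bridge is br0 (the BRIDGE variable overrides it), root privileges for the functions that call iptables, and the standard iptables-save text format; the two sample rulesets embedded in it are constructed for the example, not captured from a real hypervisor.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the br0 fix
# idempotently and verify it by reading iptables-save output.
# Assumptions (not from the post): the guest bridge is br0 (override with
# BRIDGE=...), iptables-save prints standard ":FORWARD DROP [0:0]" policy
# lines, and fix_forwarding runs as root.
BRIDGE="${BRIDGE:-br0}"

# forward_policy <iptables-save text>: print the filter table's FORWARD policy.
forward_policy() {
    printf '%s\n' "$1" | awk '
        /^\*filter/ { f = 1 }
        /^COMMIT/   { f = 0 }
        f && /^:FORWARD / { print $2; exit }'
}

# has_bridge_accept <iptables-save text> <bridge>: exit 0 if the filter
# table's FORWARD chain holds "-i <bridge> -o <bridge> -j ACCEPT".
# Matching on the bridge name matters: Docker adds its own
# "-i docker0 -o docker0 -j ACCEPT", which must not count as ours,
# and a negated match ("! -o docker0") must not count either.
has_bridge_accept() {
    printf '%s\n' "$1" | awk -v b="$2" '
        /^\*filter/ { f = 1 }
        /^COMMIT/   { f = 0 }
        f && $1 == "-A" && $2 == "FORWARD" {
            in_ok = 0; out_ok = 0; acc = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-i" && $(i+1) == b && $(i-1) != "!") in_ok  = 1
                if ($i == "-o" && $(i+1) == b && $(i-1) != "!") out_ok = 1
                if ($i == "-j" && $(i+1) == "ACCEPT")           acc    = 1
            }
            if (in_ok && out_ok && acc) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# fix_forwarding: insert the ACCEPT rule at the head of FORWARD only if it is
# not already present (-C returns non-zero when the rule is absent), then read
# the live ruleset back and confirm the rule and report the current policy.
fix_forwarding() {
    iptables -C FORWARD -i "$BRIDGE" -o "$BRIDGE" -j ACCEPT 2>/dev/null ||
        iptables -I FORWARD -i "$BRIDGE" -o "$BRIDGE" -j ACCEPT
    live=$(iptables-save)
    if ! has_bridge_accept "$live" "$BRIDGE"; then
        echo "FORWARD still lacks the $BRIDGE accept rule" >&2
        return 1
    fi
    echo "FORWARD policy is $(forward_policy "$live"); $BRIDGE traffic is accepted ahead of it"
    # Persist in whatever your distro restores at boot. This path is the
    # Debian/Ubuntu iptables-persistent convention and is an assumption:
    # iptables-save > /etc/iptables/rules.v4
}

# Constructed iptables-save excerpts (not captured from a real host) showing
# the filter table after a Docker install, and after the fix has been applied.
SAMPLE_AFTER_DOCKER='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

SAMPLE_FIXED='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# Only touch the live firewall when explicitly asked: sh fix-forward.sh apply
if [ "${1:-}" = "apply" ]; then
    fix_forwarding
fi
```

Run it as root with `apply` to insert and verify the rule; without arguments it only defines the functions and the samples. Docker also documents a DOCKER-USER chain that its FORWARD rules jump to first, intended for administrator rules that must survive Docker rebuilding its own rules on restart; the same `-i br0 -o br0 -j ACCEPT` rule can be placed there instead of directly in FORWARD.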
#linux #docker #libvirt