paulgorman.org

Fixing iptables on a KVM hypervisor after a Docker install

I run a number of KVM hypervisors that provide networking to guests through a public bridge (br0). The guest domains firewall themselves individually, so I leave the hypervisors’ iptables FORWARD chain at its default policy of ACCEPT.

This worked well until I installed Docker. Docker flips the default policy on the FORWARD chain to DROP, thereby cutting off network access for all the KVM guests attached to the bridge. Ouch.

Passing the --iptables=false flag to the Docker daemon stops Docker from touching iptables at all, but then you are left managing Docker’s own NAT and port-publishing rules by hand, which is inconvenient. To let Docker have its way while restoring unfettered access for the KVM guests on br0, insert an explicit ACCEPT for traffic that both enters and leaves the bridge, ahead of everything else in the chain:

#  iptables -I FORWARD -i br0 -o br0 -j ACCEPT

Remember to persist this rule, e.g. with iptables-save/iptables-restore, so it survives a reboot!
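The one-liner above is fine typed once, but a boot hook or config-management run will stack a duplicate rule every time it fires. The following script is an added example, not part of the original post: it checks the FORWARD policy, uses iptables -C to test whether the bridge ACCEPT rule is already present, and inserts it only when missing. It assumes the bridge is named br0 and that the iptables binary is on PATH; both are assumptions and can be overridden with the BRIDGE and IPTABLES variables.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently restore forwarding
# for guests on a libvirt public bridge after Docker has set FORWARD to DROP.
# Assumptions: the bridge is called br0 and "iptables" is on PATH; both can be
# overridden through the BRIDGE and IPTABLES environment variables.

BRIDGE="${BRIDGE:-br0}"
IPTABLES="${IPTABLES:-iptables}"

# Current default policy of the FORWARD chain: prints "ACCEPT" or "DROP".
forward_policy() {
    "$IPTABLES" -S FORWARD | sed -n 's/^-P FORWARD //p'
}

# Exit status 0 if the intra-bridge ACCEPT rule is already in FORWARD.
bridge_rule_present() {
    "$IPTABLES" -C FORWARD -i "$1" -o "$1" -j ACCEPT 2>/dev/null
}

# Insert the rule at position 1 of FORWARD unless it is already there, so the
# script can be re-run (from a boot hook, say) without stacking duplicates.
ensure_bridge_forward() {
    br="${1:-$BRIDGE}"
    if bridge_rule_present "$br"; then
        echo "FORWARD already accepts $br -> $br traffic"
        return 0
    fi
    "$IPTABLES" -I FORWARD 1 -i "$br" -o "$br" -j ACCEPT &&
        echo "inserted: -I FORWARD 1 -i $br -o $br -j ACCEPT"
}

main() {
    echo "FORWARD policy: $(forward_policy)"
    ensure_bridge_forward "$BRIDGE"
    # Show the top of the chain. After a daemon restart Docker's own jumps may
    # sit above our rule again, but they only match Docker's own bridges.
    "$IPTABLES" -S FORWARD | head -n 5
}

# Only touch the firewall when explicitly asked:  sh fix-forward.sh apply
case "${1:-}" in
    apply) main ;;
esac
```

Run it as root with the `apply` argument after the Docker daemon has started, then persist the result with iptables-save as above. On Docker 17.06 and later the daemon also creates a DOCKER-USER chain that it jumps to first from FORWARD and never flushes; appending the same `-i br0 -o br0 -j ACCEPT` rule there instead of to FORWARD is the Docker-sanctioned place for such exceptions, and the script only needs the chain name changed to do that.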

#linux #docker #libvirt
