Tag Archives: #firewalld

Docker behind firewalld

Running Docker containers behind firewalld can be a routing nightmare. I had to use CentOS 7 Docker images on a customised CentOS 7 host, and the situation turned into an incompatibility fest pretty soon after I figured out the following:

  • the CentOS host came with no firewall, and systemctl listed dbus-org.fedoraproject.FirewallD1.service,
  • Dockerised CentOS containers have no systemd,
  • Docker’s internal routing isn’t exactly the shiniest piece of Docker documentation,
  • iptables-services and firewalld shouldn’t run simultaneously, and the use of iptables-services is strongly discouraged on new hats, in favour of the new interface, firewalld,
  • Docker’s daemon uses its own interface to write to Netfilter, which is clearly visible when you inspect the rules with “iptables -L”,
  • Docker (apparently) creates random RFC1918 addresses for new containers,
  • Docker assigns two IPs to each container regardless of the third IP you might ask for on the command line during “docker run …”.

Fun, eh?

After a trillion attempts, here is the sanest and simplest solution I have come up with so far: Continue reading