Timeout when connect to forwarded port from another machine in the same LAN

[ccll]

Issue Description

I'm new to podman and trying to use it to replace docker.

I've started a simple HTTP server using podman on machine A, expose the port to "0.0.0.0:8080", and I can access the service fine from the localhost, with both 127.0.0.1 and 10.66.66.10 (the LAN IP of machine A).

But from machine B (10.66.66.8) and machine C (10.66.66.4), the access would stuck and timeout eventually.
B and C can ping A and SSH to A without problem.

There are no firewalls installed on both machines and in the LAN, the same setup works in docker, so I guess it's not a hardware problem.

Steps to reproduce the issue

Steps to reproduce the issue

1. (machine A) podman run --name echo -p 5678:5678 hashicorp/http-echo -text="hello world"
2. (machine A) curl localhost:5678 and curl 10.66.66.10:5678 prints hello, world
3. (machine B) curl 10.66.66.10:5678 and telnet 10.66.66.10 5678
4. (machine C) curl 10.66.66.10:5678 and telnet 10.66.66.10 5678

Describe the results you received

Connection to 10.66.66.10:5678 stuck and timeout from other machines.

Describe the results you expected

Should get response hello world.

podman info output

The podman binaries I used is from here:
https://github.com/mgoltzsche/podman-static

host:
  arch: amd64
  buildahVersion: 1.41.4
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/local/lib/podman/conmon
    version: 'conmon version 2.1.13, commit: 82de887596ed8ee6d9b2ee85e4f167f307bb569b'
  cpuUtilization:
    idlePercent: 98.69
    systemPercent: 0.68
    userPercent: 0.63
  cpus: 32
  databaseBackend: boltdb
  distribution:
    codename: jammy
    distribution: ubuntu
    version: "22.04"
  eventLogger: file
  freeLocks: 2045
  hostname: ml-1
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.15.0-130-generic
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 128785346560
  memTotal: 134925430784
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
      path: /usr/local/lib/podman/aardvark-dns
      version: aardvark-dns 1.16.0
    package: Unknown
    path: /usr/local/lib/podman/netavark
    version: netavark 1.16.1
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/local/bin/crun
    version: |-
      crun version 1.23.1
      commit: d20b23dba05e822b93b82f2f34fd5dada433e0c2
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/local/bin/pasta
    package: Unknown
    version: |
      pasta 2025_08_05.309eefd
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.0.1-2_amd64
    version: |-
      slirp4netns version 1.0.1
      commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
      libslirp: 4.6.1
  swapFree: 0
  swapTotal: 0
  uptime: 1h 31m 51.00s (Approximately 0.04 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 2
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.ignore_chown_errors: "true"
    overlay.mount_program:
      Executable: /usr/local/bin/fuse-overlayfs
      Package: Unknown
      Version: |-
        fuse-overlayfs: version 1.15
        fusermount3 version: 3.10.5
        FUSE library version 3.16.2
        using FUSE kernel interface version 7.38
    overlay.mountopt: nodev,fsync=0
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 1966736678912
  graphRootUsed: 1195891933184
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.6.1
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.25.1
  Os: linux
  OsArch: linux/amd64
  Version: 5.6.1

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

Yes

Additional environment details

Running on a bare-metal server.

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[Luap99]

Are you running podman as root? And do you have docker running at the same time? Docker messes with the firewall by default to block all other traffic. https://fedoraproject.org/wiki/Changes/NetavarkNftablesDefault#Known_Issue_with_docker

So please check your iptables/nftables rules on the system

[ccll]

@Luap99 Yes! Exactly! Thanks so much for the quick reply.

After removing docker entirely and make the iptables clean, the network works fine.
Closing as this is not a bug.