Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
firewall-cmd --reload on centos 7.4.1708 removes the DOCKER-USER iptables chain #35043
firewall-cmd --reload on centos 7.4.1708 removes the DOCKER-USER iptables chain.
Steps to reproduce the issue:
Describe the results you received:
DOCKER-USER chain has disappeared.
Describe the results you expected:
DOCKER-USER chain shouldn't have disappeared.
Additional information you deem important (e.g. issue happens only occasionally):
I entered this bug report to CentOS bug tracker at https://bugs.centos.org/view.php?id=13879
Additional environment details (AWS, VirtualBox, physical, etc.):
Yes this happens to me too on
it would be very nice if there would be a
I also have been hunt this down for a while and here is what seems to be working for me:
TLDR first; If you add the DOCKER-USER chain to firewalld so that it is present in iptables before docker starts then you should be able to apply rules.
Longer story; Firewalld and Docker both use iptables to route traffic. Firewalld always flushes iptables rules and only reinstates rules that have been configured with firewalld. Docker, when it starts, adds a number of chains to the iptables that can possibly conflict with your rules. However, Docker does respect a special "DOCKER-USER" chain that you can configure to filter traffic. If the "DOCKER-USER" chain is not present when Docker starts, Docker will add it and allow all connections being passed to it. However, if the DOCKER-USER chain already exists, it will not do anything to it (except add an "ACCEPT ALL rule" to the END of the chain (which won't do anything if you configure the previous rules in the chain cover all traffic cases).
Here is a sequence of commands I have used over and over again to get my firewalld settings correct. My goal was to only allow traffic to http and https from a few ip addresses: