docker / kubernetes breaks Proxmox QEMU KVM Bridge VMs

Docker adds iptables rules that break a lot of things including MASQUERADE or anything that needs the FORWARD table. If NAT is not working after Docker installation, it is probably because it set the iptables FORWARD policy to DROP.

This may also make you think that your br0 or bridge is not working, but it's likely just due to what we'll mention later on below, that, Docker probably set your FORWARD chain to default DROP all packets, so nothing on your bridge ever makes it out because of this policy (whereas the normal default is ACCEPT).

If you do an iptables -L you will notice even if you deleted all the Docker chains that the iptables FORWARD policy is enabled and is set to drop, this causes your VMs to not have networking, at least not outside the host machine.

`Chain FORWARD (policy DROP) target prot opt source destination`

Here is how to fix everything so Docker and NAT/VMs/bridged stuff can still work:

If your bridge interface is not br0 like below change it (eg. if it's vmbr0 then change it to that).

iptables -A FORWARD -p all -i br0 -j ACCEPT

or for blanket all

iptables --policy FORWARD ACCEPT

Now you'll see it has policy ACCEPT so the VM traffic will work:

Chain FORWARD (policy ACCEPT) target prot opt source destination
After this everything should now work, otherwise you have other unrelated iptables rules that are blocking or breaking the your network.

Remember you will need to put this in a startup script of some sort to ensure it is still fixed after a reboot.

Another option is to tell docker not to modify iptables

This is not preferable because then all networking must be handled manually and containers will not have internet etc...

Edit /etc/docker/daemon.json:

{

"iptables" : false }

The below is not necessary unless you really hate Docker and want broken networking:

Delete the Docker chains

iptables -X DOCKER-ISOLATION-STAGE-1

iptables -X DOCKER-ISOLATION-STAGE-2

iptables -X DOCKER

iptables -X DOCKER-USER

What Docker did to our machine with iptables:

root@nfs01:# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain DOCKER (0 references) target prot opt source destination Chain DOCKER-ISOLATION-STAGE-1 (0 references) target prot opt source destination Chain DOCKER-ISOLATION-STAGE-2 (0 references) target prot opt source destination Chain DOCKER-USER (0 references) target prot opt source destination

root@nfs01:# iptables -X DOCKER
root@nfs01:# iptables -X DOCKER-ISOLATION-STAGE-1
root@nfs01:# iptables -L^C
root@nfs01:# ping 192.168.11.240^C
root@nfs01:# iptables -X DOCKER-ISOLATION-STAGE-2
root@nfs01:# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER-USER (0 references)
target     prot opt source               destination
root@nfs01:# iptables -X DOCKER-USER
root@nfs01:# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination