docker / kubernetes breaks Proxmox QEMU KVM Bridge VMs

Docker adds iptables rules that break a lot of things including MASQUERADE or anything that needs the FORWARD table.  If NAT is not working after Docker installation, it is probably because it set the iptables FORWARD policy to DROP.

This may also make you think that your br0 or bridge is not working, but it's likely just due to what we'll mention later on below, that, Docker probably set your FORWARD chain to default DROP all packets, so nothing on your bridge ever makes it out because of this policy (whereas the normal default is ACCEPT).

If you do an iptables -L you will notice even if you deleted all the Docker chains that the iptables FORWARD policy is enabled and is set to drop, this causes your VMs to not have networking, at least not outside the host machine.

Chain FORWARD (policy DROP)
target     prot opt source               destination         



Here is how to fix everything so Docker and NAT/VMs/bridged stuff can still work:

If your bridge interface is not br0 like below change it (eg. if it's vmbr0 then change it to that).

iptables -A FORWARD -p all -i br0 -j ACCEPT

or for blanket all

iptables --policy FORWARD ACCEPT

Now you'll see it has policy ACCEPT so the VM traffic will work:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

After this everything should now work, otherwise you have other unrelated iptables rules that are blocking or breaking the your network.


 

The below is not necessary unless you really hate Docker and want broken networking:

Delete the Docker chains

iptables  -X DOCKER-ISOLATION-STAGE-1

iptables -X DOCKER-ISOLATION-STAGE-2

iptables -X DOCKER

iptables -X DOCKER-USER

What Docker did to our machine with iptables:

root@nfs01:# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (0 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (0 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-2 (0 references)
target     prot opt source               destination         

Chain DOCKER-USER (0 references)
target     prot opt source               destination         

 

 

root@nfs01:# iptables  -X DOCKER
root@nfs01:# iptables  -X DOCKER-ISOLATION-STAGE-1
root@nfs01:# iptables -L^C
root@nfs01:# ping 192.168.11.240^C
root@nfs01:# iptables -X DOCKER-ISOLATION-STAGE-2
root@nfs01:# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER-USER (0 references)
target     prot opt source               destination         
root@nfs01:# iptables -X DOCKER-USER
root@nfs01:# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  


Tags:

docker, kubernetes, proxmox, qemu, kvm, vmsit, technologies, iptables, deleted, chains, enabled, vms, networking, prot, opt, destination, interface, br, eg, vmbr, delete, isolation, user, nfs, input, output, references, ping,

Latest Articles

  • How To Add Windows 7 8 10 11 to GRUB Boot List Dual Booting
  • How to configure OpenDKIM on Linux with Postfix and setup bind zonefile
  • Debian Ubuntu 10/11/12 Linux how to get tftpd-hpa server setup tutorial
  • efibootmgr: option requires an argument -- 'd' efibootmgr version 15 grub-install.real: error: efibootmgr failed to register the boot entry: Operation not permitted.
  • Apache Error Won't start SSL Cert Issue Solution Unable to configure verify locations for client authentication SSL Library Error: 151441510 error:0906D066:PEM routines:PEM_read_bio:bad end line SSL Library Error: 185090057 error:0B084009:x509 certif
  • Linux Debian Mint Ubuntu Bridge br0 gets random IP
  • redis requirements
  • How to kill a docker swarm
  • docker swarm silly issues
  • isc-dhcp-server dhcpd how to get longer lease
  • nvidia cannot resume from sleep Comm: nvidia-sleep.sh Tainted: Linux Ubuntu Mint Debian
  • zfs and LUKS how to recover in Linux
  • [error] (28)No space left on device: Cannot create SSLMutex Apache Solution Linux CentOS Ubuntu Debian Mint
  • Save money on bandwidth by disabling reflective rpc queries in Linux CentOS RHEL Ubuntu Debian
  • How to access a disk with bad superblock Linux Ubuntu Debian Redhat CentOS ext3 ext4
  • ImageMagick error convert solution - convert-im6.q16: cache resources exhausted
  • PTY allocation request failed on channel 0 solution
  • docker error not supported as upperdir failed to start daemon: error initializing graphdriver: driver not supported
  • Migrated Linux Ubuntu Mint not starting services due to broken /var/run and dbus - Failed to connect to bus: No such file or directory solution
  • qemu-system-x86_64: Initialization of device ide-hd failed: Failed to get