Docker adds iptables rules that break a lot of things, including MASQUERADE or anything that needs the FORWARD chain. If NAT stops working after installing Docker, it is probably because Docker set the iptables FORWARD policy to DROP.
This may also make you think that your br0 or other bridge is not working, but the likely cause is the same: Docker set the default policy of your FORWARD chain to DROP, so nothing on your bridge ever makes it out (the normal default is ACCEPT).
If you run iptables -L you will notice that, even if you deleted all the Docker chains, the FORWARD policy is still set to DROP. This leaves your VMs without networking, at least outside the host machine.
Chain FORWARD (policy DROP)
target prot opt source destination
If your bridge interface is not br0 as in the command below, change it (e.g. if it's vmbr0, use that).
iptables -A FORWARD -p all -i br0 -j ACCEPT
or, as a blanket rule that accepts all forwarded traffic:
iptables --policy FORWARD ACCEPT
Now you'll see it has policy ACCEPT so the VM traffic will work:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
After this everything should work; if it doesn't, you have other, unrelated iptables rules that are blocking or breaking your network.
Remember to put this in a startup script of some sort so that the fix survives a reboot.
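One way to write that startup script, as an added example that is not part of the original page: it applies the bridge-scoped rule only when the FORWARD policy is DROP and checks for an existing rule first, so repeated runs do not stack duplicates. The IPT and BRIDGE variables, the function names and the conntrack return rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent, bridge-scoped fix
# for a FORWARD chain that Docker has left at policy DROP.
IPT="${IPT:-iptables}"   # assumption: overridable so the logic can be dry-run
BRIDGE="${BRIDGE:-br0}"  # change to vmbr0 etc. to match your bridge

# Print the current FORWARD policy (ACCEPT or DROP).
# `iptables -S FORWARD` starts with a line such as "-P FORWARD DROP".
forward_policy() {
    "$IPT" -S FORWARD | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Append a rule only if an identical one is not already present (-C checks),
# so running this on every boot or Docker restart does not stack duplicates.
ensure_rule() {
    "$IPT" -C "$@" 2>/dev/null || "$IPT" -A "$@"
}

fix_bridge_forward() {
    # Nothing to do unless the policy is DROP.
    [ "$(forward_policy)" = "DROP" ] || return 0
    # Traffic entering from the bridge: the rule from the page
    # (-p all is the default, so it is omitted here).
    ensure_rule FORWARD -i "$BRIDGE" -j ACCEPT
    # Assumption (not on the page): replies to NATed VM traffic arrive on the
    # uplink and leave via the bridge, so allow only established flows back.
    ensure_rule FORWARD -o "$BRIDGE" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Run as root with the argument "apply" from your startup script.
if [ "${1:-}" = "apply" ]; then
    fix_bridge_forward
fi
```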
The other option is to stop Docker from managing iptables at all. This is not preferable because then all networking must be handled manually and containers will not have internet access, etc.
Edit /etc/docker/daemon.json:
{
"iptables" : false
}
Then delete the Docker chains:
iptables -X DOCKER-ISOLATION-STAGE-1
iptables -X DOCKER-ISOLATION-STAGE-2
iptables -X DOCKER
iptables -X DOCKER-USER
root@nfs01:# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (0 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (0 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-2 (0 references)
target prot opt source destination
Chain DOCKER-USER (0 references)
target prot opt source destination
root@nfs01:# iptables -X DOCKER
root@nfs01:# iptables -X DOCKER-ISOLATION-STAGE-1
root@nfs01:# iptables -L^C
root@nfs01:# ping 192.168.11.240^C
root@nfs01:# iptables -X DOCKER-ISOLATION-STAGE-2
root@nfs01:# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER-USER (0 references)
target prot opt source destination
root@nfs01:# iptables -X DOCKER-USER
root@nfs01:# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination