Fix docker container internet connection via firewalld under Centos 8

2020-05-13 05:40:40, 2-minute read

Recently I installed CentOS 8 with the latest Docker and containerd.io on my server and found that firewalld's default configuration blocked all internet access from Docker containers. I also tried Ubuntu 20.04 LTS server with ufw, but I couldn't get it configured correctly either, so I went back to CentOS 8.

After trying for a few days, I figured out how to fix this.

Environment details

OS: CentOS 8.1
Docker version: 19.03.8, build afacb8b
docker-compose version: 1.25.5, build 8a1c60f6

HOW-TO

  • Enable ipv4 forward
    sudo vim /etc/sysctl.conf

Add the following line to this file:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Apply it:

    sudo sysctl -p
  • Add firewalld rules
    firewall-cmd --permanent --zone=public --add-interface=docker0
    firewall-cmd --zone=public --add-masquerade --permanent
    firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -s 172.17.0.0/16 -j SNAT --to-source 192.168.100.68
    firewall-cmd --reload

By default, Docker adds a network interface named docker0 with the network 172.17.0.0/16, so all traffic from a container to the internet passes through docker0. Replace the --to-source address 192.168.100.68 with your own IP address: the address of the interface that can reach the internet on your system, which can be a public or a private address. In my example the server is behind a router, so the --to-source address is a private address assigned by my router's DHCP.
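As an added example (not part of the original post), the following POSIX shell script derives the --to-source address from the host's default route instead of hand-editing it, prints the matching direct rule, and checks that docker0 and masquerade are present in the public zone. The sample command outputs embedded in it are constructed, and the --live flag is this script's own assumption, not a firewalld or Docker option.

```shell
#!/bin/sh
# Added example (not from the original post). Derives the SNAT --to-source
# address from the routing table instead of hand-editing it, prints the
# direct rule, and checks the public zone for docker0 and masquerade.
# Parsing is split into functions that take command output as a string,
# so they can be tried offline against the constructed samples below.

# Source address from `ip -4 route get <dst>` output.
src_from_route() {
  printf '%s\n' "$1" | sed -n 's/.* src \([0-9.]*\).*/\1/p'
}

# Inspect `firewall-cmd --zone=public --list-all` output: docker0 must be in
# the zone's interfaces and masquerade must be on. Prints "ok" or what is missing.
check_zone() {
  _out=$1; _missing=""
  printf '%s\n' "$_out" | grep -Eq '^ *interfaces:.*( |^)docker0( |$)' \
    || _missing="$_missing interface"
  printf '%s\n' "$_out" | grep -Eq '^ *masquerade: yes$' \
    || _missing="$_missing masquerade"
  [ -z "$_missing" ] && echo ok || echo "missing:$_missing"
}

# The direct SNAT rule from the post, with the detected address filled in.
snat_rule() {
  echo "firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING" \
       "-s 172.17.0.0/16 -j SNAT --to-source $1"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_ROUTE='1.1.1.1 via 192.168.100.1 dev eth0 src 192.168.100.68 uid 1000'
SAMPLE_ZONE='public (active)
  interfaces: eth0 docker0
  masquerade: yes'

if [ "${1:-}" = "--live" ]; then
  # Real host: needs root, firewalld running, and the iproute2 `ip` tool.
  [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || echo "warning: net.ipv4.ip_forward is not 1"
  route_out=$(ip -4 route get 1.1.1.1)
  zone_out=$(firewall-cmd --zone=public --list-all)
else
  route_out=$SAMPLE_ROUTE
  zone_out=$SAMPLE_ZONE
fi
addr=$(src_from_route "$route_out")
echo "detected --to-source: $addr"
snat_rule "$addr"
echo "public zone: $(check_zone "$zone_out")"
```

Because the address comes from the routing table, re-running the script after a DHCP lease change shows when the hard-coded --to-source in the permanent direct rule has gone stale.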

DONE

All done. Try the internet connection from inside your Docker container; it should work now.
