After hours of searching and trying solutions I am at an end.

When I start a Docker container on a CentOS 7 machine, this is what happens:

- Cannot communicate via TCP (e.g. run `apt update`). ping works fine.
- Switching network mode to `--net=host` fixes the issue, but I want to use the default bridge.
- I added `net.ipv4.ip_forward=1` to `/etc/sysctl.conf`.
- Container is registered in the bridge network, seen via `docker network inspect bridge`.
- DNS is configured properly, pinging hostnames works as well as addresses.
Further info

Running `apt update` shows messages such as:

```
Ign http://security.debian.org jessie/updates InRelease
Err http://security.debian.org jessie/updates Release.gpg
Unable to connect to security.debian.org:http: [IP: 212.211.132.32 80]
```
iptables configuration:

```
$ iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
tcp -- anywhere anywhere tcp dpt:http /* HTTP-IN */
tcp -- anywhere anywhere tcp dpt:http flags:FIN,SYN,RST,ACK/SYN /* HTTP-SYN */
tcp -- anywhere anywhere tcp dpt:https /* HTTPS-IN */
tcp -- anywhere anywhere tcp dpt:https flags:FIN,SYN,RST,ACK/SYN /* HTTPS-SYN */
ACCEPT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh match-set avast_internal src
ACCEPT udp -- anywhere anywhere udp dpt:snmp match-set avast_internal src
ACCEPT tcp -- anywhere anywhere tcp match-set avast_internal src

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
tcp -- anywhere anywhere tcp spt:http /* HTTP-OUT */
tcp -- anywhere anywhere tcp spt:https /* HTTPS-OUT */

Chain DOCKER (2 references)
target prot opt source destination

Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
```
What could be the cause of this?

Edit:

After opening the firewall using these commands I was able to connect to the internet from the Docker container:

```
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X
```

However, after resetting the rules to find out which one exactly caused the problem, I am unable to get it back to a working state, even after clearing all iptables rules and restarting the Docker daemon.
Edit 2:

Turns out there were some rules in the raw table as well, which I did not see before. The following rule was blocking Docker containers from the internet:

```
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
CT tcp -- anywhere anywhere NOTRACK
```
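The raw-table `CT --notrack` rule found in Edit 2 explains the symptoms: TCP packets skip connection tracking, so Docker's `ctstate RELATED,ESTABLISHED` FORWARD rules (and the conntrack-based NAT for the bridge) never see the container's flows, while ICMP, which the rule does not cover, still works. As an added example that is not part of the post, this script detects that combination in `iptables-save` output; the rule text is a constructed sample modelled on the post, and the function name `check_notrack_conflict` is my own.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output modelled on the post: a raw-table
# NOTRACK rule for all TCP next to Docker's conntrack-based FORWARD rules.
SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -j CT --notrack
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT'

# Reads iptables-save text on stdin. Lists every raw-table rule that bypasses
# conntrack and every filter rule that depends on conntrack state; exits 1 when
# both are present, because untracked packets can never match RELATED,ESTABLISHED.
check_notrack_conflict() {
    awk '
        /^\*/ { table = substr($0, 2); next }           # "*raw", "*filter", ...
        table == "raw" && /-j (CT --notrack|NOTRACK)/ { raw[++nr] = $0 }
        table == "filter" && /(--ctstate|--state) / { ct[++nc] = $0 }
        END {
            if (nr == 0) { print "OK: no NOTRACK rules in raw table"; exit 0 }
            print "raw-table rules bypassing conntrack:"
            for (i = 1; i <= nr; i++) print "  " raw[i]
            if (nc == 0) exit 0
            print "filter rules that need conntrack state (never match untracked flows):"
            for (i = 1; i <= nc; i++) print "  " ct[i]
            exit 1
        }'
}

# Live check on a host (needs root):  iptables-save | check_notrack_conflict
if printf '%s\n' "$SAMPLE_RULES" | check_notrack_conflict; then
    echo "Result: conntrack is intact for bridged containers"
else
    echo "Result: bridged container TCP will fail while ICMP still works"
fi
```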