
Firewalld doesn't go well with Docker


Ales Lerch

Firewalld is a great project. It's a tool to control iptables rules (or the firewall, in short). So basically it's just a frontend, while iptables (or nftables today) is the backend. And it was made by Red Hat, so it's an open source project (cool, right!).

Well, while it's a popular tool today, it has some issues with Docker. So if you are like me and have activated firewalld on the same machine where you host containers using Docker - you might have the same issue as I had.


When I installed and activated firewalld I had a problem -- all Docker containers were not able to connect to the internet. So in any container I tested - I wasn't able to ping 1.1.1.1. I could access the local network but that was all. Later on, when I googled whether anyone had the same issue as I did - I found a very large issue for this problem on GitHub (and it's still open at this time). See it for yourself!

So yeah, you're running Docker and firewalld and now all containers aren't able to connect to the internet (in case you are building custom ones this can be a great issue). So how to fix it?

Run these commands in a terminal on your host:

# Masquerading allows for docker ingress and egress (this is the juicy bit)
firewall-cmd --zone=public --add-masquerade --permanent

# Reload firewall to apply permanent rules
firewall-cmd --reload

Disabling firewalld seemed to do the trick, but I would prefer not to do that. While inspecting network rules with iptables, I realized that the switch to nftables means that iptables is now an abstraction layer that only shows a small part of the nftables rules. That means most - if not all - of the firewalld configuration will be applied outside the scope of iptables.

Long story short - for this to work you need to enable masquerading. It looked like dockerd already did this through iptables, but apparently this needs to be specifically enabled for the firewall zone for iptables masquerading to work.
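
To check that the two commands above took effect, the script below compares the runtime and the permanent masquerade setting of a zone, since `--permanent` only saves the rule and `--reload` is what applies it. It is an added example, not part of the original post; the function names are hypothetical and the sample `--list-all` output is constructed.

```shell
#!/bin/sh
# Added example: compare runtime vs permanent masquerade state of a firewalld zone.

# Read `firewall-cmd --list-all` output on stdin, print the masquerade value.
masq_from_list_all() {
    awk '$1 == "masquerade:" { print $2; found = 1; exit }
         END { if (!found) print "unknown" }'
}

# Classify the pair (runtime value, permanent value).
masq_state() {
    case "$1/$2" in
        yes/yes) echo "ok" ;;
        yes/no)  echo "runtime-only" ;;   # lost on the next --reload or reboot
        no/yes)  echo "needs-reload" ;;   # saved with --permanent, not applied yet
        no/no)   echo "disabled" ;;
        *)       echo "unknown" ;;
    esac
}

# Query a live firewalld (run as root); the zone defaults to public, as on this page.
check_zone() {
    zone="${1:-public}"
    runtime=$(firewall-cmd --zone="$zone" --list-all | masq_from_list_all)
    permanent=$(firewall-cmd --permanent --zone="$zone" --list-all | masq_from_list_all)
    echo "$zone: $(masq_state "$runtime" "$permanent")"
}

# Constructed sample of `firewall-cmd --zone=public --list-all` output,
# as it would look after --add-masquerade --permanent but before --reload.
SAMPLE_RUNTIME='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  forward: yes
  masquerade: no
  forward-ports:
  rich rules:'

if command -v firewall-cmd >/dev/null 2>&1; then
    check_zone public
else
    # No firewalld on this machine: classify the constructed sample instead.
    sample=$(printf '%s\n' "$SAMPLE_RUNTIME" | masq_from_list_all)
    echo "sample: $(masq_state "$sample" yes)"
fi
```

A result of `needs-reload` means the rule was saved but `firewall-cmd --reload` has not run yet; `runtime-only` means the rule was added without `--permanent` and will disappear on the next reload.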