Firewalld doesn't go well with Docker
Firewalld is a great project. It's a tool to control iptables rules (or firewall in short). So basically it's just a frontend, while iptables (or nftables today) is the backend. And it was made by Red Hat, so it's an open source project (cool, right!).
Well, while it's a popular tool today, it has some issues with Docker. So if you are like me and have activated firewalld on the same machine where you host containers using Docker, you might have the same issue as I had.
When I installed and activated firewalld I had a problem: all Docker containers were not able to connect to the internet. So any container I tested, I wasn't able to ping 1.1.1.1. I could access the local network but that was all. Later on, when I googled whether anyone had the same issue as I did, I found a very large issue for this problem on GitHub (and it's still open at this time). See it for yourself!
So yeah, you are running Docker and firewalld and now all containers aren't able to connect to the internet (in case you are building custom ones this can be a great issue). So how to fix it?
Run these commands in a terminal on your host:
# Masquerading allows for docker ingress and egress (this is the juicy bit)
firewall-cmd --zone=public --add-masquerade --permanent
# Reload firewall to apply permanent rules
firewall-cmd --reload
Disabling firewalld seemed to do the trick, but I would prefer not to do that. While inspecting network rules with iptables, I realized that the switch to nftables means that iptables is now an abstraction layer that only shows a small part of the nftables rules. That means most - if not all - of the firewalld configuration will be applied outside the scope of iptables.
Long story short - for this to work you need to enable masquerading. It looked like dockerd already did this through iptables, but apparently this needs to be specifically enabled for the firewall zone for iptables masquerading to work.
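A check for the fix above, as an added example that is not part of the original post: it confirms that the zone is actually in use and that masquerading is set both at runtime and permanently, since `--permanent` without `--reload` changes nothing until the next reload. The `FWCMD` variable, the function names and the status words are assumptions of this sketch; `--query-masquerade` and `--get-active-zones` are standard `firewall-cmd` options.

```shell
#!/bin/sh
# Added example (not from the original post): check that the masquerade
# fix is active now and will survive a reload or reboot.
# FWCMD is an assumption of this sketch: it lets a stub stand in for firewall-cmd.
FWCMD="${FWCMD:-firewall-cmd}"

# masq_flag ZONE [--permanent] -> prints "yes" or "no".
# --query-masquerade prints yes/no; any error (daemon down, unknown zone) counts as "no".
masq_flag() {
    zone=$1; shift
    out=$("$FWCMD" "$@" --zone="$zone" --query-masquerade 2>/dev/null) || true
    [ "$out" = "yes" ] && echo yes || echo no
}

# zone_is_active ZONE -> exit 0 if ZONE has an interface or source bound to it.
# --get-active-zones prints zone names unindented, with details indented below;
# only the first word is compared, so a suffix such as "(default)" is ignored.
zone_is_active() {
    "$FWCMD" --get-active-zones 2>/dev/null |
        awk -v z="$1" '/^[^[:space:]]/ && $1 == z { found = 1 } END { exit !found }'
}

# check_masq ZONE -> prints one status word and returns 0 only for "ok".
check_masq() {
    if ! zone_is_active "$1"; then echo "zone-inactive"; return 3; fi
    runtime=$(masq_flag "$1")
    permanent=$(masq_flag "$1" --permanent)
    case "$runtime/$permanent" in
        yes/yes) echo "ok" ;;
        yes/no)  echo "runtime-only";  return 1 ;;  # lost on next --reload or reboot
        no/yes)  echo "reload-needed"; return 2 ;;  # --permanent set, --reload not run
        *)       echo "off";           return 4 ;;
    esac
}

# Usage: sh check-masq.sh public   (does nothing when called without a zone)
[ -z "${1:-}" ] || check_masq "$1"
```

A result of `zone-inactive` for `public` means the host's interface is bound to a different zone, so the two commands above would need that zone's name instead.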
