Causes and consequences

1. When the ansible command was used on the jump server to test machine B, the following error was reported, so the network firewall was suspected to be the problem:

    10.10.0.86 | FAILED >> {
        "failed": true,
        "msg": "/bin/sh: /usr/bin/python: No such file or directory\r\nOpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: mux_client_request_session: master session id: 2\r\nShared connection to 10.10.0.86 closed.\r\n",
        "parsed": false
    }

2. I logged in to machine B, which is an online machine running Docker containers. In my experience, if there is a problem with the network firewall, just run:

    iptables -F
    systemctl stop iptables
    systemctl stop firewalld

3. Then I thought this should not affect the containers, so I looked at the container logs. Unexpectedly, more than 10 of them reported errors, and all of them were unable to connect. I was a little panicked... I restarted a container, but it did not start at all. The error was as follows:

    docker: Error response from daemon: driver failed programming external connectivity on endpoint happy_ptolemy (9cedc114be35eb86cd6f7f7bb4f11f93b5f8d2c0745afc72664cef8e96aad439): iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 10.10.0.86 --dport 3000 -j ACCEPT: iptables: No chain/target/match by that name.
    (exit status 1).

4. Solution: restart Docker.

    systemctl restart docker

Knowledge Points

1. The relationship between netfilter and iptables

Netfilter is a firewall framework in the Linux kernel that is used to manage network packets. Besides Network Address Translation (NAT), it provides firewall functions such as packet content modification and packet filtering. The user-space application iptables is used to control Netfilter (iptables is just an application, a tool).

2. The relationship between iptables and firewalld

firewalld, like iptables, is an application and a tool, but underneath it still goes through iptables first.

3. The relationship between docker, firewalld and iptables

1) After Docker is installed, it automatically takes over iptables or firewalld. When Docker runs, it automatically adds rules to iptables. Therefore, when iptables is restarted, those rules are lost and can only be restored by restarting Docker.

2) When using systemd, firewalld starts before Docker, but if you start or restart firewalld after Docker has started, you need to restart the Docker process.

Summary

1. Have reverence for the production environment.
2. I lacked a thorough understanding of these knowledge points and did not know in which scenarios they can be used and in which they cannot.
3. Firewall rules need to be understood further later on.
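As an added example (not part of the original article), the shell functions below read `iptables-save` output and report whether the `DOCKER` chain that the failing `iptables -t filter -A DOCKER` call needs is still declared in the filter and nat tables. The function names and both sample rulesets are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; function names and sample rulesets are constructed for illustration.

# has_chain TABLE CHAIN: reads iptables-save output on stdin.
# Returns 0 if ":CHAIN" is declared inside the "*TABLE" section, else 1.
has_chain() {
    awk -v table="$1" -v chain="$2" '
        /^\*/ { current = substr($1, 2) }   # "*filter" -> "filter"
        /^:/  { if (current == table && substr($1, 2) == chain) found = 1 }
        END   { exit (found ? 0 : 1) }
    '
}

# docker_chains_status: reads iptables-save output on stdin and reports on
# the DOCKER chain in the filter and nat tables. Returns 1 if either is missing.
docker_chains_status() {
    ruleset=$(cat)
    missing=0
    for table in filter nat; do
        if printf '%s\n' "$ruleset" | has_chain "$table" DOCKER; then
            echo "$table: DOCKER chain present"
        else
            echo "$table: DOCKER chain missing, restart docker to recreate it"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: ruleset with Docker's chains in place.
SAMPLE_HEALTHY='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
COMMIT'

# Constructed sample: ruleset after the firewall was flushed and stopped.
SAMPLE_FLUSHED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# On a live host (as root): iptables-save | docker_chains_status
```

Running the check before and after any firewall service restart shows immediately whether Docker also needs a restart.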