On Thu, 2016-10-06 at 14:02 -0500, Dan Williams wrote:
> 
> Try running 'iptables-save' before you start docker, and then running
> 'iptables-save' after.  Diff the results.  Did docker remove
> anything?

Hello,

  So this seems to be the source of the problem, but I'm a little out of
my depth as to all it's doing.

So I've attached three files:

[1] iptables.onBoot (iptables after a clean boot)
[2] iptables.afterDockerService (iptables after systemctl start docker)
[3] iptables.diff (the difference between the two files, where I've
removed differences that don't matter, like packet counts etc.)

So this seems like docker doesn't play well with libvirtd? Should I be
filing a bug on docker? Or is this just a mis-configuration on my part?
I don't think I've changed either libvirtd/qemu or docker's default
configuration, other than that my VMs all attach to bridge0 instead of
using NAT.

I'll start looking up what -m addrtype --dst-type LOCAL does and all
the docker-related rules that are added, but I'm really not sure what's
going on. Particularly since VMs that are running and network-connected
before I run a docker container continue to be. Only VMs brought up
after that aren't. Also, at a minimum, if I stop the docker service I
would expect these rules to go away, which they don't. For example,
after systemctl stop docker I still have the docker0 bridge interface up,
and

[gnat@iridium ~]$ sudo iptables -L -n | grep DOCKER
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
Chain DOCKER (1 references)
Chain DOCKER-ISOLATION (1 references)

still shows the chains are in place...
# Generated by iptables-save v1.6.0 on Fri Oct 14 14:49:48 2016
*nat
:PREROUTING ACCEPT [25:1604]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [126:9336]
:POSTROUTING ACCEPT [126:9336]
:DOCKER - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_FedoraWorkstation - [0:0]
:POST_FedoraWorkstation_allow - [0:0]
:POST_FedoraWorkstation_deny - [0:0]
:POST_FedoraWorkstation_log - [0:0]
:POST_dmz - [0:0]
:POST_dmz_allow - [0:0]
:POST_dmz_deny - [0:0]
:POST_dmz_log - [0:0]
:POST_trusted - [0:0]
:POST_trusted_allow - [0:0]
:POST_trusted_deny - [0:0]
:POST_trusted_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_FedoraWorkstation - [0:0]
:PRE_FedoraWorkstation_allow - [0:0]
:PRE_FedoraWorkstation_deny - [0:0]
:PRE_FedoraWorkstation_log - [0:0]
:PRE_dmz - [0:0]
:PRE_dmz_allow - [0:0]
:PRE_dmz_deny - [0:0]
:PRE_dmz_log - [0:0]
:PRE_trusted - [0:0]
:PRE_trusted_allow - [0:0]
:PRE_trusted_deny - [0:0]
:PRE_trusted_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j OUTPUT_direct
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.121.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.121.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A DOCKER -i docker0 -j RETURN
-A POSTROUTING_ZONES -o em1 -g POST_dmz
-A POSTROUTING_ZONES -o bridge0 -g POST_dmz
-A POSTROUTING_ZONES -o virbr0 -j POST_trusted
-A POSTROUTING_ZONES -o virbr0-nic -j POST_trusted
-A POSTROUTING_ZONES -g POST_FedoraWorkstation
-A POSTROUTING_ZONES_SOURCE -d 192.168.121.0/24 -g POST_dmz
-A POSTROUTING_ZONES_SOURCE -d 192.168.4.0/24 -g POST_dmz
-A POST_FedoraWorkstation -j POST_FedoraWorkstation_log
-A POST_FedoraWorkstation -j POST_FedoraWorkstation_deny
-A POST_FedoraWorkstation -j POST_FedoraWorkstation_allow
-A POST_dmz -j POST_dmz_log
-A POST_dmz -j POST_dmz_deny
-A POST_dmz -j POST_dmz_allow
-A POST_trusted -j POST_trusted_log
-A POST_trusted -j POST_trusted_deny
-A POST_trusted -j POST_trusted_allow
-A PREROUTING_ZONES -i em1 -g PRE_dmz
-A PREROUTING_ZONES -i bridge0 -g PRE_dmz
-A PREROUTING_ZONES -i virbr0 -j PRE_trusted
-A PREROUTING_ZONES -i virbr0-nic -j PRE_trusted
-A PREROUTING_ZONES -g PRE_FedoraWorkstation
-A PREROUTING_ZONES_SOURCE -s 192.168.121.0/24 -g PRE_dmz
-A PREROUTING_ZONES_SOURCE -s 192.168.4.0/24 -g PRE_dmz
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow
-A PRE_dmz -j PRE_dmz_log
-A PRE_dmz -j PRE_dmz_deny
-A PRE_dmz -j PRE_dmz_allow
-A PRE_trusted -j PRE_trusted_log
-A PRE_trusted -j PRE_trusted_deny
-A PRE_trusted -j PRE_trusted_allow
COMMIT
# Completed on Fri Oct 14 14:49:48 2016
# Generated by iptables-save v1.6.0 on Fri Oct 14 14:49:48 2016
*security
:INPUT ACCEPT [13216:6582247]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12390:2830935]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Fri Oct 14 14:49:48 2016
# Generated by iptables-save v1.6.0 on Fri Oct 14 14:49:48 2016
*raw
:PREROUTING ACCEPT [13256:6585647]
:OUTPUT ACCEPT [12390:2830935]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Fri Oct 14 14:49:48 2016
# Generated by iptables-save v1.6.0 on Fri Oct 14 14:49:48 2016
*mangle
:PREROUTING ACCEPT [13256:6585647]
:INPUT ACCEPT [13221:6583355]
:FORWARD ACCEPT [27:1814]
:OUTPUT ACCEPT [12390:2830935]
:POSTROUTING ACCEPT [12515:2849689]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_FedoraWorkstation - [0:0]
:PRE_FedoraWorkstation_allow - [0:0]
:PRE_FedoraWorkstation_deny - [0:0]
:PRE_FedoraWorkstation_log - [0:0]
:PRE_dmz - [0:0]
:PRE_dmz_allow - [0:0]
:PRE_dmz_deny - [0:0]
:PRE_dmz_log - [0:0]
:PRE_trusted - [0:0]
:PRE_trusted_allow - [0:0]
:PRE_trusted_deny - [0:0]
:PRE_trusted_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i em1 -g PRE_dmz
-A PREROUTING_ZONES -i bridge0 -g PRE_dmz
-A PREROUTING_ZONES -i virbr0 -j PRE_trusted
-A PREROUTING_ZONES -i virbr0-nic -j PRE_trusted
-A PREROUTING_ZONES -g PRE_FedoraWorkstation
-A PREROUTING_ZONES_SOURCE -s 192.168.121.0/24 -g PRE_dmz
-A PREROUTING_ZONES_SOURCE -s 192.168.4.0/24 -g PRE_dmz
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow
-A PRE_dmz -j PRE_dmz_log
-A PRE_dmz -j PRE_dmz_deny
-A PRE_dmz -j PRE_dmz_allow
-A PRE_trusted -j PRE_trusted_log
-A PRE_trusted -j PRE_trusted_deny
-A PRE_trusted -j PRE_trusted_allow
COMMIT
# Completed on Fri Oct 14 14:49:48 2016
# Generated by iptables-save v1.6.0 on Fri Oct 14 14:49:48 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4353:1246826]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_FedoraWorkstation - [0:0]
:FWDI_FedoraWorkstation_allow - [0:0]
:FWDI_FedoraWorkstation_deny - [0:0]
:FWDI_FedoraWorkstation_log - [0:0]
:FWDI_dmz - [0:0]
:FWDI_dmz_allow - [0:0]
:FWDI_dmz_deny - [0:0]
:FWDI_dmz_log - [0:0]
:FWDI_trusted - [0:0]
:FWDI_trusted_allow - [0:0]
:FWDI_trusted_deny - [0:0]
:FWDI_trusted_log - [0:0]
:FWDO_FedoraWorkstation - [0:0]
:FWDO_FedoraWorkstation_allow - [0:0]
:FWDO_FedoraWorkstation_deny - [0:0]
:FWDO_FedoraWorkstation_log - [0:0]
:FWDO_dmz - [0:0]
:FWDO_dmz_allow - [0:0]
:FWDO_dmz_deny - [0:0]
:FWDO_dmz_log - [0:0]
:FWDO_trusted - [0:0]
:FWDO_trusted_allow - [0:0]
:FWDO_trusted_deny - [0:0]
:FWDO_trusted_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_FedoraWorkstation - [0:0]
:IN_FedoraWorkstation_allow - [0:0]
:IN_FedoraWorkstation_deny - [0:0]
:IN_FedoraWorkstation_log - [0:0]
:IN_dmz - [0:0]
:IN_dmz_allow - [0:0]
:IN_dmz_deny - [0:0]
:IN_dmz_log - [0:0]
:IN_trusted - [0:0]
:IN_trusted_allow - [0:0]
:IN_trusted_deny - [0:0]
:IN_trusted_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -d 192.168.121.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.121.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A DOCKER-ISOLATION -j RETURN
-A FORWARD_IN_ZONES -i em1 -g FWDI_dmz
-A FORWARD_IN_ZONES -i bridge0 -g FWDI_dmz
-A FORWARD_IN_ZONES -i virbr0 -j FWDI_trusted
-A FORWARD_IN_ZONES -i virbr0-nic -j FWDI_trusted
-A FORWARD_IN_ZONES -g FWDI_FedoraWorkstation
-A FORWARD_IN_ZONES_SOURCE -s 192.168.121.0/24 -g FWDI_dmz
-A FORWARD_IN_ZONES_SOURCE -s 192.168.4.0/24 -g FWDI_dmz
-A FORWARD_OUT_ZONES -o em1 -g FWDO_dmz
-A FORWARD_OUT_ZONES -o bridge0 -g FWDO_dmz
-A FORWARD_OUT_ZONES -o virbr0 -j FWDO_trusted
-A FORWARD_OUT_ZONES -o virbr0-nic -j FWDO_trusted
-A FORWARD_OUT_ZONES -g FWDO_FedoraWorkstation
-A FORWARD_OUT_ZONES_SOURCE -d 192.168.121.0/24 -g FWDO_dmz
-A FORWARD_OUT_ZONES_SOURCE -d 192.168.4.0/24 -g FWDO_dmz
-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_log
-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_deny
-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_allow
-A FWDI_FedoraWorkstation -p icmp -j ACCEPT
-A FWDI_dmz -j FWDI_dmz_log
-A FWDI_dmz -j FWDI_dmz_deny
-A FWDI_dmz -j FWDI_dmz_allow
-A FWDI_dmz -p icmp -j ACCEPT
-A FWDI_trusted -j FWDI_trusted_log
-A FWDI_trusted -j FWDI_trusted_deny
-A FWDI_trusted -j FWDI_trusted_allow
-A FWDI_trusted -j ACCEPT
-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_log
-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_deny
-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_allow
-A FWDO_dmz -j FWDO_dmz_log
-A FWDO_dmz -j FWDO_dmz_deny
-A FWDO_dmz -j FWDO_dmz_allow
-A FWDO_trusted -j FWDO_trusted_log
-A FWDO_trusted -j FWDO_trusted_deny
-A FWDO_trusted -j FWDO_trusted_allow
-A FWDO_trusted -j ACCEPT
-A INPUT_ZONES -i em1 -g IN_dmz
-A INPUT_ZONES -i bridge0 -g IN_dmz
-A INPUT_ZONES -i virbr0 -j IN_trusted
-A INPUT_ZONES -i virbr0-nic -j IN_trusted
-A INPUT_ZONES -g IN_FedoraWorkstation
-A INPUT_ZONES_SOURCE -s 192.168.121.0/24 -g IN_dmz
-A INPUT_ZONES_SOURCE -s 192.168.4.0/24 -g IN_dmz
-A IN_FedoraWorkstation -j IN_FedoraWorkstation_log
-A IN_FedoraWorkstation -j IN_FedoraWorkstation_deny
-A IN_FedoraWorkstation -j IN_FedoraWorkstation_allow
-A IN_FedoraWorkstation -p icmp -j ACCEPT
-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p udp -m udp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p udp -m udp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p udp -m udp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz -j IN_dmz_log
-A IN_dmz -j IN_dmz_deny
-A IN_dmz -j IN_dmz_allow
-A IN_dmz -p icmp -j ACCEPT
-A IN_dmz_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p tcp -m tcp --dport 5500 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p tcp -m tcp --dport 6881:6890 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 9091 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p udp -m udp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p udp -m udp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 5001 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
-A IN_trusted -j IN_trusted_log
-A IN_trusted -j IN_trusted_deny
-A IN_trusted -j IN_trusted_allow
-A IN_trusted -j ACCEPT
-A IN_trusted_allow -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
-A IN_trusted_allow -p udp -m udp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
-A IN_trusted_allow -p tcp -m tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
-A IN_trusted_allow -p tcp -m tcp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
-A IN_trusted_allow -p udp -m udp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Fri Oct 14 14:49:48 2016
# Generated by iptables-save v1.6.0 on Fri Oct 14 14:47:44 2016
*nat
:PREROUTING ACCEPT [2:433]
:INPUT ACCEPT [1:105]
:OUTPUT ACCEPT [235:15814]
:POSTROUTING ACCEPT [234:15619]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_FedoraWorkstation - [0:0]
:POST_FedoraWorkstation_allow - [0:0]
:POST_FedoraWorkstation_deny - [0:0]
:POST_FedoraWorkstation_log - [0:0]
:POST_dmz - [0:0]
:POST_dmz_allow - [0:0]
:POST_dmz_deny - [0:0]
:POST_dmz_log - [0:0]
:POST_trusted - [0:0]
:POST_trusted_allow - [0:0]
:POST_trusted_deny - [0:0]
:POST_trusted_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_FedoraWorkstation - [0:0]
:PRE_FedoraWorkstation_allow - [0:0]
:PRE_FedoraWorkstation_deny - [0:0]
:PRE_FedoraWorkstation_log - [0:0]
:PRE_dmz - [0:0]
:PRE_dmz_allow - [0:0]
:PRE_dmz_deny - [0:0]
:PRE_dmz_log - [0:0]
:PRE_trusted - [0:0]
:PRE_trusted_allow - [0:0]
:PRE_trusted_deny - [0:0]
:PRE_trusted_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 192.168.121.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.121.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o em1 -g POST_dmz
-A POSTROUTING_ZONES -o bridge0 -g POST_dmz
-A POSTROUTING_ZONES -o virbr0 -j POST_trusted
-A POSTROUTING_ZONES -o virbr0-nic -j POST_trusted
-A POSTROUTING_ZONES -g POST_FedoraWorkstation
-A POSTROUTING_ZONES_SOURCE -d 192.168.121.0/24 -g POST_dmz
-A POSTROUTING_ZONES_SOURCE -d 192.168.4.0/24 -g POST_dmz
-A POST_FedoraWorkstation -j POST_FedoraWorkstation_log
-A POST_FedoraWorkstation -j POST_FedoraWorkstation_deny
-A POST_FedoraWorkstation -j POST_FedoraWorkstation_allow
-A POST_dmz -j POST_dmz_log
-A POST_dmz -j POST_dmz_deny
-A POST_dmz -j POST_dmz_allow
-A POST_trusted -j POST_trusted_log
-A POST_trusted -j POST_trusted_deny
-A POST_trusted -j POST_trusted_allow
-A PREROUTING_ZONES -i em1 -g PRE_dmz
-A PREROUTING_ZONES -i bridge0 -g PRE_dmz
-A PREROUTING_ZONES -i virbr0 -j PRE_trusted
-A PREROUTING_ZONES -i virbr0-nic -j PRE_trusted
-A PREROUTING_ZONES -g PRE_FedoraWorkstation
-A PREROUTING_ZONES_SOURCE -s 192.168.121.0/24 -g PRE_dmz
-A PREROUTING_ZONES_SOURCE -s 192.168.4.0/24 -g PRE_dmz
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow
-A PRE_dmz -j PRE_dmz_log
-A PRE_dmz -j PRE_dmz_deny
-A PRE_dmz -j PRE_dmz_allow
-A PRE_trusted -j PRE_trusted_log
-A PRE_trusted -j PRE_trusted_deny
-A PRE_trusted -j PRE_trusted_allow
COMMIT
# Completed on Fri Oct 14 14:47:44 2016
# Generated by iptables-save v1.6.0 on Fri Oct 14 14:47:44 2016
*security
:INPUT ACCEPT [1923:1481804]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1848:237711]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Fri Oct 14 14:47:44 2016
# Generated by iptables-save v1.6.0 on Fri Oct 14 14:47:44 2016
*raw
:PREROUTING ACCEPT [1931:1482877]
:OUTPUT ACCEPT [1848:237711]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Fri Oct 14 14:47:44 2016
# Generated by iptables-save v1.6.0 on Fri Oct 14 14:47:44 2016
*mangle
:PREROUTING ACCEPT [1931:1482877]
:INPUT ACCEPT [1926:1482389]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1848:237711]
:POSTROUTING ACCEPT [1912:246559]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_FedoraWorkstation - [0:0]
:PRE_FedoraWorkstation_allow - [0:0]
:PRE_FedoraWorkstation_deny - [0:0]
:PRE_FedoraWorkstation_log - [0:0]
:PRE_dmz - [0:0]
:PRE_dmz_allow - [0:0]
:PRE_dmz_deny - [0:0]
:PRE_dmz_log - [0:0]
:PRE_trusted - [0:0]
:PRE_trusted_allow - [0:0]
:PRE_trusted_deny - [0:0]
:PRE_trusted_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i em1 -g PRE_dmz
-A PREROUTING_ZONES -i bridge0 -g PRE_dmz
-A PREROUTING_ZONES -i virbr0 -j PRE_trusted
-A PREROUTING_ZONES -i virbr0-nic -j PRE_trusted
-A PREROUTING_ZONES -g PRE_FedoraWorkstation
-A PREROUTING_ZONES_SOURCE -s 192.168.121.0/24 -g PRE_dmz
-A PREROUTING_ZONES_SOURCE -s 192.168.4.0/24 -g PRE_dmz
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny
-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow
-A PRE_dmz -j PRE_dmz_log
-A PRE_dmz -j PRE_dmz_deny
-A PRE_dmz -j PRE_dmz_allow
-A PRE_trusted -j PRE_trusted_log
-A PRE_trusted -j PRE_trusted_deny
-A PRE_trusted -j PRE_trusted_allow
COMMIT
# Completed on Fri Oct 14 14:47:44 2016
# Generated by iptables-save v1.6.0 on Fri Oct 14 14:47:44 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1848:237711]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_FedoraWorkstation - [0:0]
:FWDI_FedoraWorkstation_allow - [0:0]
:FWDI_FedoraWorkstation_deny - [0:0]
:FWDI_FedoraWorkstation_log - [0:0]
:FWDI_dmz - [0:0]
:FWDI_dmz_allow - [0:0]
:FWDI_dmz_deny - [0:0]
:FWDI_dmz_log - [0:0]
:FWDI_trusted - [0:0]
:FWDI_trusted_allow - [0:0]
:FWDI_trusted_deny - [0:0]
:FWDI_trusted_log - [0:0]
:FWDO_FedoraWorkstation - [0:0]
:FWDO_FedoraWorkstation_allow - [0:0]
:FWDO_FedoraWorkstation_deny - [0:0]
:FWDO_FedoraWorkstation_log - [0:0]
:FWDO_dmz - [0:0]
:FWDO_dmz_allow - [0:0]
:FWDO_dmz_deny - [0:0]
:FWDO_dmz_log - [0:0]
:FWDO_trusted - [0:0]
:FWDO_trusted_allow - [0:0]
:FWDO_trusted_deny - [0:0]
:FWDO_trusted_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_FedoraWorkstation - [0:0]
:IN_FedoraWorkstation_allow - [0:0]
:IN_FedoraWorkstation_deny - [0:0]
:IN_FedoraWorkstation_log - [0:0]
:IN_dmz - [0:0]
:IN_dmz_allow - [0:0]
:IN_dmz_deny - [0:0]
:IN_dmz_log - [0:0]
:IN_trusted - [0:0]
:IN_trusted_allow - [0:0]
:IN_trusted_deny - [0:0]
:IN_trusted_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.121.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.121.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i em1 -g FWDI_dmz
-A FORWARD_IN_ZONES -i bridge0 -g FWDI_dmz
-A FORWARD_IN_ZONES -i virbr0 -j FWDI_trusted
-A FORWARD_IN_ZONES -i virbr0-nic -j FWDI_trusted
-A FORWARD_IN_ZONES -g FWDI_FedoraWorkstation
-A FORWARD_IN_ZONES_SOURCE -s 192.168.121.0/24 -g FWDI_dmz
-A FORWARD_IN_ZONES_SOURCE -s 192.168.4.0/24 -g FWDI_dmz
-A FORWARD_OUT_ZONES -o em1 -g FWDO_dmz
-A FORWARD_OUT_ZONES -o bridge0 -g FWDO_dmz
-A FORWARD_OUT_ZONES -o virbr0 -j FWDO_trusted
-A FORWARD_OUT_ZONES -o virbr0-nic -j FWDO_trusted
-A FORWARD_OUT_ZONES -g FWDO_FedoraWorkstation
-A FORWARD_OUT_ZONES_SOURCE -d 192.168.121.0/24 -g FWDO_dmz
-A FORWARD_OUT_ZONES_SOURCE -d 192.168.4.0/24 -g FWDO_dmz
-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_log
-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_deny
-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_allow
-A FWDI_FedoraWorkstation -p icmp -j ACCEPT
-A FWDI_dmz -j FWDI_dmz_log
-A FWDI_dmz -j FWDI_dmz_deny
-A FWDI_dmz -j FWDI_dmz_allow
-A FWDI_dmz -p icmp -j ACCEPT
-A FWDI_trusted -j FWDI_trusted_log
-A FWDI_trusted -j FWDI_trusted_deny
-A FWDI_trusted -j FWDI_trusted_allow
-A FWDI_trusted -j ACCEPT
-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_log
-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_deny
-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_allow
-A FWDO_dmz -j FWDO_dmz_log
-A FWDO_dmz -j FWDO_dmz_deny
-A FWDO_dmz -j FWDO_dmz_allow
-A FWDO_trusted -j FWDO_trusted_log
-A FWDO_trusted -j FWDO_trusted_deny
-A FWDO_trusted -j FWDO_trusted_allow
-A FWDO_trusted -j ACCEPT
-A INPUT_ZONES -i em1 -g IN_dmz
-A INPUT_ZONES -i bridge0 -g IN_dmz
-A INPUT_ZONES -i virbr0 -j IN_trusted
-A INPUT_ZONES -i virbr0-nic -j IN_trusted
-A INPUT_ZONES -g IN_FedoraWorkstation
-A INPUT_ZONES_SOURCE -s 192.168.121.0/24 -g IN_dmz
-A INPUT_ZONES_SOURCE -s 192.168.4.0/24 -g IN_dmz
-A IN_FedoraWorkstation -j IN_FedoraWorkstation_log
-A IN_FedoraWorkstation -j IN_FedoraWorkstation_deny
-A IN_FedoraWorkstation -j IN_FedoraWorkstation_allow
-A IN_FedoraWorkstation -p icmp -j ACCEPT
-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p udp -m udp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p udp -m udp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p udp -m udp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz -j IN_dmz_log
-A IN_dmz -j IN_dmz_deny
-A IN_dmz -j IN_dmz_allow
-A IN_dmz -p icmp -j ACCEPT
-A IN_dmz_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p tcp -m tcp --dport 5500 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p tcp -m tcp --dport 6881:6890 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 9091 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p udp -m udp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p udp -m udp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 5001 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -s 192.168.4.0/24 -p tcp -m tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
-A IN_trusted -j IN_trusted_log
-A IN_trusted -j IN_trusted_deny
-A IN_trusted -j IN_trusted_allow
-A IN_trusted -j ACCEPT
-A IN_trusted_allow -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
-A IN_trusted_allow -p udp -m udp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
-A IN_trusted_allow -p tcp -m tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
-A IN_trusted_allow -p tcp -m tcp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
-A IN_trusted_allow -p udp -m udp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Fri Oct 14 14:47:44 2016
--- iptables.onBoot	2016-10-14 14:47:44.481693854 -0600
+++ iptables.afterDockerService	2016-10-14 14:49:48.717627103 -0600
@@ -38,7 +39,10 @@
 -A PREROUTING -j PREROUTING_direct
 -A PREROUTING -j PREROUTING_ZONES_SOURCE
 -A PREROUTING -j PREROUTING_ZONES
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT -j OUTPUT_direct
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
 -A POSTROUTING -s 192.168.121.0/24 -d 224.0.0.0/24 -j RETURN
 -A POSTROUTING -s 192.168.121.0/24 -d 255.255.255.255/32 -j RETURN
 -A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
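Review bot: the two `-m addrtype --dst-type LOCAL -j DOCKER` rules are not what would break bridged VMs. They only divert packets addressed to one of the host's own addresses into the nat DOCKER chain, which in this diff consists of a single `-A DOCKER -i docker0 -j RETURN` (next hunk), so until a container publishes a port they change nothing; they are also appended after the firewalld `PREROUTING_ZONES` dispatch, not ahead of it. The new MASQUERADE is limited to `-s 172.17.0.0/16`, so although it lands ahead of libvirt's MASQUERADE rules it cannot rewrite traffic from 192.168.121.0/24 or from bridge0; the source ranges are disjoint.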
@@ -47,6 +51,7 @@
 -A POSTROUTING -j POSTROUTING_direct
 -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
 -A POSTROUTING -j POSTROUTING_ZONES
+-A DOCKER -i docker0 -j RETURN
 -A POSTROUTING_ZONES -o em1 -g POST_dmz
 -A POSTROUTING_ZONES -o bridge0 -g POST_dmz
 -A POSTROUTING_ZONES -o virbr0 -j POST_trusted
@@ -155,12 +160,14 @@
# Completed on Fri Oct 14 14:49:48 2016
# Generated by iptables-save v1.6.0 on Fri Oct 14 14:49:48 2016
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [1848:237711]
+:DOCKER - [0:0]
+:DOCKER-ISOLATION - [0:0]
 :FORWARD_IN_ZONES - [0:0]
 :FORWARD_IN_ZONES_SOURCE - [0:0]
 :FORWARD_OUT_ZONES - [0:0]
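Review bot: the `# Completed` / `# Generated` lines at the top of this hunk lack the leading space that marks unified-diff context, and the counts in `@@ -155,12 +160,14 @@` no longer add up once the timestamp lines were removed by hand, so this diff can be read but not fed to `patch`. Next time strip the volatile parts from both dumps before diffing instead of editing the result, e.g. `sed -E '/^# (Generated|Completed)/d; s/\[[0-9]+:[0-9]+\]/[0:0]/' iptables.onBoot > a` (same for the other file), then `diff -u a b`; the remaining differences are then exactly the policy changes.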
@@ -217,6 +224,11 @@
 -A INPUT -j INPUT_ZONES
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j DOCKER-ISOLATION
+-A FORWARD -o docker0 -j DOCKER
+-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+-A FORWARD -i docker0 -o docker0 -j ACCEPT
 -A FORWARD -d 192.168.121.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -s 192.168.121.0/24 -i virbr0 -j ACCEPT
 -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
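Review bot: none of the five rules Docker puts at the head of FORWARD can reject the VMs. `-j DOCKER-ISOLATION` jumps into a chain that (last hunk) only does RETURN, `-o docker0 -j DOCKER` jumps into a filter DOCKER chain that has no rules anywhere in this diff, and the other three match only traffic entering or leaving docker0. A frame from bridge0 therefore falls through to exactly the firewalld rules it met before, ending in the unchanged `-A FORWARD -j REJECT --reject-with icmp-host-prohibited`. Since the rule text cannot explain the breakage, check whether bridge0 traffic is now traversing FORWARD at all: `sysctl net.bridge.bridge-nf-call-iptables` (Docker turns this on when it sets up its bridge, and it makes bridged frames subject to the FORWARD chain), and watch the packet counter of that final REJECT in `iptables -L FORWARD -v -n` while a newly started VM tries to talk. Neither the sysctl nor these rules are reverted by `systemctl stop docker`, which matches what is reported above. One security point to keep in mind: because these rules sit before `-j FORWARD_IN_ZONES` and `-j FORWARD_OUT_ZONES`, container egress accepted by `-i docker0 ! -o docker0 -j ACCEPT` bypasses every firewalld forward-zone policy on this host.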
@@ -233,6 +245,7 @@
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
 -A OUTPUT -j OUTPUT_direct
+-A DOCKER-ISOLATION -j RETURN
 -A FORWARD_IN_ZONES -i em1 -g FWDI_dmz
 -A FORWARD_IN_ZONES -i bridge0 -g FWDI_dmz
 -A FORWARD_IN_ZONES -i virbr0 -j FWDI_trusted
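Review bot: `-A DOCKER-ISOLATION -j RETURN` confirms the isolation chain is empty apart from its RETURN (Docker only populates it when more than one Docker bridge exists), so the `-j DOCKER-ISOLATION` jump placed first in FORWARD is a pure no-op here; nothing in this hunk touches traffic that does not involve docker0.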

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
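The before/after comparison Dan suggested, as an added example that is not part of the thread: a small Python script that strips counters and timestamps from two iptables-save dumps, lists every rule Docker added together with its position in the chain, and, for each, works out whether it can ever issue a verdict on a packet that is not Docker's own. The sample dumps are constructed, trimmed from the attachments above; the `DOCKER_ONLY` heuristic and the chain-walking are mine.

```python
"""Diff two iptables-save dumps taken before/after starting Docker, ignoring
counters and timestamps, and flag which added rules can change the verdict for
packets that are not Docker's own. Added example, not code from the mail."""
import re

TERMINAL = {"ACCEPT", "DROP", "REJECT", "MASQUERADE", "DNAT", "SNAT", "REDIRECT"}
# matches confining a rule to Docker's bridge or range; a negated "! -o docker0" does not count
DOCKER_ONLY = re.compile(r"(?<!! )-[io] docker0\b|(?<!! )-s 172\.17\.0\.0/16\b")

def parse_dump(text):
    """{table: [rules]}; '# Generated ... on <date>', ':CHAIN policy [pkts:bytes]'
    and iptables-save -c counters are dropped so only policy differences remain."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                        # new table, e.g. "*nat"
            table = line[1:]
            tables[table] = []
        elif line == "COMMIT":
            table = None
        elif line.startswith(("-A ", "[")):             # "[pkts:bytes] -A ..." with -c
            tables[table].append(re.sub(r"^\[\d+:\d+\] ", "", line))
    return tables

def rule_delta(src, dst):
    """Rules in dst missing from src as (table, chain, slot, rule); slot is the 1-based
    position in its chain (iptables is first-match). (before, after) = added, swapped = removed."""
    out = []
    for table, rules in dst.items():
        old, slot = set(src.get(table, [])), {}
        for rule in rules:
            chain = rule.split()[1]
            slot[chain] = slot.get(chain, 0) + 1
            if rule not in old:
                out.append((table, chain, slot[chain], rule))
    return out

def can_touch_foreign(rule, table_rules, seen=None):
    """True if the rule can issue a verdict on a non-Docker packet. A jump into a user chain
    counts only if a rule there can, so DOCKER-ISOLATION holding just RETURN is a no-op."""
    if DOCKER_ONLY.search(rule):
        return False
    target = m.group(1) if (m := re.search(r" -[jg] (\S+)", rule)) else None
    if target in TERMINAL:
        return True
    seen = seen or set()
    if target in (None, "RETURN") or target in seen:    # no verdict, or chain loop
        return False
    seen.add(target)
    return any(can_touch_foreign(r, table_rules, seen)
               for r in table_rules if r.split()[1] == target)

def report(before_text, after_text):
    """Added rules as (table, chain, slot, affects_foreign, rule), plus removed rules."""
    before, after = parse_dump(before_text), parse_dump(after_text)
    added = [(t, c, s, can_touch_foreign(r, after[t]), r)
             for t, c, s, r in rule_delta(before, after)]
    return added, rule_delta(after, before)

# constructed sample dumps, trimmed from iptables.onBoot / iptables.afterDockerService
BEFORE = """\
# Generated by iptables-save v1.6.0 on Fri Oct 14 14:47:44 2016
*nat
:PREROUTING ACCEPT [2:433]
-A PREROUTING -j PREROUTING_ZONES
-A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -j MASQUERADE
COMMIT
*filter
-A FORWARD -s 192.168.121.0/24 -i virbr0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
AFTER = """\
# Generated by iptables-save v1.6.0 on Fri Oct 14 14:49:48 2016
*nat
:PREROUTING ACCEPT [25:1604]
-A PREROUTING -j PREROUTING_ZONES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.121.0/24 ! -d 192.168.121.0/24 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -s 192.168.121.0/24 -i virbr0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A DOCKER-ISOLATION -j RETURN
COMMIT
"""

if __name__ == "__main__":
    for t, c, s, foreign, rule in report(BEFORE, AFTER)[0]:
        print(f"+ {t}/{c}#{s} {'can hit non-docker traffic' if foreign else 'docker-only'}: {rule}")
```

On the two real attachments the script reports the same seven additions as the hand-edited diff and no removals; every added rule comes out docker-only, which is why the rule diff alone does not explain the VM breakage.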