Overview

I need a Docker Compose zabbix host to ping a host on a containerlab docker network.

These two Docker networks run under a linux Docker host machine as below... This information comes from docker network inspect <statics|zabbix6_statics>...

Name             Driver  Subnet          GW          Internal
statics          bridge  192.0.2.0/24    None        false
zabbix6_statics  bridge  172.25.0.0/16   172.25.0.1  false

My Docker host can ping a statics Docker container at 192.0.2.2; however, one of my Docker compose containers on zabbix6_statics cannot ping that same statics container at 192.0.2.2.

My problem is that I am not sure how to control the GW setup for the statics Docker network; it is automatically built by containerlab.

Docker host external interface, routing table and routing configuration:

$ ip addr show ens160
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:a7:82:54 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 10.100.50.5/28 brd 10.100.50.15 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fea7:8254/64 scope link
       valid_lft forever preferred_lft forever
$
$ ip route show
default via 10.100.50.1 dev ens160 proto static
10.100.50.0/28 dev ens160 proto kernel scope link src 10.100.50.5
172.25.0.0/16 dev br-2f0c8e39d468 proto kernel scope link src 172.25.0.1
192.0.2.0/24 dev br-3b7a04204493 proto kernel scope link src 192.0.2.1
$
$ sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
$

Docker host iptables -L...

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (6 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.25.0.3           tcp dpt:zabbix-trapper
ACCEPT     tcp  --  anywhere             172.25.0.4           tcp dpt:http-alt

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (6 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* set by containerlab */
RETURN     all  --  anywhere             anywhere
$

iptables drops... the line with 573K drops (below) sure looks like it could be a problem, but I don't know how to remove this line.

br-2f0c8e39d468 is the Docker Compose Zabbix bridge network.

$ sudo iptables -L -v -n | grep DROP
Chain FORWARD (policy DROP 1 packets, 48 bytes)
 5887  573K DROP       all  --  *      br-2f0c8e39d468  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-3b7a04204493  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-9c380974ca10  0.0.0.0/0            0.0.0.0/0
  128 19232 DROP       all  --  *      br-8852215d128f  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-9eb46ec5c23e  0.0.0.0/0            0.0.0.0/0
$

I think the iptables rule applied automatically by the Docker Compose yaml is part of the problem (see below).

Problem

From a Docker Compose Zabbix container on 172.25.0.0/16, I can ping 192.0.2.1 (the linux bridge ip address for Docker network 192.0.2.0/24), but I cannot ping the containerlab Docker container at 192.0.2.2.

The zabbix web gui can be accessed from the Docker host via http://10.100.50.5:9000. The Docker host ip address is 10.100.50.5.

Question

The most important task is just getting the Docker Compose zabbix6_statics network to successfully ping into the Docker statics network (i.e. Docker containers on 172.25.0.0/16 ping 192.0.2.2).

I really don't care what kind of linux kludge fixes or iptables work needs to be done to make pings between the container bridges work right.

1 Answer

The problem is that by default, Docker Compose sets up iptables rules that block traffic to other linux networks on the same docker host.

In this case, I want to allow all traffic to and from my Docker Compose bridge network... to do this, I configured:

sudo iptables -I INPUT -i br-2f0c8e39d468 -j ACCEPT
sudo iptables -I FORWARD -i br-2f0c8e39d468 -j ACCEPT
sudo iptables -I FORWARD -o br-2f0c8e39d468 -j ACCEPT

Where br-2f0c8e39d468 is the linux Docker host interface corresponding to the Docker Compose bridge.
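The accepted fix opens the Compose bridge to everything. The script below is an added example (not from the question or the answer) that instead generates rules scoped to the two bridges and subnets named on this page, puts them in the DOCKER-USER chain that Docker evaluates before its own FORWARD and DOCKER-ISOLATION rules, and only lets the Zabbix side initiate: the statics side gets replies via conntrack, nothing more. Helper names and the dry-run behaviour are my own; the bridge-name derivation assumes the default "br-" + first 12 characters of the network id that Docker uses when com.docker.network.bridge.name is not set.

```shell
#!/bin/sh
# Added example: scoped, idempotent iptables rules for bridge-to-bridge
# traffic on one Docker host. Interface and subnet values come from the
# page; function names are hypothetical. Prints the commands rather than
# running them, so it can be reviewed before piping into "sudo sh".

# Docker names a user-defined bridge "br-" + first 12 chars of the network
# id unless the network sets com.docker.network.bridge.name (assumption).
bridge_iface_from_id() {
    printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# Live lookup of the same thing; needs the docker CLI on the host.
bridge_iface_for_network() {
    bridge_iface_from_id "$(docker network inspect -f '{{.Id}}' "$1")"
}

# Emit two DOCKER-USER rules: src bridge may open connections to dst
# bridge; dst bridge may only answer (RELATED,ESTABLISHED). Each line
# checks with -C first so re-running the script never duplicates a rule.
# Args: src_if src_subnet dst_if dst_subnet
gen_bridge_allow_rules() {
    src_if=$1; src_net=$2; dst_if=$3; dst_net=$4
    fwd="DOCKER-USER -i $src_if -s $src_net -o $dst_if -d $dst_net -j ACCEPT"
    rev="DOCKER-USER -i $dst_if -s $dst_net -o $src_if -d $src_net \
-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    for r in "$fwd" "$rev"; do
        printf 'iptables -C %s 2>/dev/null || iptables -I %s\n' "$r" "$r"
    done
}

# Page values: Zabbix Compose bridge/subnet -> containerlab bridge/subnet.
ZBX_IF=br-2f0c8e39d468; ZBX_NET=172.25.0.0/16
LAB_IF=br-3b7a04204493; LAB_NET=192.0.2.0/24

gen_bridge_allow_rules "$ZBX_IF" "$ZBX_NET" "$LAB_IF" "$LAB_NET"
```

After applying, `sudo iptables -L FORWARD -v -n | grep DROP` should show the br-2f0c8e39d468 drop counter stop growing while pings from 172.25.0.0/16 to 192.0.2.2 succeed; a container in statics still cannot open new connections toward the Zabbix bridge.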
