I recently discovered that the Docker daemon ‘out of the box’ (as it where) will run with the option --iptables=true.
Why is this important? - Well, for on your own development environment perhaps it isn’t so important. You can just get on with running your containers and access them over the network as expected.
If you are a bit more security conscious, perhaps because you are running on a production server, you will have firewall rules of some sort. iptables users may have spotted this but ufw users will potentially miss this: Docker is allowed to make changes to iptables to make networking easier. The reason why ufw users may miss this happening is that the rules for Docker do not appear in the list of rules.
Perhaps you want Docker managing iptables, this is your decision, but if you are running a selection of microservices behind an nginx load balancer/reverse proxy then you might not want this.
How do we fix this? - Luckily it isn’t that hard to change the behavior.
systemd Distros
Debian 8 for example, edit: /etc/systemd/system/multi-user.target.wants/docker.service
vim /etc/systemd/system/multi-user.target.wants/docker.service
You are looking for the following line:
ExecStart=/usr/bin/docker daemon -H fd://
Change it to:
ExecStart=/usr/bin/docker daemon -H fd:// --iptables=false
Restart your Docker daemon
systemctl restart docker
non-systemd Systems
Ubuntu 14.04 for example.
Edit /etc/default/docker
vim /etc/default/docker
Change the following line:
DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"
To:
DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --iptables=false"
Restart your Docker daemon
service docker restart