How to Use Arno’s IPTABLES Firewall with Docker
When using Arno’s iptables firewall alongside Docker, it’s common to run into networking issues. After the firewall is restarted, Docker containers may lose external connectivity, or port forwarding stops working. This happens because Arno’s firewall flushes the iptables rules that Docker inserted automatically when it started.
One elegant way to solve this is by configuring Arno’s firewall to allow traffic for Docker explicitly.
Edit the custom rules file, /etc/arno-iptables-firewall/custom-rules, and add the following lines:
iptables -A INPUT -i docker0 -j ACCEPT
iptables -A FORWARD -o docker0 -j ACCEPT
iptables -A FORWARD -i docker0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
Make sure the subnet (172.17.0.0/16) matches the address range of your Docker bridge (docker0). You can check this via:
ip addr show docker0
After making changes, restart the firewall:
systemctl restart arno-iptables-firewall
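As an added example (not part of the original post), the following POSIX shell script derives the docker0 network from the output of ip -4 addr show docker0, renders the four custom-rules lines from above for that network, and flags a custom-rules file whose MASQUERADE source subnet does not match the bridge. The function names are the example's own, and the sample ip output embedded in it is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): derive the docker0 subnet,
# render the custom-rules lines for it, and check an existing rules file
# for a subnet mismatch. The sample `ip` output below is constructed.

# network_of ADDR/PLEN -> NETWORK/PLEN  (172.17.0.1/16 -> 172.17.0.0/16)
network_of() {
    addr=${1%/*}
    plen=${1#*/}
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    ip32=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    fi
    net=$(( ip32 & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$plen"
}

# docker_subnet IP_ADDR_OUTPUT -> network of the first IPv4 address on the bridge
docker_subnet() {
    cidr=$(printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }')
    [ -n "$cidr" ] || { echo "no IPv4 address found on bridge" >&2; return 1; }
    network_of "$cidr"
}

# render_rules SUBNET -> the four custom-rules lines from the post, for SUBNET
render_rules() {
    cat <<EOF
iptables -A INPUT -i docker0 -j ACCEPT
iptables -A FORWARD -o docker0 -j ACCEPT
iptables -A FORWARD -i docker0 -j ACCEPT
iptables -t nat -A POSTROUTING -s $1 ! -o docker0 -j MASQUERADE
EOF
}

# rules_subnet RULES_TEXT -> the source subnet used in the MASQUERADE rule
rules_subnet() {
    printf '%s\n' "$1" \
        | sed -n 's/.*POSTROUTING -s \([^ ]*\) .*MASQUERADE.*/\1/p' | head -n 1
}

# check_subnet IP_ADDR_OUTPUT RULES_TEXT -> prints "ok", or a mismatch message
# and returns 1 when the rules masquerade a different subnet than the bridge has
check_subnet() {
    want=$(docker_subnet "$1") || return 1
    have=$(rules_subnet "$2")
    if [ "$want" = "$have" ]; then
        echo ok
    else
        echo "mismatch: docker0 is $want but custom-rules masquerades $have"
        return 1
    fi
}

# Constructed sample of `ip -4 addr show docker0` for the offline demonstration.
# On a real host, replace this with: SAMPLE_IP_OUTPUT=$(ip -4 addr show docker0)
SAMPLE_IP_OUTPUT='4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever'

# Render rules for the sample bridge and verify they agree with it.
subnet=$(docker_subnet "$SAMPLE_IP_OUTPUT")
rules=$(render_rules "$subnet")
printf '%s\n' "$rules"
check_subnet "$SAMPLE_IP_OUTPUT" "$rules"
```

Run it with sh on the host after swapping the constructed sample for the real ip -4 addr show docker0 output, and pass the contents of /etc/arno-iptables-firewall/custom-rules to check_subnet before restarting the firewall. Note that the two FORWARD rules accept every forwarded packet entering or leaving docker0, so containers can reach any network the host can route to and any forwarded traffic can reach them; if that is wider than you intend, narrow those rules with -s/-d or a conntrack state match rather than relying on the blanket ACCEPT.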
Now, Docker containers should retain networking even after the firewall restarts.
This method integrates Docker networking directly into your firewall setup and avoids the need to restart Docker after every firewall reload.