Unix & Linux
networkmanager docker firewalld
Updated Wed, 15 Jun 2022 02:39:28 GMT

Can't add docker0 interface to trusted zone with firewalld


On CentOS 7 I want Docker containers to be able to reach the host, so I tried to add docker0 to the trusted zone:

# firewall-cmd --permanent --zone=trusted --add-interface=docker0
The interface is under control of NetworkManager and already bound to 'trusted'
The interface is under control of NetworkManager, setting zone to 'trusted'.
success
# firewall-cmd --get-zone-of-interface=docker0
no zone

This used to work, but not on this server, for whatever reason. I also tried firewall-cmd --reload; nothing. It's as if firewalld commands are completely ignored. That NetworkManager message seems suspicious; is it possible that firewalld and NetworkManager are in some kind of conflict?

Out of desperation I also tried nmcli connection modify docker0 connection.zone trusted, which correctly set ZONE=trusted in the interface config, but firewalld still shows that the interface is not in the trusted zone.

What is going on here?

Solution

From what I can tell, unless there's an interface using the trusted zone that's directly recognized by firewalld (i.e. eth0), the trusted zone isn't marked as active. In order to get around this, you can explicitly set the iptables rule with the following:

firewall-cmd --permanent --zone=trusted --add-interface=docker0
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 3 -i docker0 -j ACCEPT
firewall-cmd --reload
systemctl restart docker

The '3' here is where in your INPUT chain the rule will be inserted; your mileage may vary. After running those commands, I was able to access host ports from a container.
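Added example, not part of the original answer: a POSIX sh check that parses the output of `firewall-cmd --get-active-zones` and `firewall-cmd --direct --get-all-rules` to tell whether docker0 is actually bound to an active trusted zone and whether the direct ACCEPT rule from the answer is present. The two sample outputs are constructed, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --get-active-zones` output (not captured
# from a real host): docker0 is listed under the trusted zone.
ACTIVE_ZONES_SAMPLE='public
  interfaces: eth0
trusted
  interfaces: docker0'

# Constructed sample of `firewall-cmd --direct --get-all-rules` output.
DIRECT_RULES_SAMPLE='ipv4 filter INPUT 3 -i docker0 -j ACCEPT'

# Print the active zone whose "interfaces:" line lists the given interface,
# or "no zone" (the same wording firewalld uses). Reads the zone listing on stdin.
zone_of_interface() {
    awk -v iface="$1" '
        /^[^ \t]/ { zone = $1; next }          # unindented line = zone name
        /^[ \t]+interfaces:/ {
            for (i = 2; i <= NF; i++)
                if ($i == iface) { print zone; found = 1; exit }
        }
        END { if (!found) print "no zone" }'
}

# Succeed if a direct rule accepts INPUT on the given interface (any priority).
# Reads the direct rule listing on stdin.
has_direct_accept() {
    grep -Eq "^ipv4 filter INPUT [0-9]+ -i $1 -j ACCEPT\$"
}

# Decide whether the workaround from the answer is still needed.
# Prints "ok", "add-direct-rule" or "bind-zone" given the two listings.
check_docker0() {
    zone=$(printf '%s\n' "$1" | zone_of_interface docker0)
    if [ "$zone" != "trusted" ]; then
        echo "bind-zone"
    elif printf '%s\n' "$2" | has_direct_accept docker0; then
        echo "ok"
    else
        echo "add-direct-rule"
    fi
}

# Demo on the constructed samples. On a live host pass
#   "$(firewall-cmd --get-active-zones)" "$(firewall-cmd --direct --get-all-rules)"
check_docker0 "$ACTIVE_ZONES_SAMPLE" "$DIRECT_RULES_SAMPLE"
```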

Comments (1)

  • +0 – Three weeks later, after running the first command the docker0 interface magically appeared in the trusted zone. Perhaps something was messed up and a reboot solved the problem. The direct rule should be helpful though. — Dec 29, 2016 at 16:02