
install-docker duplicates ufw before rules on ufw restart #1

@andrewgdotcom

Description


The machines running Docker have this configuration in before.rules:

*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade outgoing traffic coming from the docker subnet
-A POSTROUTING -o eth0 -s 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -o zt0 -s 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -o zt1 -s 172.17.0.0/16 -j MASQUERADE
COMMIT

The problem is that when UFW is reloaded those rules will be duplicated in iptables:

groot@docker1 /tmp/ansible_siren_testdbs # ufw reload
Firewall reloaded
groot@docker1 /tmp/ansible_siren_testdbs # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  172.17.0.0/16        anywhere <---
MASQUERADE  all  --  172.17.0.0/16        anywhere <---
MASQUERADE  all  --  172.17.0.0/16        anywhere <---

Could be fixed by flushing postrouting if there are no additional nat rules outside of ufw.
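An added check (not part of the issue or the install-docker project) that makes the duplication visible in a scriptable way. It reads the machine-readable `iptables -t nat -S POSTROUTING` listing instead of the `-L` table above (which hides the `-o` interface unless you pass `-v`), counts rules that occur more than once, and runs that over two constructed listings: one matching the six MASQUERADE rules shown after the reload, and one showing what the chain looks like once before.rules flushes POSTROUTING before re-adding its rules, the fix the issue proposes. `check_live_postrouting` is an assumed helper for running the same check on a real host.

```shell
#!/bin/sh
# Added example, not from the issue or the install-docker project.
# Spot MASQUERADE rules that a `ufw reload` has appended a second time.

# Print each rule that appears more than once, as "<count> <rule>".
# Input: `iptables -S` output on stdin.
find_duplicate_rules() {
    grep '^-A ' | sort | uniq -c \
        | awk '$1 > 1 { c=$1; $1=""; sub(/^ /, ""); print c " " $0 }'
}

# Number of distinct rules that are duplicated (0 means the chain is clean).
count_duplicate_rules() {
    find_duplicate_rules | wc -l | tr -d ' '
}

# Constructed sample: what `iptables -t nat -S POSTROUTING` would print after
# the reload, matching the six MASQUERADE lines in the issue (the -o interface
# is shown here because -S, unlike -L, includes it).
SAMPLE_AFTER_RELOAD='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 -o zt0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 -o zt1 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 -o zt0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 -o zt1 -j MASQUERADE'

# Constructed sample: the same chain once the *nat section of before.rules
# carries a `-F POSTROUTING` line ahead of its `-A POSTROUTING ...` lines,
# so every reload starts from an empty chain.
SAMPLE_FIXED='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 -o zt0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 -o zt1 -j MASQUERADE'

dupes_after_reload() { printf '%s\n' "$SAMPLE_AFTER_RELOAD" | count_duplicate_rules; }
dupes_fixed()        { printf '%s\n' "$SAMPLE_FIXED" | count_duplicate_rules; }

# Assumed helper for a live host (needs root): exits non-zero if the nat
# POSTROUTING chain carries any duplicated rule.
check_live_postrouting() {
    n=$(iptables -t nat -S POSTROUTING | count_duplicate_rules)
    [ "$n" -eq 0 ]
}

printf 'duplicated rules after reload: %s\n' "$(dupes_after_reload)"   # 3
printf 'duplicated rules after fix:    %s\n' "$(dupes_fixed)"          # 0
```

The `-F POSTROUTING` line is safe only under the condition the issue states: nothing outside ufw (for example Docker's own MASQUERADE rule for docker0, if it manages the nat table on that host) must be relying on rules in that chain, because the flush removes them on every reload as well.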
