Debian: Installing docker broke my bridge interface!

by Zack Marvel
in linux

tagged linux, debian, docker

These are partly notes for myself, but I'll publish it in case it helps someone.

After installing Docker, I could no longer reach my VMs from outside the VM host (where I also wanted to run Docker).

My network configuration looks something like this:

...
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 74:d0:2b:93:28:a7 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 74:d0:2b:93:28:a7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.5/24 brd 192.168.88.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::76d0:2bff:fe93:28a7/64 scope link
       valid_lft forever preferred_lft forever
...
15: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:1b:e6:66:6c brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

I came across this helpful StackExchange answer: Docker breaks libvirt bridge network.

I saved my iptables config to a file so I could edit it:

sudo iptables-save > iptables.save

As the first FORWARD rule (before the line -A FORWARD -j DOCKER-USER), I added this line:

-A FORWARD -i br0 -o br0 -j ACCEPT

Then I did sudo iptables-restore < iptables.save. Then I could ping my VM!

I installed iptables-persistent so my changes to the rules would stick around after a reboot. It works!

Shortcomings

Looking at /etc/iptables/rules.v4, it looks like this incorporates the DOCKER rules into the persistent config. I assume that means, if I ever uninstall Docker, I'll have to remove them again by hand. Too bad, but at least I have a working Docker install!