Problem with iptables and Docker - rules not cleaned after stopping/removing containers from a stack
Some errors from the logs when starting/stopping Docker:
"WARN[2021-10-04T23:26:41.987687619+02:00] Running modprobe bridge br_netfilter failed with message: modprobe: invalid option -- 'a'
BusyBox v1.31.1 (2021-08-30 23:57:59 CST) multi-call binary.
Usage: modprobe [-rq] MODULE [SYMBOL=VALUE]...
-r Remove MODULE
-q Quiet
, error: exit status 1"
The modprobe command in ADM does not have this option:
-a, --all
Insert all module names on the command line.
Example:
# modprobe -a bridge br_netfilter
modprobe: invalid option -- 'a'
BusyBox v1.31.1 (2021-08-30 23:57:59 CST) multi-call binary.
Usage: modprobe [-rq] MODULE [SYMBOL=VALUE]...
-r Remove MODULE
-q Quiet
# modprobe --all bridge br_netfilter
modprobe: unrecognized option '--all'
BusyBox v1.31.1 (2021-08-30 23:57:59 CST) multi-call binary.
Usage: modprobe [-rq] MODULE [SYMBOL=VALUE]...
-r Remove MODULE
-q Quiet
"WARN[2021-10-04T23:26:42.022771064+02:00] Failed to find ip6tables: exec: "ip6tables": executable file not found in $PATH"
ADM does not have the ip6tables command.
How to test:
Log in to the root console and save the output of:
iptables -S
Redeploy, stop and start the stack in Portainer a few times, for example:
https://github.com/Wolvverine/internet- ... ompose.yml
and the result:
...
-A DOCKER -d 172.20.0.4/32 ! -i br-3e1a7e7fee54 -o br-3e1a7e7fee54 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.20.0.2/32 ! -i br-3e1a7e7fee54 -o br-3e1a7e7fee54 -p tcp -m tcp --dport 9097 -j ACCEPT
-A DOCKER -d 172.20.0.3/32 ! -i br-3e1a7e7fee54 -o br-3e1a7e7fee54 -p tcp -m tcp --dport 9798 -j ACCEPT
-A DOCKER -d 172.20.0.5/32 ! -i br-3e1a7e7fee54 -o br-3e1a7e7fee54 -p tcp -m tcp --dport 9115 -j ACCEPT
-A DOCKER -d 172.20.0.6/32 ! -i br-3e1a7e7fee54 -o br-3e1a7e7fee54 -p tcp -m tcp --dport 9100 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-aa0d50a6092c -o br-aa0d50a6092c -p tcp -m tcp --dport 9710 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9117 -j ACCEPT
-A DOCKER -d 172.22.0.2/32 ! -i br-5b1a513c3aec -o br-5b1a513c3aec -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-5fa73e8688b2 -o br-5fa73e8688b2 -p tcp -m tcp --dport 9710 -j ACCEPT
-A DOCKER -d 172.20.0.2/32 ! -i br-bb3cacfc58e8 -o br-bb3cacfc58e8 -p tcp -m tcp --dport 9100 -j ACCEPT
-A DOCKER -d 172.20.0.3/32 ! -i br-bb3cacfc58e8 -o br-bb3cacfc58e8 -p tcp -m tcp --dport 9115 -j ACCEPT
-A DOCKER -d 172.20.0.4/32 ! -i br-bb3cacfc58e8 -o br-bb3cacfc58e8 -p tcp -m tcp --dport 9798 -j ACCEPT
-A DOCKER -d 172.20.0.5/32 ! -i br-bb3cacfc58e8 -o br-bb3cacfc58e8 -p tcp -m tcp --dport 9097 -j ACCEPT
-A DOCKER -d 172.20.0.6/32 ! -i br-bb3cacfc58e8 -o br-bb3cacfc58e8 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.22.0.2/32 ! -i br-f7758c8405cd -o br-f7758c8405cd -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.23.0.2/32 ! -i br-68ec6ef1c805 -o br-68ec6ef1c805 -p tcp -m tcp --dport 9100 -j ACCEPT
-A DOCKER -d 172.23.0.3/32 ! -i br-68ec6ef1c805 -o br-68ec6ef1c805 -p tcp -m tcp --dport 9798 -j ACCEPT
-A DOCKER -d 172.23.0.4/32 ! -i br-68ec6ef1c805 -o br-68ec6ef1c805 -p tcp -m tcp --dport 9115 -j ACCEPT
-A DOCKER -d 172.23.0.5/32 ! -i br-68ec6ef1c805 -o br-68ec6ef1c805 -p tcp -m tcp --dport 9097 -j ACCEPT
-A DOCKER -d 172.23.0.6/32 ! -i br-68ec6ef1c805 -o br-68ec6ef1c805 -p tcp -m tcp --dport 3000 -j ACCEPT
...
The same situation occurs with Portainer and Docker-Compose.
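The test procedure above (save `iptables -S`, redeploy the stack a few times, compare) can be automated. The script below is an added example and is not part of the original post or of ADM/Docker: it takes the `iptables -S DOCKER` output and the list of interfaces in `/sys/class/net`, and prints every `-A DOCKER` rule whose `-o` bridge no longer exists on the host, plus the matching `iptables -D DOCKER ...` command to remove it. The function names (`stale_docker_rules`, `delete_commands`, `live_check`) are mine; the sample rules are copied from the post's output, and the sample interface list is a constructed assumption (a host where only `docker0` and `br-68ec6ef1c805` still exist).

```shell
#!/bin/sh
# Added example (not from the original post): spot DOCKER-chain rules that
# still point at a bridge interface which no longer exists on the host.
# The rule lines below are copied from the post's `iptables -S` output;
# the interface list is a constructed assumption.

# stale_docker_rules RULES IFACES
#   RULES  - text of `iptables -S DOCKER`, one rule per line
#   IFACES - whitespace-separated names of interfaces present on the host
# Prints every "-A DOCKER" rule whose "-o" interface is not in IFACES.
stale_docker_rules() {
    printf '%s\n' "$1" | awk -v ifaces="$2" '
        BEGIN {
            n = split(ifaces, a, " ")        # " " = split on any whitespace run
            for (i = 1; i <= n; i++) have[a[i]] = 1
        }
        /^-A DOCKER / {
            br = ""
            for (i = 1; i <= NF; i++) if ($i == "-o") { br = $(i + 1); break }
            if (br != "" && !(br in have)) print
        }'
}

# delete_commands RULES
# Turns each "-A DOCKER ..." line into the matching "iptables -D DOCKER ..."
# command. It only prints; review the list before running it as root.
delete_commands() {
    printf '%s\n' "$1" | sed -n 's/^-A DOCKER /iptables -D DOCKER /p'
}

# live_check: run on the ADM host as root. Needs only iptables and
# /sys/class/net (ADM has no ip6tables, so only IPv4 rules are covered).
live_check() {
    stale_docker_rules "$(iptables -S DOCKER)" "$(ls /sys/class/net)"
}

# Constructed sample: four rules from the post and a host that now only has
# docker0 and br-68ec6ef1c805 (the other two stacks were removed).
SAMPLE_RULES='-A DOCKER -d 172.20.0.4/32 ! -i br-3e1a7e7fee54 -o br-3e1a7e7fee54 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9117 -j ACCEPT
-A DOCKER -d 172.23.0.2/32 ! -i br-68ec6ef1c805 -o br-68ec6ef1c805 -p tcp -m tcp --dport 9100 -j ACCEPT
-A DOCKER -d 172.22.0.2/32 ! -i br-f7758c8405cd -o br-f7758c8405cd -p tcp -m tcp --dport 3000 -j ACCEPT'
SAMPLE_IFACES='lo eth0 docker0 br-68ec6ef1c805'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    stale="$(stale_docker_rules "$SAMPLE_RULES" "$SAMPLE_IFACES")"
    printf 'Stale DOCKER rules:\n%s\n\nTo remove them:\n' "$stale"
    delete_commands "$stale"
fi
```

Run it without arguments to see the sample result (the rules for `br-3e1a7e7fee54` and `br-f7758c8405cd` are reported, the two on existing bridges are not), or with `--live` as root on the NAS to check the real chain. A stale ACCEPT rule on a bridge that no longer exists matches no traffic, but the DOCKER chain keeps growing with every redeploy and becomes hard to audit, so it is worth deleting the leftovers or restarting the Docker daemon, which rebuilds the chain.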