I've been scratching my head about this for a full day now, and I'm hoping to get some pointers in the right direction.
From the host I can connect to the Internet just fine, but any container I start does not have connectivity.
When I run this script (172.217.170.174 is what google.com resolved to on that host):
#!/bin/bash
set -x
echo HOST
curl http://172.217.170.174/
echo CONTAINER
docker run --rm -ti --network bridge curlimages/curl curl -v http://172.217.170.174/
I get this result:
+ echo HOST
HOST
+ curl http://172.217.170.174/
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
+ echo CONTAINER
CONTAINER
+ docker run --rm -ti --network bridge curlimages/curl curl -v http://172.217.170.174/
* Trying 172.217.170.174:80...
* connect to 172.217.170.174 port 80 failed: Operation timed out
* Failed to connect to 172.217.170.174 port 80 after 131153 ms: Couldn't connect to server
* Closing connection 0
curl: (28) Failed to connect to 172.217.170.174 port 80 after 131153 ms: Couldn't connect to server
In other words, connecting to an external IP address works from the host but not from the container.
My iptables looks like this:
# Generated by iptables-save v1.8.7 on Tue Jun 6 00:02:11 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-a8eda64c0e60 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-a8eda64c0e60 -j DOCKER
-A FORWARD -i br-a8eda64c0e60 ! -o br-a8eda64c0e60 -j ACCEPT
-A FORWARD -i br-a8eda64c0e60 -o br-a8eda64c0e60 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-a8eda64c0e60 ! -o br-a8eda64c0e60 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-a8eda64c0e60 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Tue Jun 6 00:02:11 2023
# Generated by iptables-save v1.8.7 on Tue Jun 6 00:02:11 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-a8eda64c0e60 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-a8eda64c0e60 -j RETURN
COMMIT
# Completed on Tue Jun 6 00:02:11 2023
resolv.conf in the container (shouldn't matter since I'm connecting to an IP):
nameserver 8.8.8.8
nameserver 8.8.4.4
search .
I had just replaced this machine with a new one because the previous one started to do exactly this same thing a few weeks ago. I thought it had been broken by an update or something, because it had been there for seven years, so I had it replaced with a new one. I installed it on my desk in our office network and everything worked, but as soon as they put it in their network, this same thing happened again.
I've tried all the google results for "docker container has no internet" and variations and nothing has helped.
Are Docker containers even supposed to have an Internet connection through the default bridge network? It has always worked that way without my changing any Docker or network settings, but now I'm starting to doubt myself.
Any pointers for where I should look next?
Much appreciated.
Things I've tried:
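The script below is an added example, not part of the question above, of any answer to it, or of Docker's own tooling. It checks, offline, the three host-side conditions the default bridge needs before a container's SYN can leave the box: the per-bridge FORWARD accept and MASQUERADE rules that dockerd installs (the FORWARD DROP policy in the dump is also dockerd's doing and is the right default; the per-bridge rules are what carve container egress out of it), net.ipv4.ip_forward=1 so the kernel routes between docker0 and the uplink at all, and no upstream route that reuses the container subnet. The post's dump already contains the rules, so on that host the other two checks are the interesting ones. DUMP, ROUTES_OK and ROUTES_BAD are constructed inputs modelled on the post; the function names and the --live flag are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Offline checks for the host-side
# conditions the default bridge network needs for container egress.
# Function names, the --live flag and the sample inputs below are assumptions.

# Constructed sample: the lines from the post's iptables-save dump that matter
# for docker0 egress (FORWARD accept both ways, MASQUERADE on the way out).
DUMP='*filter
:FORWARD DROP [0:0]
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT'

# Constructed routing tables (ip route format). ROUTES_BAD has the container
# subnet also routed off-host, which is what a LAN that uses 172.17/16 looks like.
ROUTES_OK='default via 192.168.1.1 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10'
ROUTES_BAD='default via 192.168.1.1 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.17.0.0/16 via 192.168.1.1 dev eth0'

# check_docker_rules BRIDGE SUBNET DUMP
# Returns 0 when DUMP contains the three rules dockerd installs per bridge:
# new connections out of the bridge, replies back into it, and source NAT on
# the way out. With policy FORWARD DROP, a missing accept rule gives exactly
# the silent timeout in the post (no RST, curl waits until it gives up).
check_docker_rules() {
  local br="$1" subnet="$2" dump="$3"
  printf '%s\n' "$dump" | grep -qF -- "-A FORWARD -i $br ! -o $br -j ACCEPT" || return 1
  printf '%s\n' "$dump" | grep -qF -- \
    "-A FORWARD -o $br -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" || return 1
  printf '%s\n' "$dump" | grep -qF -- "-A POSTROUTING -s $subnet ! -o $br -j MASQUERADE" || return 1
  return 0
}

# check_ip_forward VALUE
# The FORWARD chain never sees a packet unless the kernel routes between
# interfaces; VALUE is the output of `sysctl -n net.ipv4.ip_forward`.
check_ip_forward() { [ "$1" = "1" ]; }

# has_route_conflict SUBNET BRIDGE ROUTES
# Returns 0 (true) when ROUTES has an exact-prefix route for SUBNET that does
# not go via BRIDGE, i.e. the upstream network reuses the container range.
# Exact prefix match only; overlapping but different prefixes are not detected.
has_route_conflict() {
  local subnet="$1" br="$2" routes="$3"
  printf '%s\n' "$routes" | awk -v s="$subnet" -v b="$br" \
    '$1 == s && index($0, "dev " b) == 0 { n++ } END { exit (n > 0) ? 0 : 1 }'
}

# Live mode: run the same checks against this host. Needs root for iptables-save.
if [ "${1:-}" = "--live" ]; then
  if check_ip_forward "$(sysctl -n net.ipv4.ip_forward)"; then
    echo "ip_forward: ok"
  else
    echo "ip_forward: DISABLED (sysctl -w net.ipv4.ip_forward=1, then restart docker)"
  fi
  if check_docker_rules docker0 172.17.0.0/16 "$(iptables-save)"; then
    echo "docker0 rules: ok"
  else
    echo "docker0 rules: MISSING (restart docker, or look for a firewall tool flushing them)"
  fi
  if has_route_conflict 172.17.0.0/16 docker0 "$(ip route)"; then
    echo "routes: CONFLICT, 172.17.0.0/16 is also routed off-host"
  else
    echo "routes: ok"
  fi
fi
```

Run it with --live as root on the affected host. If all three checks come back ok, the next step is to watch the SYN itself: `tcpdump -ni docker0 port 80` while the container curl runs, then the same on the uplink interface, to see whether the packet is forwarded at all and whether its source address has been translated to the host's.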