- Red Hat Enterprise Linux (RHEL) 8
- Network connections to containers are dropped and thus cannot be reached.
- The general iptables policy for the FORWARD chain of the filter table is set to
As the first step, add the rules described below to your runtime configuration with:
# iptables -I CNI-FORWARD 1 -o cni-podman0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -I CNI-FORWARD 2 -o cni-podman0 -j ACCEPT
# iptables -I CNI-FORWARD 3 -i cni-podman0 ! -o cni-podman0 -j ACCEPT
# iptables -I CNI-FORWARD 4 -i cni-podman0 -o cni-podman0 -j ACCEPT
Test if containers can now be reached.
Make the change permanent by editing the /etc/sysconfig/iptables file. Add the following to the filter table between its starting definition, i.e. *filter, and before its
:CNI-FORWARD - [0:0]
-A CNI-FORWARD -o cni-podman0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A CNI-FORWARD -o cni-podman0 -j ACCEPT
-A CNI-FORWARD -i cni-podman0 ! -o cni-podman0 -j ACCEPT
-A CNI-FORWARD -i cni-podman0 -o cni-podman0 -j ACCEPT
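As an added example, not part of the Red Hat solution, the following POSIX shell check reads an iptables-save style dump of the filter table, reports the FORWARD chain policy, and lists which of the four CNI-FORWARD rules above are absent. The dump embedded below is constructed for the example (its FORWARD policy of DROP is an assumption, not a value stated on this page); on a real host you would feed the check the output of `iptables-save -t filter` instead. The bridge name cni-podman0 is taken from the rules above.

```shell
#!/bin/sh
# Added example: verify the forwarding setup described in the solution.
# Not the solution's own code; the sample dump below is constructed.

BRIDGE="cni-podman0"   # podman CNI bridge name used by the rules on the page

# forward_policy DUMP -> prints the policy of the FORWARD chain in *filter
forward_policy() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = $1 }
        table == "*filter" && $1 == ":FORWARD" { print $2; exit }'
}

# missing_cni_rules DUMP -> prints each expected CNI-FORWARD rule not in DUMP
missing_cni_rules() {
    dump="$1"
    for rule in \
        "-A CNI-FORWARD -o $BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "-A CNI-FORWARD -o $BRIDGE -j ACCEPT" \
        "-A CNI-FORWARD -i $BRIDGE ! -o $BRIDGE -j ACCEPT" \
        "-A CNI-FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT"
    do
        # exact whole-line match; "--" keeps the leading "-A" from being read as an option
        printf '%s\n' "$dump" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
    done
}

# Constructed sample (assumption): a filter table whose FORWARD policy was
# changed to DROP and whose CNI-FORWARD chain only carries the conntrack rule.
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:CNI-FORWARD - [0:0]
-A FORWARD -j CNI-FORWARD
-A CNI-FORWARD -o cni-podman0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# On a live host: DUMP=$(iptables-save -t filter); here the constructed sample is used.
DUMP="$SAMPLE"
policy=$(forward_policy "$DUMP")
if [ "$policy" != "ACCEPT" ]; then
    echo "FORWARD policy is $policy: container traffic needs explicit CNI-FORWARD rules."
    echo "Rules still missing from the CNI-FORWARD chain:"
    missing_cni_rules "$DUMP"
else
    echo "FORWARD policy is ACCEPT; no extra CNI-FORWARD rules are required."
fi
```

Running the check after applying the iptables -I commands above, and again after a reboot, confirms both that the runtime rules are in place and that the /etc/sysconfig/iptables edit actually survived the restore.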
The iptables filter table FORWARD chain policy Red Hat ships is set to ACCEPT, which allows access to containers. Thus, this is a custom configuration implemented by system administration.
With this configuration, access to containers must be granted in iptables by deploying custom forwarding rules when the default FORWARD policy has been set to anything other than ACCEPT.
- Red Hat Enterprise Linux
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.