8

I have a CentOS 7 server which was running happily for 600+ days until it was rebooted recently, after which incoming web requests were receiving HTTP523 (Origin Is Unreachable) error codes (via Cloudflare, if that makes a difference?) unless I stopped the firewalld service. Things run fine without firewalld, but I'd rather not leave it disabled!

I've tried stopping docker and firewalld and restarting them in various sequences, but the same 523 error occurs unless I stop firewalld.

/var/log/firewalld contains a few warnings that might help:

  • WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-8acb606a3b50 -o br-8acb606a3b50 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
  • WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
  • WARNING: AllowZoneDrifting is enabled. This is considered a n insecure configuration option. It will be removed in a future release. Please consider disabling it now.
  • WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target 'DOCKER':No such file or directory
  • WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
  • WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?)
  • WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -F DOCKER' failed: iptables: No chain/target/match by that name.

I've found seemingly conflicting advice around the place regarding any manual configuration/commands required:

  1. firewall-cmd --permanent --zone=trusted --add-interface=docker0 on a CentOS forum
  2. firewall-cmd --zone=trusted --remove-interface=docker0 --permanent on the offical Docker docs -- surely that's the opposite of the above?
  3. a bunch of manual firewall-cmd commands on a Docker github issue -- surely all of that isn't required?
  4. this one looks promising -- nmcli, NetworkManager and firewall-cmd --permanent --zone=trusted --change-interface=docker0

I don't fully understand where the br-8acb606a3b50 interface comes from, or whether I need to do anything to configure it as well as docker0 if I use a solution like 4. above? It was all working fine automatically for years until the reboot!

Are some magic firewalld incantations now required (and why?!) or is there some way I can get the system to get back into the correct auto/default configuration it was in prior to rebooting?

$ docker -v
Docker version 20.10.5, build 55c4c88
$ firewall-cmd --version
0.6.3
$ firewall-cmd --get-zones
block dmz docker drop external home internal public trusted work
DrMeers
  • 4,117
  • 2
  • 36
  • 38
  • 1
    What is the CentOS minor version? There was a bug in 7.2, 7.3 which was fixed at some point after 7.4. Here is the explanation and possible fixes [1](https://github.com/moby/moby/issues/16137#issuecomment-271615192) [2](https://github.com/firewalld/firewalld/issues/195#issuecomment-273266234) – anemyte Mar 25 '21 at 06:38
  • `/etc/redhat-release` says `CentOS Linux release 7.9.2009 (Core)` – DrMeers Mar 25 '21 at 06:48
  • 1
    Strange then. The symptoms look similar to those described in the solution 4. When running Docker along with `firewalld` it should add all its interfaces ('docker0', 'br-8acb606a3b50', etc.) to the 'docker' firewalld zone. You do have the zone but somehow there is still no DOCKER chain in iptables ('No chain/target/match by that name'). Let's see where is the 'docker0' interface: `firewall-cmd --get-zone-of-interface=docker0` – anemyte Mar 25 '21 at 07:19
  • `firewall-cmd --get-zone-of-interface=docker0`: `no zone` – DrMeers Mar 25 '21 at 08:56
  • 1
    Okey, two last things: `nmcli connection show docker0 | grep zone` and `ls /etc/sysconfig/network-scripts/ifcfg-*`. If the first returns nothing and in the second you see no `docker0`, I suggest you with the solution 4. – anemyte Mar 25 '21 at 09:14
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/230358/discussion-between-drmeers-and-anemyte). – DrMeers Mar 25 '21 at 09:24

2 Answers2

9

To recap the chat investigation, this particular problem wasn't related to Docker and containers. The problem was in firewalld not having rules for NGINX running as a proxy for containers on the host. The solution was to add permanent firewalld rules for HTTP and HTTPS traffic:

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

Warning messages like this one:

WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-8acb606a3b50 -o br-8acb606a3b50 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?)

... can appear during normal operation, when Docker attempts to delete a rule without checking its existence first. In other words, containers can be running smoothly even when there are warnings like this.

anemyte
  • 17,618
  • 1
  • 24
  • 45
1

I had some similar problems with Podman and for me i had to upgrade from Debian 9 to Debian 10 in order to fix it, because of the way firewalld handles iptables vs nftables.

entomologyx
  • 11
  • 1