Container can not be accessed by another Docker host

[qianzhangxa]

Hi,

I have two hosts which have Docker (1.13.0) integrated with Flannel (0.5.5):

host1: eth0/192.168.5.1, flannel0/10.1.89.0, docker0/10.1.89.1
host2: eth0/192.168.5.2, flannel0/10.1.69.0, docker0/10.1.69.1

There is a container running on host1 whose IP is 10.1.89.2, I can ping it from host1, but I can not ping it from host2 or from any containers in host2.

Here is the output of tcpdump in host1 when I ping 10.1.89.2 from host2:

# tcpdump -nni eth0 host 192.168.5.1 and 192.168.5.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:07:19.207158 IP 192.168.5.2.8285 > 192.168.5.1.8285: UDP, length 84
22:07:20.207372 IP 192.168.5.2.8285 > 192.168.5.1.8285: UDP, length 84
22:07:21.207464 IP 192.168.5.2.8285 > 192.168.5.1.8285: UDP, length 84
...

# tcpdump -nni flannel0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on flannel0, link-type RAW (Raw IP), capture size 262144 bytes
22:09:14.556410 IP 10.1.69.0 > 10.1.89.2: ICMP echo request, id 19788, seq 4, length 64
22:09:15.556218 IP 10.1.69.0 > 10.1.89.2: ICMP echo request, id 19788, seq 5, length 64
22:09:16.556210 IP 10.1.69.0 > 10.1.89.2: ICMP echo request, id 19788, seq 6, length 64

And there is no any output of tcpdump -nni docker0 icmp. So it seems the packets were not delivered from flannel0 to docker0 in host1.

Any ideas about what's wrong in my environment? Thanks!

[adaiguoguo]

sudo iptables -P FORWARD ACCEPT fix this.
Docker change log

[qianzhangxa]

It works, thanks @adaiguoguo !!!

[intsilence]

Same problem here, worked with @adaiguoguo , thanks very much!

[lklkxcxc]

我也碰到了原来是这个问题已解决。

[cmingxu]

works for me, should save my hours if saw this earlier, great!

[uplogin]

Thank you very much @adaiguoguo
It works