@@ -127,3 +127,39 @@ ACCEPT tcp -- 172.17.0.3 172.17.0.2 tcp dpt:80
127127
128128to another should always appear to be originating from the first container's own
129129IP address.
130+
131+ ## Container communication between hosts
132+
133+ For security reasons, Docker configures the ` iptables ` rules to prevent containers
134+ from forwarding traffic from outside the host machine, on Linux hosts. Docker sets
135+ the default policy of the ` FORWARD ` chain to ` DROP ` .
136+
137+ To override this default behavior you can manually change the default policy:
138+
139+ ``` bash
140+ $ sudo iptables -P FORWARD ACCEPT
141+ ```
142+ The ` iptables ` settings are lost when the system reboots. If you want
143+ the change to be permanent, refer to your Linux distribution's documentation.
144+
145+ > ** Note** : In Docker 1.12 and earlier, the default ` FORWARD ` chain policy was
146+ > ` ACCEPT ` . When you upgrade to Docker 1.13 or higher, this default is
147+ > automatically changed for you.
148+ >
149+ > If you had a previously working configuration with multiple containers
150+ > spanned over multiple hosts, this change may cause the existing setup
151+ > to stop working if you do not intervene.
152+
153+ ### Why would you need to change the default ` DROP ` to ` ACCEPT ` ?
154+
155+ Suppose you have two hosts and each has the following configuration
156+
157+ ``` none
158+ host1: eth0/192.168.7.1, docker0/172.17.0.0/16
159+ host2: eth0/192.168.8.1, docker0/172.18.0.0/16
160+ ```
161+ If the container running on ` host1 ` needs the ability to communicate directly
162+ with a container on ` host2 ` , you need a route from ` host1 ` to ` host2 ` . After
163+ the route exists, ` host2 ` needs to be able to accept packets destined for its
164+ running container, and forward them along. Setting the policy to ` ACCEPT `
165+ accomplishes this.
0 commit comments