The following commands are essential to allow Docker containers to communicate properly with the external network when using firewalld as the system firewall:
sudo firewall-cmd --add-masquerade --permanent
sudo firewall-cmd --reload
sudo systemctl restart docker
Command:
sudo firewall-cmd --add-masquerade --permanent
Why it's needed:
* Docker uses internal virtual networks for containers
* Containers have private IP addresses (typically in the 172.17.0.0/16 range)
* Masquerade (NAT, Network Address Translation) enables traffic from those private addresses to leave the host using the host's own address, so that replies from the outside network can be routed back to the right container
Analogy: Like a post office that receives mail for apartments in a building and delivers it to the correct recipients.
Command:
sudo firewall-cmd --reload
Why it's needed:
* Applies configuration changes made with the --permanent option
* Firewall rules become immediately active
* Ensures settings persist after reboot
Command:
sudo systemctl restart docker
Why it's needed:
* Docker needs to detect the new firewall rules
* Reloads the network configuration
* Ensures new containers will benefit from the updated settings
Symptoms when masquerade is not enabled:
* Containers cannot access the internet
* Services in containers are not accessible from outside
* Network connections fail
* Port forwarding doesn't work correctly
After running these commands, you can run:
docker run -p 80:80 nginx
And the nginx server will be accessible from your network at: http://host-ip-address
To verify that masquerade is enabled:
firewall-cmd --query-masquerade
Should return yes.
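A slightly deeper check than the single query above, added here as an example (not part of the original page): it verifies masquerade for a zone in both the runtime and the permanent configuration, so it can tell whether --add-masquerade --permanent or --reload is the step still missing. It assumes firewall-cmd is available (set FIREWALL_CMD='sudo firewall-cmd' when not running as root) and defaults to firewalld's default zone, which is the zone the page's command modifies; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the page's own script. Checks firewalld masquerade for a
# zone in BOTH runtime and permanent config and reports what is still missing.
# Assumes firewall-cmd exists; override with FIREWALL_CMD='sudo firewall-cmd'.

# query_masquerade ZONE [permanent]: wraps `firewall-cmd --query-masquerade`;
# exit status 0 means "yes", 1 means "no" (firewall-cmd's own convention).
query_masquerade() {
  zone="$1"
  if [ "${2:-}" = permanent ]; then
    ${FIREWALL_CMD:-firewall-cmd} --zone="$zone" --query-masquerade --permanent
  else
    ${FIREWALL_CMD:-firewall-cmd} --zone="$zone" --query-masquerade
  fi
}

# check_masquerade ZONE: returns 0 when masquerade is active now and will
# survive a reboot; otherwise reports the missing step and returns
# 1 = permanent config missing, 2 = runtime missing (no reload yet), 3 = both.
check_masquerade() {
  zone="$1"; status=0
  if ! query_masquerade "$zone" permanent >/dev/null 2>&1; then
    echo "zone '$zone': masquerade missing from permanent config" \
         "(run: firewall-cmd --zone=$zone --add-masquerade --permanent)" >&2
    status=$((status + 1))
  fi
  if ! query_masquerade "$zone" runtime >/dev/null 2>&1; then
    echo "zone '$zone': masquerade not active at runtime" \
         "(run: firewall-cmd --reload, then systemctl restart docker)" >&2
    status=$((status + 2))
  fi
  return "$status"
}

# main [ZONE]: zone defaults to firewalld's default zone, the one that
# `firewall-cmd --add-masquerade --permanent` (without --zone) modifies.
main() {
  zone="${1:-$(${FIREWALL_CMD:-firewall-cmd} --get-default-zone)}" || return 4
  if check_masquerade "$zone"; then
    echo "zone '$zone': masquerade enabled (runtime and permanent)"
  else
    return $?
  fi
}

# Run only when the firewalld CLI is present, so the functions can be sourced too.
if command -v ${FIREWALL_CMD:-firewall-cmd} >/dev/null 2>&1; then main "$@"; fi
```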
* These settings are only needed if you use firewalld
* On systems with direct iptables, Docker manages rules automatically
* Settings are persistent due to the --permanent option