Some time ago, I ran into a rather frustrating issue. On my Ubuntu Desktop 24.04, I had a perfectly running LXD container with AdGuard Home DNS inside it. Everything was working smoothly — fast browsing, and DNS filtering functioning flawlessly.

However, after installing Docker, browsing suddenly stopped working. Upon investigation, it turned out the issue was with the LXD container running AdGuard Home DNS, which could no longer connect to the internet.

Cause of the Problem

When Docker is installed and started, it automatically configures iptables. One of these changes is setting the default FORWARD chain policy to DROP.

Check it with:

sudo iptables -L -n

The result:

Chain FORWARD (policy DROP)

Why is this a problem?

Because the LXD container requires routing and packet forwarding capabilities to access the internet and function as a DNS gateway. If the FORWARD policy is set to DROP, all packets that need to be forwarded to or from the container will be blocked.

Temporary Solution: Change FORWARD Policy to ACCEPT

I tried changing the policy:

sudo iptables -P FORWARD ACCEPT

The result was immediate — the AdGuard Home LXD container was back online, and browsing worked again. Unfortunately, this is only a temporary solution. Once the server reboots or Docker restarts, the policy will revert to DROP.

Permanent Solution: Prevent Docker from Changing the FORWARD Policy

To keep the policy as ACCEPT even after a server restart:

sudo apt install iptables-persistent -y
sudo iptables -P FORWARD ACCEPT
sudo netfilter-persistent save

This way, on every boot, iptables will load the last saved rules.

Routing for LXD also requires IP forwarding to be enabled in the kernel (run the append only once, or the line ends up duplicated in sysctl.conf):

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

The problem is that every time Docker starts, it can still reset the FORWARD policy to DROP.
To work around that, we can create a systemd override that applies the policy before Docker fully starts.

Create the override file:

sudo systemctl edit docker.service

Add the following:

[Service]
ExecStartPre=/usr/sbin/iptables -P FORWARD ACCEPT

Reload and restart Docker:

sudo systemctl daemon-reexec
sudo systemctl restart docker

Summary

  • Problem: After installing Docker on Ubuntu 24.04, the LXD container (AdGuard Home DNS) lost internet access because the iptables FORWARD policy was changed to DROP.
  • Cause: Docker automatically modifies iptables rules as part of its default security setup.
  • Permanent solution: Use iptables-persistent and a systemd override to keep the FORWARD policy as ACCEPT.

With this configuration, the LXD container can continue functioning as a DNS gateway even after Docker is installed and running.