If Docker uses custom bridge networks (e.g., br-XXXX) instead of docker0, CSF needs to be configured to avoid conflicts.
1. Identify Active Docker Bridge(s)
Find your active Docker bridge interfaces (starting with br- and in UP state with 172.x.x.x IPs):
ip a
2. Configure CSF
Edit csf.conf:
nano /etc/csf/csf.conf
Set DOCKER_DEVICE to your active Docker bridge(s) (comma-separated if more than one). Remove docker0 if it’s not in use.
# Example with more than one bridge: "br-abc,br-xyz"
DOCKER_DEVICE = "br-61fa586ddd3a"
Add the same bridge(s) to ETH_DEVICE_SKIP to prevent CSF from interfering with Docker’s traffic management:
# Same as DOCKER_DEVICE
ETH_DEVICE_SKIP = "br-61fa586ddd3a"
Save and exit.
3. Allow Docker Network in csf.allow
Ensure the Docker bridge’s subnet is permitted (e.g., 172.18.0.0/16 for br-61fa586ddd3a):
echo "172.18.0.0/16 # Docker bridge network" >> /etc/csf/csf.allow
# Also ensure 127.0.0.1 is in csf.allow
4. Restart Services in Order
This order is crucial to prevent iptables conflicts:
- Stop all Docker containers:
docker stop $(docker ps -aq)
- Restart CSF:
csf -r
- Restart Docker service:
systemctl restart docker
- Start your Docker containers:
docker compose up -d
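Steps 1 to 3 can be derived from the interface list instead of read off by eye. The script below is an added example, not part of the original guide or of CSF: it assumes the brief output of `ip -br -4 addr show` (iproute2), and the function names and the sample interface list are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ip -br -4 addr show` output (not taken from a real host).
SAMPLE_IP_OUTPUT='lo               UNKNOWN        127.0.0.1/8
eth0             UP             203.0.113.10/24
docker0          DOWN           172.17.0.1/16
br-61fa586ddd3a  UP             172.18.0.1/16
br-0123456789ab  UP             172.19.5.1/24
br-deadbeef0000  DOWN           172.20.0.1/16'

# stdin: `ip -br -4 addr show` output. stdout: "<bridge> <network>/<prefix>" for
# each br-* interface that is UP, with the host address masked to its network.
bridge_subnets() {
  awk '$1 ~ /^br-/ && $2 == "UP" && $3 ~ /^[0-9.]+\/[0-9]+$/ {
    split($3, p, "/"); split(p[1], o, "."); net = ""; sep = ""
    for (i = 1; i <= 4; i++) {
      bits = p[2] - 8 * (i - 1)          # prefix bits that fall in this octet
      if (bits < 0) bits = 0
      if (bits > 8) bits = 8
      block = 2 ^ (8 - bits)             # size of the host part in this octet
      net = net sep int(o[i] / block) * block; sep = "."
    }
    print $1, net "/" p[2]
  }'
}

# stdin: bridge_subnets output. stdout: the two csf.conf lines from step 2.
csf_conf_lines() {
  awk '{ names = names sep $1; sep = "," }
    END {
      if (names == "") exit 1            # no active custom bridge was found
      printf "DOCKER_DEVICE = \"%s\"\nETH_DEVICE_SKIP = \"%s\"\n", names, names
    }'
}

# $1: path to csf.allow. stdin: bridge_subnets output. stdout: step 3 lines for
# subnets that are not yet the first field of any line in that file.
missing_allow_lines() {
  while read -r name cidr; do
    awk -v c="$cidr" '$1 == c { f = 1 } END { exit !f }' "$1" 2>/dev/null ||
      echo "$cidr # Docker bridge network $name"
  done
}

# Live use: ip -br -4 addr show | bridge_subnets | csf_conf_lines
printf '%s\n' "$SAMPLE_IP_OUTPUT" | bridge_subnets | csf_conf_lines
```

Appending only the output of `missing_allow_lines /etc/csf/csf.allow` keeps repeated runs from adding duplicate entries to csf.allow.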