# [SOLVED] Docker containers unable to connect to the internet

11 messages · Page 1 of 1 (latest)

raven coyote
#

I've spent the better part of last week troubleshooting my Docker installation. For reference, I have set up Unbound + dnscrypt to handle my DNS with DNSSEC (though I did so after experiencing my main issue, but I'm adding it here in case that may help or hinder my problem).

I attempted running the container for an app called silverbullet, by using docker compose, and I realized when trying to install a plugin for the app that the container can't reach the internet. I then also realized that the containers did, in fact, reach the internet if I ran 'sudo nft flush ruleset', but of course having 0 firewall rules doesn't seem like the brightest idea. I have tried a bunch of stuff, from adding a masquerade rule to the docker zone, to adding ip-masq: true in the daemon.json file (which, btw, did not activate the ip-masquerading in the bridge network). I tried creating a custom bridge with ip masquerading active and connecting a container to that network, but still, no connection. (I did use an AI assistant, which gave me most of these suggestions, so there's that.)

I'll add that systemd-resolved, systemd-networkd and firewalld are all active; idk if having them all active may cause issues or clash in their configurations. I'd really appreciate any help with this matter.

orchid yew
#

Append "iptables": false to /etc/docker/daemon.json and restart the docker service. You will now just need to manually configure firewalld to allow masquerade for the docker0 net interface. Just assign docker0 to your trusted zone and enable masquerade for that zone.

raven coyote
#

I have set iptables to false already, as well as firewall-backend to nftables (I think it's called firewall-backend). I'll try to add the masquerade rule once I'm home and get back to you.

orchid yew
#

sudo firewall-cmd --permanent --zone=trusted --add-interface=docker0 && sudo firewall-cmd --permanent --zone=trusted --add-masquerade && sudo firewall-cmd --reload

raven coyote
#

The docker daemon fails to start after those commands:

may 11 17:57:13 rommel-linux dockerd[1088]: time="2026-05-11T17:57:13.015859172-06:00" level=info msg="Firewalld: docker zone already exists, returning"
may 11 17:57:13 rommel-linux dockerd[1088]: time="2026-05-11T17:57:13.052948901-06:00" level=warning msg="Failed to clean firewalld rules for bridge network" error="firewalld: interface \"docker0\" not found in docker zone"
may 11 17:57:13 rommel-linux dockerd[1088]: time="2026-05-11T17:57:13.054815293-06:00" level=warning msg="could not create bridge network for id 95af587afedfeb9dc5d136b932fa7573f18b98582e1ae3509c3e59bc293856e4 bridge name docker0 while booting up from persistent state: ZONE_CONFLICT: 'docker0' already bound to 'trusted'"
may 11 17:57:13 rommel-linux dockerd[1088]: time="2026-05-11T17:57:13.086585388-06:00" level=warning msg="Failed to clean firewalld rules for bridge network" error="firewalld: interface \"docker0\" not found in docker zone"
may 11 17:57:13 rommel-linux dockerd[1088]: time="2026-05-11T17:57:13.087483310-06:00" level=info msg="stopping event stream following graceful shutdown" error="<nil>" module=libcontainerd namespace=moby
may 11 17:57:13 rommel-linux dockerd[1088]: time="2026-05-11T17:57:13.087663399-06:00" level=info msg="Daemon shutdown complete" error="failed to start daemon: Error initializing network controller: error creating default \"bridge\" network: ZONE_CONFLICT: 'docker0' already bound to 'trusted'"
may 11 17:57:13 rommel-linux dockerd[1088]: failed to start daemon: Error initializing network controller: error creating default "bridge" network: ZONE_CONFLICT: 'docker0' already bound to 'trusted'
may 11 17:57:13 rommel-linux systemd[1]: docker.service: Main process exited, code=exited, status=1/FAILURE
orchid yew
raven coyote
#

Would the error resurface upon a system reboot/restart or if the docker service restarts? Or rather, would I have to manually move the docker0 interface every time?

raven coyote
#

I have already done sudo firewall-cmd --permanent --zone=docker --remove-interface=docker0 && sudo firewall-cmd --permanent --zone=trusted --add-interface=docker0 && sudo firewall-cmd --reload; however, there is still no connectivity, and after a reboot, docker was stuck on failed and wouldn't even start unless I reverted docker0 to the docker zone.

raven coyote
#

SOLVED

Docker compose was starting containers on their own networks, instead of the default 172.17.0.2, so I added a firewall rule to allow traffic for "br-*" interfaces and now there is full connectivity for all containers
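The fix above hinges on a detail that is easy to miss: every docker compose project gets its own user-defined bridge network, and Docker names the backing Linux interface "br-" followed by the first 12 hex characters of the network ID (only the default network is pinned to docker0 via the com.docker.network.bridge.name option). With "iptables": false in daemon.json, nothing binds those br-* interfaces to a firewalld zone, so their traffic is never masqueraded. The script below is an added example written for this thread, not code from the forum or from Docker: it parses the JSON that `docker network inspect` prints, derives each bridge interface name, reports which bridges are not yet bound to the docker zone, and generates the firewall-cmd calls that bind and masquerade them. The sample JSON is constructed for the example; the first entry reuses the default-bridge network ID from the dockerd log earlier in this thread, the second is an invented compose network with an invented ID.

```python
"""Map Docker bridge networks to their Linux interfaces and generate firewalld bindings.

Intended for a host where Docker runs with "iptables": false so firewalld (nftables
backend) owns the rules. Feed it the output of:
    docker network inspect $(docker network ls -q)
"""
import json
import sys
from typing import List, Optional, Tuple

# Constructed sample of `docker network inspect` output (not captured from a real host).
# Entry 1: the default bridge, ID taken from the dockerd log in this thread.
# Entry 2: an invented compose project network ("<project>_default") with an invented ID.
# Entry 3: the host network, which has no bridge and must be skipped.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "bridge",
        "Id": "95af587afedfeb9dc5d136b932fa7573f18b98582e1ae3509c3e59bc293856e4",
        "Driver": "bridge",
        "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
        "Options": {"com.docker.network.bridge.name": "docker0"},
    },
    {
        "Name": "silverbullet_default",
        "Id": "3f9c1d2e4b5a6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d",
        "Driver": "bridge",
        "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]},
        "Options": {},
    },
    {
        "Name": "host",
        "Id": "0a0b0c0d0e0f1a1b1c1d1e1f2a2b2c2d2e2f3a3b3c3d3e3f4a4b4c4d4e4f5a5b",
        "Driver": "host",
        "IPAM": {"Config": []},
        "Options": {},
    },
])


def bridge_interface(network: dict) -> Optional[str]:
    """Return the Linux interface backing a Docker network, or None if it has no bridge."""
    if network.get("Driver") != "bridge":
        return None
    opts = network.get("Options") or {}
    # Docker honours an explicit bridge name (the default network uses docker0) and
    # otherwise names the interface "br-" + the first 12 hex chars of the network ID.
    return opts.get("com.docker.network.bridge.name") or "br-" + network["Id"][:12]


def docker_bridges(inspect_json: str) -> List[Tuple[str, str, List[str]]]:
    """Parse inspect output into (network name, interface, subnets) for bridge networks."""
    result = []
    for net in json.loads(inspect_json):
        iface = bridge_interface(net)
        if iface is None:
            continue
        subnets = [c["Subnet"] for c in net.get("IPAM", {}).get("Config", []) if "Subnet" in c]
        result.append((net["Name"], iface, subnets))
    return result


def missing_bridges(inspect_json: str, zone_interfaces: str) -> List[str]:
    """Return bridge interfaces absent from `firewall-cmd --zone=docker --list-interfaces` output."""
    bound = set(zone_interfaces.split())
    return [iface for _name, iface, _subnets in docker_bridges(inspect_json) if iface not in bound]


def firewalld_commands(inspect_json: str, zone: str = "docker") -> List[str]:
    """Build the firewall-cmd calls that bind every bridge to `zone` and masquerade the zone."""
    cmds = [
        f"firewall-cmd --permanent --zone={zone} --add-interface={iface}"
        for _name, iface, _subnets in docker_bridges(inspect_json)
    ]
    cmds.append(f"firewall-cmd --permanent --zone={zone} --add-masquerade")
    cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    # Pipe real inspect output in; with no stdin the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, iface, subnets in docker_bridges(data):
        print(f"# {name}: {iface} {' '.join(subnets)}")
    print("\n".join(firewalld_commands(data)))
```

The zone is "docker" rather than "trusted" on purpose: the ZONE_CONFLICT lines in the dockerd log above show that the daemon refuses to start while docker0 is bound elsewhere, so binding the br-* interfaces alongside docker0 in the zone Docker itself created avoids that failure. Because each new compose project creates a new br-* interface, re-run the script after `docker compose up` for a new project; the `missing_bridges` check against `firewall-cmd --zone=docker --list-interfaces` tells you whether anything is left unbound. Binding a bridge to a masquerading zone only gives containers outbound access; it does not open published ports towards the LAN, which stays under your firewalld policy.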