...
Since version 17 of Docker, the following entry needs to be added to the iptables policy on the host that is running the containers:
```
sudo iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```
This sets the “maximum segment size” (MSS) value of a TCP SYN packet when it initiates a connection, as part of “path MTU” negotiation. It is intended to get past the problem of blocked “ICMP type 3 code 4” packets: the “Don’t fragment” flag is set on an IP packet, the packet is too large, and the router/host that sent the original packet never receives the ICMP type 3 code 4 message telling it to resend the “too large” packet at a smaller size. This is often an issue when using tunnelling or “packet sleeving”, and with GRE and IPsec packets as well.
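Because `-I` inserts a new copy of the rule every time it runs, a boot or deployment script should check for the rule first. The following is an added example, not part of the original page; the function names and the `IPT` override variable are hypothetical helpers introduced here.

```shell
#!/bin/sh
# Added example: apply the MSS clamp from this page idempotently.
# IPT names the iptables command. It is an override of this example only
# (e.g. IPT="sudo iptables"), not a Docker or iptables setting.
IPT="${IPT:-iptables}"

# The rule specification exactly as given on this page.
mss_rule() {
    echo "FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Insert the clamp only if `iptables -C` (check) reports it is missing, so
# re-running the script does not stack duplicate rules in the FORWARD chain.
# Prints "present", "added" or "failed"; returns non-zero if the insert fails.
ensure_mss_clamp() {
    # Word splitting of $IPT and the rule spec is intended here.
    if $IPT -C $(mss_rule) 2>/dev/null; then
        echo present
    elif $IPT -I $(mss_rule); then
        echo added
    else
        echo failed
        return 1
    fi
}

# Count clamp rules in `iptables -S FORWARD` output read from stdin.
# A result above 1 means an earlier script ran `-I` more than once.
count_mss_clamps() {
    grep -c -- '-j TCPMSS --clamp-mss-to-pmtu' || true
}
```

Run `ensure_mss_clamp` as root, then `iptables -S FORWARD | count_mss_clamps` to confirm exactly one clamp rule is in place.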
Docker Compose
The aforementioned fix does not necessarily apply when using Docker Compose. To apply the MTU fix when using Docker Compose, please refer to the following article.
https://www.civo.com/learn/fixing-networking-for-docker
References
https://www.frozentux.net/iptables-tutorial/chunkyhtml/x4721.html
...