Firewalld deleting concourse-created iptables chains

Hello, a little new to the forum, sorry if this is posted in the wrong place.

I wanted to post a problem that I ran into in case somebody ran into a similar issue. I set up concourse on a Linux machine by hand and I wanted to go through the tutorial, but when I ran the first “Hello World” Task in the tutorial, I got this response:

failed to ping registry: 2 error(s) occurred:

* ping https: Get net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
* ping http: Get net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)


This seemed to be happening before concourse could even create the build container.
Most of the debugging instructions say that this is due in part to the DNS setup in garden, but after reviewing the logs, I saw that the worker never set up a container in the first place.

I looked over the concourse logs, and it looked like it was expecting some rules to be there that weren’t. Something seems to wipe out all the IPtables rules that the concourse worker writes.

After I added the forward rule to the Default forward chain, the hello-world task ran successfully.

However, when I start up my machine, I always need to restart iptables, then my concourse worker to get the ruleset re-written.

Concourse works fine, I’m working my way through the tutorials right now, but if you’re having problems with it connecting to the docker registry and you’re sure your DNS is correct, check iptables with the command iptables -L. If you don’t see any chains starting with w--, it means the chains created by concourse may have been removed.

I narrowed it down to firewalld doing this, because it complains about a bunch of unknown chains when it starts up, and the error above only occurs when it’s running. Apparently, firewalld resets iptables when it starts up.

This took me a while to sort out so I hope reading this has saved you some time in frustration.

To conclude, if you’re having trouble with the above error, and the DNS configuration looks fine, it may be that the iptables rules are being reset. Check for chains starting with w-- when you run iptables -L.

Other than that, my concourse install is up and running, and I’m looking forward to using it!
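The check described in the post, as an added example that is not part of the original post: a small POSIX shell script that inspects an iptables ruleset for the w-- chains the worker creates and for a rule in FORWARD that jumps into them. It reads the ruleset in `iptables -S` form (easier to parse than `iptables -L`), passed as an argument, so it can be run against a live worker with `check_ruleset "$(iptables -S)"` or against saved output. The two rulesets embedded below are constructed for the example; only the w-- prefix comes from the post, and the chain names after it (and the firewalld chain in the second ruleset) are made up.

```shell
#!/bin/sh
# Added example (not from the original post): detect a wiped concourse/garden
# iptables ruleset. Live use on a worker:  check_ruleset "$(iptables -S)"

# Number of chains whose name starts with w--.
count_garden_chains() {
    printf '%s\n' "$1" | grep -Ec '^-N w--' || true
}

# Exit 0 if at least one w-- chain is defined.
garden_chains_present() {
    printf '%s\n' "$1" | grep -Eq '^-N w--'
}

# Print the policy of the FORWARD chain (ACCEPT or DROP).
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^-P FORWARD \([A-Z]*\).*/\1/p'
}

# Exit 0 if some rule in FORWARD jumps into a w-- chain, i.e. container
# traffic still has a path through the default forward chain.
forward_jumps_to_garden() {
    printf '%s\n' "$1" | grep -Eq '^-A FORWARD .*-j w--'
}

# Summarise the ruleset; exit 0 if it looks intact, 1 if the worker's chains
# or the forward rule are missing (the symptom described in the post).
check_ruleset() {
    ruleset=$1
    echo "w-- chains defined: $(count_garden_chains "$ruleset")"
    echo "FORWARD policy:     $(forward_policy "$ruleset")"
    if ! garden_chains_present "$ruleset"; then
        echo "no w-- chains: the worker's rules are gone, restart iptables and then the worker"
        return 1
    fi
    if ! forward_jumps_to_garden "$ruleset"; then
        echo "w-- chains exist but FORWARD has no jump into them: add the forward rule"
        return 1
    fi
    echo "ruleset looks intact"
    return 0
}

# Constructed sample in `iptables -S` format: a worker whose rules are intact.
# Chain names other than the w-- prefix are invented for this example.
INTACT_RULESET='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N w--forward
-N w--instance-a1b2c3
-A FORWARD -j w--forward
-A w--forward -j ACCEPT
-A w--instance-a1b2c3 -j ACCEPT'

# Constructed sample of the same host after firewalld has reset iptables:
# only a firewalld-style chain remains and every w-- chain is gone.
WIPED_RULESET='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N INPUT_ZONES
-A INPUT -j INPUT_ZONES'

# Demo on the constructed samples; the exit status of check_ruleset is the verdict.
check_ruleset "$INTACT_RULESET" || true
echo ---
check_ruleset "$WIPED_RULESET" || true
```

The script only reads the ruleset; it deliberately does not try to recreate the chains, because the worker owns them and will rewrite them once it is restarted after iptables.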


Good catch! I am running concourse on Fedora, which comes with firewalld enabled by default.
What you could try is, if you use systemd to start concourse, to add an explicit dependency on firewalld.
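The systemd dependency suggested in the reply, as an added example that is not part of the reply or of concourse's own packaging. It assumes the worker runs as a systemd unit called concourse-worker.service (a placeholder name; use whatever your unit is actually called) and that firewalld's unit is firewalld.service. The drop-in is written under a caller-supplied root directory so the function can be tried in a scratch directory before it is pointed at /etc/systemd/system.

```shell
#!/bin/sh
# Added example (not from the reply above): install a systemd drop-in that
# orders the concourse worker after firewalld, so firewalld's start-up reset
# of iptables happens before the worker writes its w-- chains.
# Unit name concourse-worker.service is an assumed placeholder.

# write_firewalld_dropin ROOT UNIT -> writes ROOT/UNIT.d/10-after-firewalld.conf
# and prints its path. ROOT is normally /etc/systemd/system; any other ROOT
# lets the function be exercised without touching the real system.
write_firewalld_dropin() {
    root=$1
    unit=$2
    dir="$root/$unit.d"
    mkdir -p "$dir"
    cat > "$dir/10-after-firewalld.conf" <<'EOF'
# Start the worker only after firewalld has finished resetting iptables, pull
# firewalld in so the ordering is meaningful, and stop/restart the worker
# whenever firewalld is restarted, since a firewalld restart wipes the
# worker's chains again.
[Unit]
After=firewalld.service
Wants=firewalld.service
PartOf=firewalld.service
EOF
    printf '%s\n' "$dir/10-after-firewalld.conf"
}

# Exit 0 if a drop-in file carries the After= ordering on firewalld.
dropin_orders_after_firewalld() {
    grep -q '^After=firewalld.service$' "$1"
}

# Real installation (as root), then reload systemd so the drop-in is read:
#   write_firewalld_dropin /etc/systemd/system concourse-worker.service
#   systemctl daemon-reload
# Demo in a scratch directory so the script is safe to run anywhere:
tmp=$(mktemp -d)
f=$(write_firewalld_dropin "$tmp" concourse-worker.service)
dropin_orders_after_firewalld "$f" && echo "drop-in written to $f"
cat "$f"
rm -rf "$tmp"
```

After= alone only fixes the boot-time race; PartOf= is what makes a later `systemctl restart firewalld` take the worker down and back up with it, so the chains are rewritten instead of silently vanishing until the next manual restart. Use Requires= instead of Wants= if the worker should refuse to start at all when firewalld fails.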