Docker container networking and LibreELEC iptables

This is more of a bug report, at least I think it is a bug. But then I'm not sure if it's a LibreELEC bug or a bug with the Docker addon.

I'm trying to set up Miniflux in Docker on LibreELEC, I've used the Portainer addon to set up the stack and have been following Installation Instructions - Documentation

The result here should be two containers (postgres & miniflux), both placed in their own isolated bridge network by Docker (with IPs somewhere in 172.16.0.0/12). The miniflux container should be able to connect to the postgres container on port 5432 within that isolated network.

What I've found is that the Home-v4 firewall settings (haven't tested Public) prevent this.

When I disable LibreELEC's firewall in the LibreELEC settings addon and restart Docker, the miniflux container starts successfully and can communcate with the postgres container on its network. Looking at iptables -L -v confirms this, with packets showing up in the correct interface in the forward chain and hitting the isolation stages.

Though, when the Home firewall rules are enabled, packets between the two containers get rejected with connection refused somewhere and don't show up in docker's chains.

I don't know enough about iptables to get to the core of the issue, so I'm hoping someone can help with this.

Thanks for the reply. I'm not 100% certain, but I think the way I set this up in Docker is correct and this is an issue with LE's iptables rules.

Quote from aptalca

The link you provided uses docker compose, which by default creates a "user defined bridge" network, which allows containers to connect to each other via container name.

Yup, and I've set this up using Portainer Stacks (equivalent to docker compose), and I see that the bridge network is created and the containers are added to it.

Here are the docker compose files I've used, if someone wants to copy/paste and try for themselves:

For miniflux:

version: '2'
services:
  miniflux:
    image: miniflux/miniflux:latest
    ports:
      - "12346:8080"
    depends_on:
      - db
    environment:
      - DATABASE_URL=postgres://miniflux:secret@db/miniflux?sslmode=disable
      - RUN_MIGRATIONS=1
      - CREATE_ADMIN=1
      - ADMIN_USERNAME=admin
      - ADMIN_PASSWORD=test123
  db:
    image: postgres:latest
    environment:
      - POSTGRES_USER=miniflux
      - POSTGRES_PASSWORD=secret
    volumes:
      - miniflux-db:/var/lib/postgresql/data
volumes:
  miniflux-db:

and the one from Docker Hub for a more minimal test:

# Use postgres/example user/password credentials
version: '2'
services:
  db:
    image: postgres
    restart: always
    environment:
      POSTGRES_PASSWORD: example
  adminer:
    image: adminer
    restart: always
    ports:
      - 12347:8080

In both cases, the networks get created, but the containers can't communicate. As far as I can tell from inside the containers, the hostnames seem to resolve correctly, just the connection fails.