Access from docker instance to external host which is connected to enp3s0 as shared method (use NM+dnsmasq)

General
1

Hi.
Have a problem with access from docker instance to external host which is connected to enp3s0 as shared method.
STR:

  1. Create network connection by using NM with settings ipv4.method=shared (IP 10.10.0.1)
  2. Plug external computer to enp3s0 device and it will recive network settings (IP, routes) from dnsmasq which was run by NM.
  3. run arp -n to know IP (10.10.0.193) of external host. Routes is good and I can access to IP from host.
  4. Run instance on host and try to ping this IP (10.10.0.193):

Get error:

docker run --rm -ti oraclelinux:8 ping -c 1 10.10.0.193 
PING 10.10.0.193 (10.10.0.193) 56(84) bytes of data. 
From 172.17.0.1 icmp_seq=1 Destination Port Unreachable
 --- 10.10.0.193 ping statistics --- 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

Can ping local IP:

[root@86abc28a156b /]# ping 10.10.0.1
PING 10.10.0.1 (10.10.0.1) 56(84) bytes of data. 
64 bytes from 10.10.0.1: icmp_seq=1 ttl=64 time=0.087 ms

Show Interfaces from host:

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 18:c0:4d:68:41:d4 brd ff:ff:ff:ff:ff:ff
inet 10.10.0.1/24 brd 10.10.0.255 scope global noprefixroute enp3s0
valid_lft forever preferred_lft forever
3: enp0s20f0u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 98:de:d0:05:0a:79 brd ff:ff:ff:ff:ff:ff
inet 192.168.88.21/24 brd 192.168.88.255 scope global dynamic noprefixroute enp0s20f0u1
valid_lft 3173sec preferred_lft 3173sec
inet6 fe80::579a:dfee:38d8:cf74/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:aa:07:90:19 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:aaff:fe07:9019/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
6: vethb16c99f@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 2e:ca:c9:f0:89:93 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::2cca:c9ff:fef0:8993/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever

Show route table from host:

# ip r
default via 192.168.88.1 dev enp0s20f0u1 proto dhcp src 192.168.88.21 metric 100
10.10.0.0/24 dev enp3s0 proto kernel scope link src 10.10.0.1 metric 101
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.88.0/24 dev enp0s20f0u1 proto kernel scope link src 192.168.88.21 metric 100

Show docker info:

# docker info
Client: Docker Engine - Community
Version:    25.0.1
Context:    default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version:  v0.12.1
Path:     /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version:  v2.24.2
Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
Containers: 2
Running: 1
Paused: 0
Stopped: 1
Images: 47
Server Version: 25.0.1
Storage Driver: btrfs
Btrfs:
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: a1496014c916f9e62104b33d1bb5bd03b0858e59
runc version: v1.1.11-0-g4bccb38
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.6.13-200.fc39.x86_64
Operating System: Fedora Linux 39 (KDE Plasma)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 62.64GiB
Name: dubrwork.local
ID: 2HJV:BCC3:MTJE:POL4:O5BX:DJXS:SRVZ:2AHD:SZ3V:5WYE:W5BW:BS2X
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: true
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

Firewalld is disabled.
It looks like it doesn’t work from docker0 bridge to interface where dnsmasq run.

Any ideas on how to fix this?
Thank you!