Bypass docker network

Hello

I am running Docker on an Ubuntu server VM with multiple IPs (aliases).

My question is: can I bind a host IP directly to a Docker image?
Somehow turn off the Docker network and use the host IPs to run each container.

I want to control inbound and outbound traffic from my firewall instead of UFW.

Thank you

Is this what you’re needing?

Hello

No, I need to do something like 1:1 NAT inside Ubuntu.
It should be done with the ip route command, I think.

Let's say I have an Ubuntu interface ens160 with multiple IP addresses like this:

ens160:
  addresses: ['10.15.14.60/25', '10.15.14.61/25', '10.15.14.62/25', '10.15.14.63/25', '10.15.14.64/25']
  gateway4: 10.15.14.2

Let's say I have a subnet in Docker, 172.16.2.0/29.

I want the whole subnet to go through 10.15.14.61/32 for inbound and outbound traffic.

Here is my current ip route show:

default via 10.15.14.2 dev ens160 proto static
10.15.14.0/25 dev ens160 proto kernel scope link src 10.15.14.60
172.16.2.0/29 dev br-0175d2af48dc proto kernel scope link src 172.16.2.1

I have to remove this route:
10.15.14.0/25 dev ens160 proto kernel scope link src 10.15.14.60
and add a static route to look something like this:
172.16.2.1/32 dev ens160 proto kernel scope link src 10.15.14.61
Currently all Docker networks go outbound from 10.15.14.60,

and I am not sure how to do that.

Does anyone have a solution to my question, or do I have to take it elsewhere?

You can try MacVLAN, if you don’t need to reach your containers on LAN from the host machine.

I try to avoid it and I sometimes don’t understand why this is the solution but I also don’t know a better one…

Hello

My containers are not exposed to the public and I am not intending to do so ever, but they can still send data from my network, which is by all means a breach of security. I can create a template VM with some minimal version of Debian with pre-installed Docker and deploy a single container on a separate VM, but before I do this I need to see if there is a way to avoid this, because it is ridiculous to install a separate VM every time I want to install a container. The whole point of containers is lost this way.

I have hooked up some of the so-called open source apps to go through my DPI system and guess what I found?

Sensitive data had been encapsulated inside the outbound packets and the funny thing is it was not encrypted, so I am warning everyone who does not have knowledge of IT to stay away from Docker.
It is not a trojan horse I have inside my network, it is DOCKER, which is designed as a trojan horse.

If the network was not isolated in the way I did it, this SCAM Docker system could do a lot of damage to your infrastructure.

To answer your question

I try to avoid it and I sometimes don’t understand why this is the solution but I also don’t know a better one…

That’s why

First of all, you don’t need to explain your reasons, but I appreciate that you shared it.

That's true. Docker is not a Word document :slight_smile: It requires technical skills to do it right and it is not for someone "who does not have knowledge of IT". Docker was the easiest way to deploy containers and is still one of the easiest ways, at least, but for a production environment it must be configured by someone who has learned enough about Docker and the related systems to do so.

What kind of data was sent out from your Docker host, and to where? Was it something generated by one of your applications which was intended to be sent to another container?

A Docker container is just an isolated system using Linux kernel namespaces. Docker will never send your data to the outside network. And I mean not just sensitive data, it will not send any data anywhere. If it were possible, it would not be used by anyone, because that is unacceptable, no matter which system we are talking about.

Your application inside a container is the only thing that is responsible for its data and network traffic. Of course, if the host network is configured incorrectly and somehow forwards traffic it should not, that's another story. If you really know that Docker actually sent your data to another host and not your application, please report it on GitHub: docker for linux, because that is not allowed to happen.

How did you install Docker, and which version of it? I suppose you followed the instructions in the documentation:

As I suggested in my previous message, you can try MacVLAN to give your containers an IP address on your LAN network instead of a local IP address on the Docker bridge.

The fact that I don't like it doesn't mean I am right. I didn't want to explain why I felt that way, because that would be another topic and not closely related to your requirements.

If you really want to have IP addresses the way you shared in your post, bound to your host machine with additional route settings, I don’t think that is a good way and I am not sure if that is even possible. If it is, I don’t know if anyone ever tried it.

If you find a solution for that, please, let me know. :slight_smile:
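Added example, not code from anyone in this thread: the two ways the OP's requirement can actually be met on a Docker host. Option A is the macvlan network suggested above (one LAN IP per container, with the caveat that the host cannot reach those containers). Option B is an assumption on my part, not something proposed in the thread: instead of rewriting the kernel route as the OP tried, keep the bridge network and SNAT the Docker subnet to one host alias, then publish ports on that alias only, so the perimeter firewall sees exactly one address per direction. Interface, subnet, bridge and IP values are the ones from the OP's post; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumed values, taken from the OP's post:
# parent NIC ens160, LAN 10.15.14.0/25 via 10.15.14.2, Docker subnet 172.16.2.0/29
# on bridge br-0175d2af48dc, and 10.15.14.61 as the one host alias the firewall should see.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root, docker, iptables).
set -eu
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Option A, as suggested in the thread: macvlan. Every container gets its own LAN address
# on ens160, so the perimeter firewall filters each one like any other host.
# Caveat from the thread: the Docker host itself cannot reach containers on a macvlan network.
macvlan_network() {
  local name=$1 parent=$2 subnet=$3 gateway=$4
  run docker network create -d macvlan --subnet="$subnet" --gateway="$gateway" \
      -o parent="$parent" "$name"
}
macvlan_run() {   # pin one container to one LAN IP
  local net=$1 ip=$2 image=$3
  run docker run -d --network "$net" --ip "$ip" "$image"
}

# Option B (assumed alternative, not from the thread): keep the bridge network and SNAT the
# whole Docker subnet to one alias, so outbound traffic leaves as 10.15.14.61 instead of the
# interface's primary address 10.15.14.60. Inserted at position 1 so it is matched before
# Docker's own MASQUERADE rule; traffic staying on the bridge is excluded, as Docker does.
snat_docker_subnet() {
  local subnet=$1 bridge=$2 src=$3
  run iptables -t nat -I POSTROUTING 1 -s "$subnet" ! -o "$bridge" -j SNAT --to-source "$src"
}
# Inbound for Option B: publish a port on that alias only, so the other host IPs never answer.
publish_on_alias() {
  local ip=$1 host_port=$2 container_port=$3 image=$4
  run docker run -d -p "$ip:$host_port:$container_port" "$image"
}

main() {
  macvlan_network lan_net ens160 10.15.14.0/25 10.15.14.2
  macvlan_run lan_net 10.15.14.62 nginx:alpine
  snat_docker_subnet 172.16.2.0/29 br-0175d2af48dc 10.15.14.61
  publish_on_alias 10.15.14.61 8080 80 nginx:alpine
}
main
```

With Option B the SNAT rule is not persisted across reboots or Docker restarts; re-apply it from a systemd unit or iptables-persistent, and confirm with `iptables -t nat -L POSTROUTING -n --line-numbers` that it sits above Docker's MASQUERADE entry.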