Unfortunately, I have a big problem with docker networking.
A relatively special setup on a server leads me to create a Docker network for my containers to communicate over a certain outgoing interface. It is therefore important that this Docker network is created without a masquerading rule in iptables.
So I created the Docker network with this command:
docker network create --attachable --opt 'com.docker.network.bridge.name=br-intern' --opt 'com.docker.network.bridge.enable_ip_masquerade=false' br-intern
I implemented the requirement to communicate over a specific outgoing interface with this iptables command:
iptables -t nat -A POSTROUTING -s 172.18.0.0/16 ! -o br-intern -j SNAT --to-source xxx.xxx.xxx.xxx
But contrary to my expectation, a MASQUERADE rule was created again for this bridge:
-A POSTROUTING -s 172.18.0.0/16 ! -o br-cfcebee2a7c0 -j MASQUERADE
So now I have to make sure at every daemon restart that these rules are not created again by Docker in an automated way, otherwise the containers cannot reach our internal registry. It is also very difficult to write the iptables rules automatically, because not only the network name is used in the rules. The UUID, which is random, often appears there as well. I haven't found a good solution yet and would appreciate any tips.
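An added example, not part of the original post and not Docker's own tooling: a dry-run helper that reads the output of `iptables -t nat -S POSTROUTING`, finds every MASQUERADE rule for the container subnet by matching on the subnet and the `-j MASQUERADE` target rather than on the auto-generated `br-<id>` bridge name, and prints the corresponding `-D` commands together with an idempotent insert of the SNAT rule. The subnet 172.18.0.0/16 and bridge name br-intern are taken from the post; the SNAT source address 203.0.113.10 and the sample rule listing are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). All commands are printed, not
# executed, so the plan can be reviewed before it is piped to sh.
# Assumed placeholders: subnet 172.18.0.0/16, bridge br-intern,
# SNAT source 203.0.113.10 (documentation address, not a real host).

# Read an `iptables -t nat -S POSTROUTING` listing on stdin and print one
# `iptables -t nat -D ...` command for every MASQUERADE rule whose source
# is $1. Matching on the subnet and the target, not the bridge name, makes
# this independent of the random id Docker appends to the interface.
masquerade_delete_cmds() {
  # -S lines look like: -A POSTROUTING -s 172.18.0.0/16 ! -o br-xxxx -j MASQUERADE
  grep -F -- "-s $1 " | grep -F -- '-j MASQUERADE' | sed 's/^-A /iptables -t nat -D /'
}

# Read the same listing on stdin and print the insert command for the SNAT
# rule ($1 subnet, $2 bridge, $3 source address) unless an identical rule
# already exists, so repeated runs do not stack duplicate rules.
snat_ensure_cmd() {
  snat_rule="-s $1 ! -o $2 -j SNAT --to-source $3"
  if grep -qxF -- "-A POSTROUTING ${snat_rule}"; then
    echo "# SNAT rule already present"
  else
    echo "iptables -t nat -I POSTROUTING 1 ${snat_rule}"
  fi
}

# Combine both: remove stray MASQUERADE rules, then make sure the SNAT rule is in place.
plan() {
  listing=$(cat)
  printf '%s\n' "$listing" | masquerade_delete_cmds "$1"
  printf '%s\n' "$listing" | snat_ensure_cmd "$1" "$2" "$3"
}

# Constructed sample listing (not captured from a real host); the MASQUERADE
# line for 172.18.0.0/16 is the one quoted in the post.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-cfcebee2a7c0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-intern -j SNAT --to-source 203.0.113.10'

# Dry run against the sample; on a host you would feed the live listing instead.
printf '%s\n' "$SAMPLE_RULES" | plan 172.18.0.0/16 br-intern 203.0.113.10
```

On a real host the live listing replaces the sample (`iptables -t nat -S POSTROUTING | plan 172.18.0.0/16 br-intern <addr>`), and the printed plan can be reviewed before being piped to `sh`; running it from a unit ordered after the Docker daemon is one way to re-apply it after each restart. Checking for an exact existing rule with `grep -x` before inserting is what keeps the script safe to run repeatedly.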