Docker Community Forums

Docker network creation without masquerade rule

Unfortunately, I have a big problem with docker networking.
A relatively special setup on a server leads me to create a Docker network for my containers to communicate over a certain outgoing interface. It is therefore important that this Docker network is created without a masquerading rule in iptables.

So I created the Docker network with this command:

docker network create --attachable --opt 'com.docker.network.bridge.name=br-intern' --opt 'com.docker.network.bridge.enable_ip_masquerade=false' br-intern

I implemented the requirement to communicate over a specific outgoing interface with this iptables command:

iptables -t nat -A POSTROUTING -s 172.18.0.0/16 ! -o br-intern -j SNAT --to-source xxx.xxx.xxx.xxx

But contrary to my expectation, a Masquerade rule was created again for this bridge:

-A POSTROUTING -s 172.18.0.0/16 ! -o br-cfcebee2a7c0 -j MASQUERADE

So now I have to make sure at every daemon restart that these rules are not created again by Docker in an automated way, otherwise the containers cannot reach our internal registry. It is also very difficult to write the iptables rules automatically, because not only the network name is used in the rules. The uuid, which is random, often appears there as well. I haven’t found a good solution yet and would appreciate any tips.
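An added example (not from the original post) of automating the clean-up described above: it reads the nat POSTROUTING rules in `iptables -S` form, finds every MASQUERADE rule Docker added for the network's subnet, and prints the commands that delete it and install the SNAT rule with the same bridge interface, so the random bridge name is copied from Docker's own rule rather than guessed. The sample rules and the SNAT source 203.0.113.10 are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S POSTROUTING` output after a Docker
# daemon restart: the MASQUERADE rule for the 172.18.0.0/16 bridge is back, and
# the bridge name carries the random id rather than the requested "br-intern".
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-cfcebee2a7c0 -j MASQUERADE'

# fix_masquerade SUBNET SNAT_SOURCE [RULES]
# For every MASQUERADE rule Docker added for SUBNET, print the iptables command
# that deletes it and the command that installs an SNAT rule in its place.
# RULES defaults to the live nat table. Commands are printed, not executed, so
# they can be reviewed first or piped into `sh` from a restart hook.
fix_masquerade() {
    subnet=$1
    snat_src=$2
    rules=${3:-$(iptables -t nat -S POSTROUTING)}
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        case $rule in
            "-A POSTROUTING -s $subnet ! -o "*" -j MASQUERADE")
                # "-S" prints each rule in exactly the form "-D" needs to remove it.
                spec=${rule#-A }
                echo "iptables -t nat -D $spec"
                # Reuse the "! -o <bridge>" interface from the rule Docker wrote.
                bridge=${rule#*"! -o "}
                bridge=${bridge%% *}
                echo "iptables -t nat -A POSTROUTING -s $subnet ! -o $bridge -j SNAT --to-source $snat_src"
                ;;
        esac
    done
}

# Dry run against the constructed sample (a real run would omit the third argument).
fix_masquerade 172.18.0.0/16 203.0.113.10 "$SAMPLE_RULES"
```

Rules for other subnets (for example the default docker0 network) are left untouched, and nothing is printed when Docker has not re-added a MASQUERADE rule for the subnet.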

To avoid your rules being clobbered by docker, try to use the DOCKER-USER chain:

iptables -A DOCKER-USER -t nat -A POSTROUTING -s 172.18.0.0/16 ! -o br-intern -j SNAT --to-source xxx.xxx.xxx.xxx