Docker Community Forums

Docker service create - a wrong iptables nat rule is created

When a docker service is created, I cannot log in to the container from the host via the bridge network. After investigation, I found that the nat rule under DOCKER-INGRESS is created wrong.

My env:
debian stretch
docker version: docker-ce-cli_18.09.6_3-0_debian-stretch_amd64

docker gw bridge:

docker_gwbridge: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
        ether 02:42:0b:dd:9b:eb  txqueuelen 0  (Ethernet)
        RX packets 107  bytes 10983 (10.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 476  bytes 23336 (22.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

command to create docker swarm service:
docker service create --name myweb --publish mode=ingress,target=80,published=8080 myweb:v1

myweb is a custom-built image based on centos with sshd:22 and apache:80.
Nothing is wrong with the image.

When the container is created, from inside the container:

[root@aa8dd71be560 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.255.0.9  netmask 255.255.0.0  broadcast 10.255.255.255
        ether 02:42:0a:ff:00:09  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1  bytes 42 (42.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.3  netmask 255.255.0.0  broadcast 172.18.255.255
        ether 02:42:ac:12:00:03  txqueuelen 0  (Ethernet)
        RX packets 64  bytes 6441 (6.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 40  bytes 5304 (5.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 25  bytes 1915 (1.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 25  bytes 1915 (1.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

However, the nat rule created in the host is

root@awsesa2:~# iptables -S DOCKER-INGRESS -tnat
-N DOCKER-INGRESS
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:8080
-A DOCKER-INGRESS -j RETURN

Looking at the iptables rule, you can clearly see that the DNAT translates to 172.18.0.2:8080. It should be 172.18.0.3:80, because 172.18.0.2 does not exist and the target port is 80.
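The comparison made by hand in this post (DNAT target vs. the task's own interface addresses and the `--publish` target port) can be scripted so the same check is repeatable on every swarm node. The following is an added example, not code from the post or from Docker: it parses the `iptables -S DOCKER-INGRESS -t nat` output, the container's `ifconfig` output and the `--publish` spec as they appear above (all three copied from the post, trimmed to the relevant lines), and reports for each DNAT rule on the published port whether its destination address is one of the task's addresses and whether its destination port is the service target port. The regexes and the finding format are this example's own assumptions. Note that a DNAT target missing from the task's own addresses does not by itself prove the rule is wrong: in swarm ingress mode the docker_gwbridge endpoint a published port is first sent to may belong to Docker's ingress sandbox rather than to the task, so confirm what owns the address with `docker network inspect docker_gwbridge` (it lists every endpoint attached to the bridge) before treating the finding as a bug.

```python
"""Audit DOCKER-INGRESS DNAT rules against a swarm task's addresses.

Added example for this forum thread; not part of the original post and
not Docker's own tooling. The three inputs below are copied (trimmed)
from the post so the script runs offline; the parsing and audit logic
are this example's own.
"""
import re

# Copied from the post: `iptables -S DOCKER-INGRESS -t nat` on the host.
IPTABLES_S = """\
-N DOCKER-INGRESS
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:8080
-A DOCKER-INGRESS -j RETURN
"""

# Copied (trimmed to the address lines) from the post: `ifconfig` inside the task.
IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.255.0.9  netmask 255.255.0.0  broadcast 10.255.255.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.3  netmask 255.255.0.0  broadcast 172.18.255.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""

# The --publish spec from the post's `docker service create` command.
PUBLISH_SPEC = "mode=ingress,target=80,published=8080"

# Assumed rule shape: `-A <chain> ... -p <proto> ... --dport <n> -j DNAT --to-destination <ip>:<port>`
DNAT_RE = re.compile(
    r"^-A (?P<chain>\S+) .*?-p (?P<proto>tcp|udp) .*?--dport (?P<dport>\d+) "
    r"-j DNAT --to-destination (?P<ip>[\d.]+):(?P<port>\d+)$"
)
# Assumed ifconfig shape: an indented `inet <ip>` line per interface (IPv4 only).
INET_RE = re.compile(r"^\s+inet (?P<ip>[\d.]+)\s", re.M)


def parse_dnat_rules(text):
    """Return [(chain, proto, dport, dst_ip, dst_port)] for every DNAT rule in `iptables -S` output."""
    rules = []
    for line in text.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            rules.append((m["chain"], m["proto"], int(m["dport"]), m["ip"], int(m["port"])))
    return rules


def parse_inet_addrs(text):
    """Return the set of IPv4 addresses listed in ifconfig output."""
    return set(INET_RE.findall(text))


def parse_publish(spec):
    """Split a `--publish mode=...,target=...,published=...` spec into a dict."""
    kv = dict(item.split("=", 1) for item in spec.split(","))
    return {
        "mode": kv.get("mode", "ingress"),
        "target": int(kv["target"]),
        "published": int(kv["published"]),
    }


def audit(iptables_text, ifconfig_text, publish_spec):
    """One finding per DNAT rule whose --dport is the published port.

    dst_is_task_addr: the DNAT destination IP is one of the task's interfaces.
    dst_port_is_target: the DNAT destination port equals the service target port.
    """
    pub = parse_publish(publish_spec)
    addrs = parse_inet_addrs(ifconfig_text)
    findings = []
    for chain, proto, dport, ip, port in parse_dnat_rules(iptables_text):
        if dport != pub["published"]:
            continue
        findings.append({
            "rule": f"{chain} {proto}/{dport} -> {ip}:{port}",
            "dst_is_task_addr": ip in addrs,
            "dst_port_is_target": port == pub["target"],
        })
    return findings


if __name__ == "__main__":
    for f in audit(IPTABLES_S, IFCONFIG, PUBLISH_SPEC):
        status = "ok" if f["dst_is_task_addr"] and f["dst_port_is_target"] else "MISMATCH"
        print(f"{status}: {f['rule']} (task addr: {f['dst_is_task_addr']}, "
              f"target port: {f['dst_port_is_target']})")
```

Run against the post's data it reports a single MISMATCH for `DOCKER-INGRESS tcp/8080 -> 172.18.0.2:8080`, with both checks false, which is exactly the observation in the post; on a host where you capture the live outputs (`iptables -S DOCKER-INGRESS -t nat` and `docker exec <task> ifconfig`) you can pass them to `audit()` in place of the embedded strings.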