Help setup firewall to track dst ip for all docker networks


I am trying to setup Suricata (a firewall) for all docker networks.

What I am not able to do, precisely, is have Suricata view the original destination IP (the one of my machine). The reason is that I am running the same setup on multiple servers and logging all traffic, so I need to discern traffic of one from the others. Each one differ only from the network address (,, etc).

I have tried with the DOCKER-USER chain as written in the doc (here: Packet filtering and firewalls | Docker Documentation) but it doesn’t seem to work. What I mean by that is NOT that the firewall does not work (it does), but that the IP it logs are the one of the docker containers (after the DNAT).

I CANNOT use network_mode: host, so I have to use iptables directly.

Suricata is set up to listen for packets in NFQUEUE 0 (started with -q 0).

Those are the two rules I tried and don’t work:

  • iptables -I DOCKER-USER -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j NFQUEUE
  • iptables -I DOCKER-USER -m conntrack --ctorigsrc -j NFQUEUE

Note that the second rule is theoretically fine: all traffic passes comes from/to the router.

Should I try to alter other chains (INPUT / OUTPUT)?

Hope somebody can help.