Hi.
I am trying to set up Suricata (a firewall) for all docker networks.
What I am not able to do, precisely, is have Suricata see the original destination IP (the one of my machine). The reason is that I am running the same setup on multiple servers and logging all traffic, so I need to distinguish the traffic of one from the others. Each one differs only in the network address (192.168.0.0/24, 192.168.1.0/24, etc.).
I have tried with the DOCKER-USER chain as written in the doc (here: Packet filtering and firewalls | Docker Documentation) but it doesn't seem to work. What I mean by that is NOT that the firewall does not work (it does), but that the IPs it logs are those of the docker containers (after the DNAT).
I CANNOT use network_mode: host, so I have to use iptables directly.
Suricata is set up to listen for packets in NFQUEUE 0 (started with -q 0).
These are the two rules I tried, and they don't work:
iptables -I DOCKER-USER -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j NFQUEUE
iptables -I DOCKER-USER -m conntrack --ctorigsrc 192.168.122.0/24 -j NFQUEUE
Note that the second rule is theoretically fine: all traffic that passes comes from/to the router.
Should I try to alter other chains (INPUT / OUTPUT)?
Hope somebody can help.