Host and docker bridge - and iptables

Hello,
I am trying to create a bridge that will allow 2 way communication from external networks – and it’s driving me nuts.
From everything I’ve read, what I do below should allow a container to communicate externally and allow machines on the network to access the container using its IP.

Hostname: ubuntu 16.04
Docker Version:
Client:
Version: 1.13.1
API version: 1.26
Go version: go1.7.5
Git commit: 092cba3
Built: Wed Feb 8 06:50:14 2017
OS/Arch: linux/amd64

Server:
Version: 1.13.1
API version: 1.26 (minimum version 1.12)
Go version: go1.7.5
Git commit: 092cba3
Built: Wed Feb 8 06:50:14 2017
OS/Arch: linux/amd64
Experimental: false

On the host server (IP address 10.240.7.1/22, default gateway 10.240.4.1), I have set up a bridge (extbridge)
and attached it to the external interface (ens160) using:

brctl addbr extbridge
ip link set extbridge up
brctl addif extbridge ens160
ip addr del 10.240.7.1/22 dev ens160
ip addr add 10.240.7.1/22 dev extbridge
ip route add default via 10.240.4.1 dev extbridge

After doing this, everything seems to run fine…

  1. I have normal host/network connectivity
  2. Using the default docker interface, containers have normal connectivity.

However, if I now create a new Docker bridge with the IP address range 10.240.7.128/25 (or any other valid IP address range) using:

docker network create -d bridge --subnet 10.240.4.0/22 --gateway 10.240.7.1 \
  --ip-range 10.240.7.128/25 -o "com.docker.network.bridge.name=extbridge" extbridge

then I lose all container network connectivity, from either the default bridge or the new one.
Note: if I delete the new bridge using docker network rm extbridge, then connectivity on the default bridge is restored.

I suspect the iptables rules created by Docker (I may be completely wrong here, please correct me).

If, on the host, I run

watch iptables -t filter -nvL

and then start pings from a container using the bridged network, I get the following redirects (I do not get these from the default bridge; the pings just work as normal).

ssd@testbridge:~$ docker run -it --net extbridge ubuntu:16.04 ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.240.7.1: icmp_seq=2 Redirect Host(New nexthop: 10.240.4.1)
From 10.240.7.1: icmp_seq=3 Redirect Host(New nexthop: 10.240.4.1)
From 10.240.7.1: icmp_seq=4 Redirect Host(New nexthop: 10.240.4.1)
From 10.240.7.1: icmp_seq=5 Redirect Host(New nexthop: 10.240.4.1)
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4030ms

and the iptables watch shows the following (the counters were all zero before the ping):

Chain INPUT (policy ACCEPT 972 packets, 139K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1240 88403 DOCKER-ISOLATION all -- * * 0.0.0.0/0 0.0.0.0/0
1229 87479 DOCKER all -- * extbridge 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * extbridge 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- extbridge !extbridge 0.0.0.0/0 0.0.0.0/0
1229 87479 ACCEPT all -- extbridge extbridge 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 251 packets, 42841 bytes)
pkts bytes target prot opt in out source destination

Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination

Chain DOCKER-ISOLATION (1 references)
pkts bytes target prot opt in out source destination
11 924 DROP all -- docker0 extbridge 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- extbridge docker0 0.0.0.0/0 0.0.0.0/0
1229 87479 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Can anyone please suggest what I am doing wrong and how to fix the issue?

Thank you,
Ian.
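A small parser for the `iptables -t filter -nvL` listing shown in the post, added here as an example (it is not part of Ian's post or of Docker) to pull out the rules whose counters moved during the test ping and, in particular, any that forwarded traffic back out the same interface it arrived on, which is the pattern the ICMP redirects from 10.240.7.1 point at. The sample text is constructed from the post's listing, and the function names are my own.

```python
import re

# Constructed sample, abbreviated from the `iptables -t filter -nvL` listing in the post.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source     destination
 1240 88403 DOCKER-ISOLATION  all  --  *      *          0.0.0.0/0  0.0.0.0/0
 1229 87479 DOCKER     all  --  *          extbridge  0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT     all  --  *          extbridge  0.0.0.0/0  0.0.0.0/0  ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  extbridge  !extbridge 0.0.0.0/0  0.0.0.0/0
 1229 87479 ACCEPT     all  --  extbridge  extbridge  0.0.0.0/0  0.0.0.0/0

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source     destination
   11   924 DROP       all  --  docker0    extbridge  0.0.0.0/0  0.0.0.0/0
    0     0 DROP       all  --  extbridge  docker0    0.0.0.0/0  0.0.0.0/0
 1229 87479 RETURN     all  --  *          *          0.0.0.0/0  0.0.0.0/0
"""

# Built-in chains print a policy; user chains print a reference count instead.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) \d+ packets|\d+ references)")

def _count(s):  # iptables abbreviates large counters as 139K / 2M / 1G
    return int(s[:-1]) * {"K": 10**3, "M": 10**6, "G": 10**9}[s[-1]] if s[-1] in "KMG" else int(s)

def parse_filter_table(text):
    """Map chain name -> {"policy": str or None, "rules": [dict, ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:                      # chain header
            current = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        parts = line.split()
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue               # blank line or column header
        pkts, byts, target, prot, _opt, ifin, ifout, src, dst = parts[:9]
        current["rules"].append({"pkts": _count(pkts), "bytes": _count(byts),
                                 "target": target, "prot": prot, "in": ifin, "out": ifout,
                                 "src": src, "dst": dst, "extra": " ".join(parts[9:])})
    return chains

def hot_rules(chains):
    """(chain, rule) pairs whose packet counter moved, i.e. the rules the test traffic hit."""
    return [(n, r) for n, c in chains.items() for r in c["rules"] if r["pkts"] > 0]

def hairpin_rules(chains):
    """Hot rules that forwarded traffic back out the interface it arrived on."""
    return [(n, r) for n, r in hot_rules(chains) if r["in"] == r["out"] != "*"]
```

Run `watch iptables -t filter -nvL` as in the post, paste one snapshot into `SAMPLE` (or read it from a file), and compare `hot_rules()` between snapshots to see exactly which ACCEPT, DROP or RETURN is consuming the container's packets.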