How to change the docker0 bridge by default

Today I received an abuse from Hetzner:
We have detected that your server is using different MAC addresses from those allowed by your Robot account.

I think the problem is with Docker and want to try to change:
"com.docker.network.bridge.enable_ip_masquerade"="false"

I tried to do this but I get an error:
sudo docker network create --attachable --opt 'com.docker.network.bridge.enable_ip_masquerade=false' bridge
Error response from daemon: operation is not permitted on predefined bridge network.

How to change the docker0 bridge by default?

Docker won’t change your MAC address. Hetzner and any client would see your server as a sender or receiver and not the Docker container. Did Hetzner tell you what MAC address seems to be the one that is not permitted?

To tell you the truth, I don’t even know what the ip_masquerade option is for in this case. I couldn’t see any difference in the IP addresses when I disabled it on a custom docker network.

Yes, they said which MAC addresses are bad.
I tried to find them but didn’t find:
ip addr | grep 1c
ifconfig | grep 1c
ip link | grep 1c

  • Where “1c” is part of the MAC address

Do you have multiple machines at Hetzner? If you don’t and you can’t find the MAC address, ask them to tell you why they think you use that MAC address. Maybe they made a mistake, or they can give you more information to help you identify the issue.

Like Akos said: involve Hetzner!

Raise a support ticket and ask them for guidance on how docker is supposed to be run on their machines to not raise an alert.

AFAIR, masquerade should hide the hosts of the container network (as in, it acts as a NAT).
If I am not mistaken, you should see a difference in outgoing traffic from the container.

Just to be sure: you are not trying to use a macvlan network, are you?

N.B.: network and named volumes are immutable. Once created their configuration can not be changed. You need to delete and re-create them using the new parameters. In the case of the default networks: make sure to inspect it to see the current configuration before you delete it - you might want to re-use parts or the complete configuration and change or add parameters as you need.
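The macvlan question and the `grep 1c` search a few posts up come down to the same check: which MAC addresses this host actually puts on the wire. Below is an added script (not code from any poster in the thread) that lists the MACs of the host interfaces and of every running container's endpoints and searches them for a fragment; the fragment `1c` and the file name `mac-audit.sh` are placeholders, and the self-test data is taken from the `ip a` output posted below.

```shell
#!/bin/sh
# Added example, not from anyone in the thread: list every MAC address the
# host and its running containers use, then search for the fragment Hetzner
# quoted ("1c" above). Needs iproute2 and the docker CLI: sh mac-audit.sh scan 1c

# Self-test input, copied from the `ip a` output posted in the thread.
SAMPLE_IP_LINK='2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 44:8a:5b:84:7b:63 brd ff:ff:ff:ff:ff:ff
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 02:42:cd:58:90:c3 brd ff:ff:ff:ff:ff:ff
14: vethdd75965@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-e739098f0997 state UP
    link/ether 52:8a:ea:69:0b:39 brd ff:ff:ff:ff:ff:ff link-netnsid 0'

# stdin: `ip link` or `ip -o link` output -> stdout: "ifname mac" per interface.
parse_iplink() {
    awk '/^[0-9]+: / { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name) }
         { for (i = 1; i <= NF; i++) if ($i == "link/ether") print name, $(i + 1) }'
}

# Keep lines whose last field (the MAC) contains the fragment, case-insensitively.
# Exit status 1 when nothing matched, so the caller can report that.
match_fragment() {
    awk -v frag="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        'index(tolower($NF), frag) { print; found = 1 } END { exit !found }'
}

# Host side: the physical NIC, docker0, br-* bridges and the host end of each veth.
host_macs() { ip -o link | parse_iplink | sed 's/^/host /'; }

# Container side: each endpoint's MAC lives in the container's network namespace,
# so `ip link` on the host (and the grep above) never sees it.
container_macs() {
    ids=$(docker ps -q)
    [ -n "$ids" ] || return 0
    # shellcheck disable=SC2086
    docker inspect -f '{{$c := .Name}}{{range .NetworkSettings.Networks}}{{$c}} {{.MacAddress}}{{println}}{{end}}' $ids |
        sed '/^$/d; s/^\//container /'
}

case "${1-}" in
scan)
    frag="${2:-1c}"
    { host_macs; container_macs; } | match_fragment "$frag" ||
        echo "No MAC containing '$frag' on the host or in any running container."
    # With bridge networking a container MAC never leaves the host; with macvlan
    # or ipvlan it does, which is why the macvlan question above matters.
    echo "macvlan/ipvlan networks:"
    docker network ls --filter driver=macvlan --filter driver=ipvlan --format '  {{.Name}} ({{.Driver}})'
    ;;
esac
```

If the scan finds nothing, the MAC Hetzner saw was not emitted by this host's interfaces or its bridge-networked containers, which is exactly the information to bring to the support ticket.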

I did an audit with tcpdump and saw that the IP addresses from which the packets leave do not belong to me.
13:14:39.393565 IP 62.141.44.38.30333 > 172.18.0.2.33060: Flags [P.], seq 708:1412, ack 1, win 130, options [nop,nop,TS val 4238507880 ecr 1723023175], length 704

No messages if I stop Docker

Isn’t that the IP address of your machine?

nslookup 62.141.44.38
38.44.141.62.in-addr.arpa	name = vps2244359.fastwebserver.de.

Of course, if you stop Docker, Docker containers can’t communicate since they are not running :) 172.18.0.2 is a container IP on a custom Docker network.

no,

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 44:8a:5b:84:7b:63 brd ff:ff:ff:ff:ff:ff
    inet 5.9.16.173/32 scope global enp2s0
       valid_lft forever preferred_lft forever
    inet6 2a01:4f8:160:90ae::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::468a:5bff:fe84:7b63/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:cd:58:90:c3 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
4: br-e739098f0997: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:99:dd:0e:84 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-e739098f0997
       valid_lft forever preferred_lft forever
    inet6 fe80::42:99ff:fedd:e84/64 scope link
       valid_lft forever preferred_lft forever
14: vethdd75965@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-e739098f0997 state UP group default
    link/ether 52:8a:ea:69:0b:39 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::508a:eaff:fe69:b39/64 scope link
       valid_lft forever preferred_lft forever

Then again, ask Hetzner to help you find out what that IP address belongs to.

Docker “br-e739098f0997” reserved 172.18.0.1/16 brd 172.18.255.255
I think that’s the problem.

Why is that a problem? That is an internal network. At least it should be. But only Hetzner can tell you if they use the same IP somewhere.

They reported the issue:
We have detected that your server is using different MAC addresses from those allowed by your Robot account.

I understand that they reported that to you, but it is not enough. You need to contact them for more details and help. It does not look like a Docker issue, and I have no idea how you could use any invalid MAC address seen by Hetzner. I can’t imagine that the Docker networks can cause any problem, and if they can, that is something Hetzner should fix in their network, since you won’t be the only person who uses Docker. Since you didn’t find the MAC address on your machine, the logical next step is contacting Hetzner and solving the problem together.