Today I received an abuse from Hetzner:
We have detected that your server is using different MAC addresses from those allowed by your Robot account.
I think the problem is with Docker and want to try to change:
"com.docker.network.bridge.enable_ip_masquerade"="false"
I tried to do this but I get an error: sudo docker network create --attachable --opt 'com.docker.network.bridge.enable_ip_masquerade=false' bridge
Error response from daemon: operation is not permitted on predefined bridge network.
Docker won’t change your MAC address. Hetzner and any client would see your server as a sender or receiver and not the Docker container. Did Hetzner tell you what MAC address seems to be the one that is not permitted?
To tell you the truth I don’t even know what the ip_masquerade option is for in this case. I couldn’t see any difference in the IP addresses when I disabled it on a custom docker network.
Do you have multiple machines at Hetzner? If you don’t and you can’t find the MAC address, ask them to tell you why they think you use that MAC address. Maybe they made a mistake or they can give you more information to help you identify the issue.
Raise a support ticket and ask them for guidance on how docker is supposed to be run on their machines to not raise an alert.
AFAIR, masquerade should hide the hosts of the container network (as in acts as a NAT).
If I am not mistaken, you should see a difference in outgoing traffic from the container.
Just to be sure: you are not trying to use a macvlan network, are you?
N.B.: networks and named volumes are immutable. Once created, their configuration cannot be changed. You need to delete and re-create them using the new parameters. In the case of the default networks: make sure to inspect it to see the current configuration before you delete it - you might want to re-use parts or the complete configuration and change or add parameters as you need.
I did an audit with tcpdump and saw that the IP addresses from which the packets leave do not belong to me.
13:14:39.393565 IP 62.141.44.38.30333 > 172.18.0.2.33060: Flags [P.], seq 708:1412, ack 1, win 130, options [nop,nop,TS val 4238507880 ecr 1723023175], length 704
I understand that they reported that to you, but it is not enough. You need to contact them for more details and help. It does not look like a Docker issue and I have no idea how you could use any invalid MAC address seen by Hetzner. I can’t imagine that the docker networks can cause any problem and if they can, that is something Hetzner should fix in their network since you won’t be the only person who uses Docker. Since you didn’t find the MAC address on your machine, the logical next step is contacting Hetzner and solving the problem together.
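One way to carry out the check the thread keeps returning to, finding which source MAC addresses actually leave the host, shown as an added example that is not part of the original posts: it parses `tcpdump -e -n` output captured on the uplink interface (for instance with `-Q out`, so only outgoing frames are listed) and reports every source MAC that is not on the allowed list. The interface name, MAC addresses and capture lines below are constructed for illustration.

```python
import re
from collections import Counter

# Link-level header printed by `tcpdump -e -n`:
#   <time> <src MAC> > <dst MAC>, ethertype <type> (0x....), length N: ...
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME_RE = re.compile(
    rf"^\S+ (?P<src>{MAC}) > (?P<dst>{MAC}), ethertype (?P<etype>\w+)", re.I)

def is_locally_administered(mac):
    """True if the U/L bit is set, as on software-generated MACs (veth, bridge, macvlan)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def unexpected_source_macs(lines, allowed_macs):
    """Summarise frames whose source MAC is not in allowed_macs."""
    allowed = {m.lower() for m in allowed_macs}
    frames, etypes = Counter(), {}
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if not m:  # capture banner, continuation lines, truncated output
            continue
        src = m["src"].lower()
        if src in allowed:
            continue
        frames[src] += 1
        etypes.setdefault(src, set()).add(m["etype"])
    return {mac: {"frames": n,
                  "ethertypes": sorted(etypes[mac]),
                  "locally_administered": is_locally_administered(mac)}
            for mac, n in frames.items()}

# Constructed values: the MAC the provider assigned to the server's NIC.
ALLOWED = {"00:00:5E:00:53:10"}

# Constructed sample of `tcpdump -e -n -Q out -i eth0` output.
SAMPLE = """\
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:00:00.000001 00:00:5e:00:53:10 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 770: 192.0.2.10.33060 > 198.51.100.7.30333: Flags [P.], length 704
13:00:00.000002 02:42:ac:12:00:02 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 74: 192.0.2.77.40000 > 198.51.100.7.443: Flags [S], length 0
13:00:00.000003 02:42:ac:12:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.77, length 28
13:00:00.000004 00:00:5e:00:53:10 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 66: 192.0.2.10.33060 > 198.51.100.7.30333: Flags [.], length 0
""".splitlines()

if __name__ == "__main__":
    for mac, info in unexpected_source_macs(SAMPLE, ALLOWED).items():
        print(mac, info)
```

An empty result on a real capture means only the allowed MAC is sending; a reported address with the locally-administered bit set points at a virtual interface on the host rather than a physical NIC.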