How to get real IP from user in container (NOT HTTP) using docker bridge networking mode?

General
,
1

Nginx & Minecraft Server
I have many services built with docker in my server, e.g. Web (Nginx), Database (MySQL), Discord Bot

Before this, I only had the need for the web applications to get the user’s real IP. So I set the Nginx reverse proxy, and it working as well. Only I need to do is sending the header X-REMOTE-ADDR to the app container.

But, One of thoese services is Minecraft Server. It’s not using HTTP protocol… So maybe I can’t no longer use Nginx as my reverse proxy like before. But I do have the need to get the user IP in the application…

Why don’t use host networking mode
Like I said, my server has many services running, If I set networking mode to “host” to them, and one of thoese apps got the vulnerability… like RCE, then hacker may can access any other containers by IP 172.xx.xx.xx, um… it’s too dangerous.

Please help me, on the premise that “containers cannot communicate with each other”, so that non-HTTP protocol applications can obtain the user's real IP instead of the gateway's IP in the container.

2

To be honest I have no idea how MineCraft works, but after a quick search I found this opensource proxy for MineCraft: https://www.spigotmc.org/wiki/bungeecord/

There is a Docker image on Docker Hub: https://hub.docker.com/r/itzg/bungeecord

You could also continue using NginX with the stream module to proxy udp or tcp connection.

http://nginx.org/en/docs/stream/stream_processing.html

3

Thank you for replying.
Yes, I know there are these mods (or plugins) of minecraft, and nginx’s stream functionality.
But none of these work because the package has been modified “source ip” (ip protocol) before entering the docker container by docker gateway.

I found the docker daemon setting “userland-proxy”.
Google said that set this to false, then docker container will get the real ip from users.
Unfortunately, is not working to me. :cry:

4

If the proxy is running in a container shouldn’t ip forwarding work?

https://www.spigotmc.org/wiki/bungeecord-ip-forwarding/

https://shockbyte.com/billing/knowledgebase/38/IP-Forwarding-in-BungeeCord.html

The proxy container’s port has to be published (forwarded from the host) so when you access the proxy container remotely from another machine, the proxy container should see your real IP. Then the proxy can do what it can to forward it to the server. If bungeecord was created for MineCraft, it should be able to handle that.

5

With the help of my friends, I have found a good way to temporarily meet my needs
Manually proxy traffic by directly changing iptables instead of docker gateway.

For example, to forward 25566 traffic to 172.17.0.2:25565, add two new iptable rules:

iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 25566 -j DNAT --to-destination 172.17.0.2:25565

iptables -A FORWARD -p tcp -d 172.17.0.2 --dport 25565 -j ACCEPT

The “ppp0” is the network card to monitor the traffic.
In this way, traffic can be manually forwarded into the container without being handed over to the docker gateway for forwarding.

Anyway, thank you for your patience.