Hello!
I moved a running OpenVPN configuration from a native host to a docker container running on another host. Everything works well except iptables connection tracking.
The container is using a macvlan network with a separate LAN IP. My Internet router is forwarding TCP/UDP ports to this IP.
In my setup, I want to allow connections from the internal LAN network (192.168.64.0/21) to devices connected using VPN (the subnet behind the VPN is 10.21.0.0/16).
Inside the container, the following iptables rules are created (which work well on the native host):
pkts bytes target prot opt in out source destination
4 200 all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
5 260 all -- * * 0.0.0.0/0 0.0.0.0/0
1 60 ACCEPT all -- * * 192.168.64.0/21 10.21.0.0/16 ctstate NEW
0 0 ACCEPT all -- * * 10.0.0.0/8 192.168.66.90
0 0 ACCEPT all -- * * 192.168.66.90 10.0.0.0/8
4 200 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "FIREWALL: "
4 200 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
The counters above were collected with a single TCP connection from 192.168.64.231 to 10.21.0.3.
One packet is classified as NEW, but the rest are classified as INVALID, although they should match RELATED,ESTABLISHED.
All IP addresses are correctly set; no SNAT or DNAT occurs in the meantime. Only conntrack is not working inside the container's network namespace.