Docker Community Forums

Share and learn in the Docker community.

IPTables help. Can ping out, but no response


(Justin Bodnar) #1

Hey everyone, I’m running into an issue with OpenVPN. I’m hoping somebody can offer some guidance. Here’s my setup.

I’m running an openVPN machine in a docker container. The container connects two networks together, on two interfaces. eth0 is our LOCAL physical switch in our house (10.64.0.102 /22 is our IP on the lan), while eth1 is our PRIVATE subnet (172.30.0.1 / 24 is our IP)

Here’s a diagram I put together.

If I connect to a machine at 172.30.0.6 / 24 (little debian server),
and I ping google (8.8.8.8) …
I SEE the packets going OUT: – I can do a ‘tcpdump -nni eth0 icmp’:
the openvpn container (10.64.0.102) (this can ping google (8.8.8.8) w replies)
the dockerhost that the container is running on (10.64.0.101) and THIS can ping successfully 8.8.8.8 (google) w replies
our firewall (10.64.0.1) and THIS can ping google w replies)

EVERYTHING WORKS for pinging from anything, WITH REPLIES from 8.8.8.8, EXCEPT for 172.30.0.6 machine.
From 172.30.0.6, I can see the OUTGOING pings on: a) the dockerhost b) the firewall
but never see the replies.

I think it has to do with IP Masquerading or NAT…
My guess is that the packets going out, to google, are making it to google, but the replies are going to 172.30.0.6, which is NOT my PUBLIC IP address.
I’ve googled every variation of iptables rules used to fix similar issues but to no avail, I’m stuck. Any help would be appreciated. Thanks.


(Justin Bodnar) #2

Found my fix. For others in similar situations, run this on the openvpn container:

# set us NAT masquerading
iptables -t nat -A POSTROUTING -s 172.30.0.0/24 -o eth0 -j MASQUERADE

# stop communication from subnet to 10.64.0.0/22 network
iptables -A FORWARD -d 10.64.0.0/22 -j REJECT