Docker Community Forums


New user - Set default gateway of container to other machine in LAN


(Breakertripper) #1

I’m trying to set up a container that will use a machine in my LAN as the default gateway. This machine is an Odroid XU4 running Arch Linux currently connected to a VPN.

I have IP forwarding set and have added the iptables rules necessary to the XU4. IP forwarding is also enabled on the Fedora 26 machine (docker host) running docker 1.13.1

I have tried passing --default-gateway=192.168.1.44 in the docker.service file but this causes the service to fail to load. I have a feeling I have to create a bridge by specifying more parameters but I’m unsure how to do that. Also, I may run more than one container so I’d rather change the gateway setting per container individually.

I have also considered setting up a PPTP connection locally without encryption (to spare resources – I’m not scared of a local attack).

Does anyone know what needs to be done?

Docker is running on Fedora 26, build 27e468e/1.13.1

Thank you very much!


(Sreenivas Makam) #2

Are you planning to change the default gateway for container’s internet access or for some other reason?
The following parameters are available for the bridge w.r.t. IP and gateway:
bip
fixed-cidr
default-gateway

Did you try changing all the above 3? You can check the service logs to see what error you are getting.

Regards
Sreenivas


(Breakertripper) #3

I only changed the --default-gateway=192.168.1.44 option for the daemon.

To give more background: My LAN is on 192.168.1.0/24. My docker host IP is 192.168.1.50/24. My regular default gateway is my router, 192.168.1.1/24, and the desired target gateway is 192.168.1.44/24.

I have tried
sudo docker network create --gateway 192.168.1.44 --subnet 192.168.1.0/24 netx
and then
sudo docker run --name vpn --cap-add=NET_ADMIN --network netx -i -t base/archlinux /bin/bash

I have also tried
sudo docker network create --aux-address "DefaultGatewayIPv4=192.168.1.44" --subnet 192.168.1.0/24 nety
and then
sudo docker run --name vpn --cap-add=NET_ADMIN --network nety -i -t base/archlinux /bin/bash

I know I’m probably missing something fundamental about bridging here. I don’t have much knowledge of the subject. I’m not sure how to create the bridge network.

Is this something that can be done or should I consider trying the PPTP option?


(Sreenivas Makam) #4

Hi
I am not fully clear on your usecase. What is the reason that you want to set default gateway manually in the container?
In the bridge network, which is the default, containers in the same bridge network can talk over the bridge. When containers need to access the external world, it is done using the default gateway on the host, and the IP masquerading rule in the host's iptables will take care of it. Inside the container, the default gateway will still point to the bridge IP, but the container will still be able to access the outside world.


(Breakertripper) #5

I want the container to use the VPN connection of the host at 192.168.1.44/24. Privacy is the reason. For everyday regular traffic, the host does not need to be connected to the VPN. I just want to protect the container if possible.


(Sreenivas Makam) #6

This is not possible with bridge driver. You can try doing this with custom bridge and iptables, but that would be quite some work. The default with bridge driver is for container to use same gateway as the host for internet access.


(Alex Rothberg) #7

Has there been any update on this? What I am trying to accomplish is to run a VPN as one container and have another container route its traffic through the VPN container.


(Mfrank) #8

To route one container through another you can alter the default gateway using ‘ip route’.
This can be done either by adding NET_ADMIN caps to your container and executing the command in the container or, if you don’t want to add caps to the container, you can also execute it from the host by entering the network namespace manually using nsenter.

Note that this will slightly break container-to-host communication, so you might also have to set a route to your host network via the original Docker gateway. Also, this only works on custom bridges, as the default bridge isolates containers by default.
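The approach in the reply above (change the client's default route from the host with nsenter, and keep a route back to the LAN via the original bridge gateway), written out as an added example. This script is not from the thread or from Docker; the network name `vpnnet`, the subnet `172.28.0.0/24`, the container names `vpn` and `client`, the image variables and the host LAN `192.168.1.0/24` are all assumptions. It adds one check a practitioner wants: a `via` gateway must be on-link in the container's subnet, or `ip route replace default via ...` is rejected by the kernel, which is also why pointing a bridge at a LAN address such as 192.168.1.44 cannot work. The VPN container itself still has to forward and masquerade the client's packets out of its tunnel interface; that depends on the VPN image and is not handled here.

```shell
#!/bin/sh
# Added example (not from the thread): route the 'client' container through the
# 'vpn' container on a user-defined bridge, applied from the host via nsenter.
# All names, addresses and images below are assumptions; run as root.
set -eu

NET=${NET:-vpnnet}
SUBNET=${SUBNET:-172.28.0.0/24}      # assumed user-defined bridge subnet
BRIDGE_GW=${BRIDGE_GW:-172.28.0.1}   # Docker's gateway on that bridge
VPN_IP=${VPN_IP:-172.28.0.10}        # fixed address for the vpn container
HOST_LAN=${HOST_LAN:-192.168.1.0/24} # host network that must stay reachable
VPN_IMAGE=${VPN_IMAGE:-}             # assumed: a VPN image that forwards + NATs
CLIENT_IMAGE=${CLIENT_IMAGE:-alpine} # assumed client image

# Dotted-quad IPv4 address -> unsigned integer (POSIX sh, no external tools).
ip4_to_int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if address $1 lies inside CIDR $2, e.g. in_subnet 172.28.0.10 172.28.0.0/24
in_subnet() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( 0xFFFFFFFF ^ ((1 << (32 - bits)) - 1) ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# Emit the commands to run inside the client's network namespace.
# $1 = gateway container IP, $2 = bridge subnet, $3 = bridge gateway, $4 = host LAN
# The new gateway must be on-link in the bridge subnet, otherwise the kernel
# refuses the route ("Nexthop has invalid gateway"); fail early instead.
route_cmds() {
  in_subnet "$1" "$2" || { echo "gateway $1 is not on-link in $2" >&2; return 1; }
  echo "ip route replace default via $1"
  # Keep the host (and the rest of the LAN) reachable via the original gateway,
  # otherwise that traffic would now be sent into the VPN container too.
  echo "ip route replace $4 via $3"
}

# Apply the routes from the host: find the container's init PID and enter its
# network namespace with nsenter, so the client needs no NET_ADMIN capability.
# $1 = client container name; $2..$5 as for route_cmds
apply_routes() {
  pid=$(docker inspect -f '{{.State.Pid}}' "$1")
  cmds=$(route_cmds "$2" "$3" "$4" "$5")
  printf '%s\n' "$cmds" | while read -r cmd; do
    nsenter -t "$pid" -n $cmd   # unquoted on purpose: split into argv
  done
}

case "${1:-}" in
  setup)
    [ -n "$VPN_IMAGE" ] || { echo "set VPN_IMAGE" >&2; exit 1; }
    # A user-defined bridge: containers on it can reach each other by IP.
    docker network create --subnet "$SUBNET" --gateway "$BRIDGE_GW" "$NET"
    # The VPN container needs NET_ADMIN and /dev/net/tun, and must forward.
    docker run -d --name vpn --network "$NET" --ip "$VPN_IP" \
      --cap-add=NET_ADMIN --device /dev/net/tun \
      --sysctl net.ipv4.ip_forward=1 "$VPN_IMAGE"
    # The client gets no extra capabilities; its routes are set from the host.
    docker run -d --name client --network "$NET" "$CLIENT_IMAGE" tail -f /dev/null
    apply_routes client "$VPN_IP" "$SUBNET" "$BRIDGE_GW" "$HOST_LAN"
    ;;
  show)
    # Verify from the host what the client now sees as its routing table.
    nsenter -t "$(docker inspect -f '{{.State.Pid}}' client)" -n ip route
    ;;
esac
```

Run `sh route-via-vpn.sh setup` once, then `sh route-via-vpn.sh show` should list `default via 172.28.0.10` and `192.168.1.0/24 via 172.28.0.1`. The routes live only in the client's network namespace, so they vanish when the container is recreated and have to be reapplied.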