Docker Community Forums


[solved] Docker networking - routing containers

docker

(User10e32) #1

I have created a user-defined network and used it in my compose file:

version: "3"
services:

  proxy:
    build: ./proxy
    networks:
      - network1
  app:
    build: ./app
    networks:
      - network1

networks:
  network1:
    driver: custom-driver-1

Now both containers are connected to the same network.

How can I create iptables rules or a gateway to guide all the traffic from the app container to the proxy container and then to the external web (without changing or creating iptables rules on the host…)?

I am completely new to routing, Linux gateways and iptables. I want to move my system from VirtualBox to Docker (I have built such a system in VirtualBox, with the app running in an internal network, combining some tutorials).

iptables rules I use in the VirtualBox proxy machine:

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080
sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

(David Maze) #2

There is only one iptables setup and it’s the host’s. Containers don’t have their own firewall rules.

Most Linux programs honor an http_proxy environment variable (by convention all lowercase) and you can set this from the Docker Compose file; that may or may not achieve what you want. In this context you could set it to the name of the proxy container running on the locally-defined Docker network.


(User10e32) #3

How is the next sentence possible?

Containers don’t have their own firewall rules

Containers are created using Linux distros and it is possible to create iptables rules in Linux to route traffic. An iptables command such as iptables -L is allowed when running a container in --privileged mode.
I have not created any rules to test whether iptables rules are working or not.
From this reply I understand that a Docker container does not follow rules that are created in the container, or did I misunderstand it? Why can't users create firewall rules?


(David Maze) #5

I’m pretty sure you’re looking at the host’s firewall rules. --privileged says “turn off many of the basic security knobs that prevent containers from breaking the host” and this is one of them.


(User10e32) #6

What I have done so far:
My compose file:

version: '2'
services:
    client11:
        container_name: client_11
        restart: always
        image: debian:jessie
        ports:
          - "80"
        networks:
            vpcbr:
                ipv4_address: 10.6.0.5
        tty: true

    proxy11:
        container_name: proxy_11
        restart: always
        image: debian:jessie
        networks:
            vpcbr:
                ipv4_address: 10.6.0.6
        tty: true

networks:
    vpcbr:
        driver: bridge
        ipam:
          config:
            - subnet: 10.6.0.0/16
              gateway: 10.6.0.1

In proxy11:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

In client11:
ip route del default
ip route add default via 10.6.0.6

I can ping google.com in client11, but I cannot install packages or update Linux.
Why can I ping, but not install packages?

Output of the ip route command in client11:
default via 10.6.0.6 dev eth0
10.6.0.0/16 dev eth0 proto kernel scope link src 10.6.0.5
Output of the iptables -nvL -t nat command in client11:

Chain PREROUTING (policy ACCEPT 6 packets, 1014 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 62 packets, 4080 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  117  7074 DOCKER_OUTPUT  all  --  *      *       0.0.0.0/0            127.0.0.11          

Chain POSTROUTING (policy ACCEPT 179 packets, 11154 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  117  7074 DOCKER_POSTROUTING  all  --  *      *       0.0.0.0/0            127.0.0.11          

Chain DOCKER_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            127.0.0.11           tcp dpt:53 to:127.0.0.11:35379
  117  7074 DNAT       udp  --  *      *       0.0.0.0/0            127.0.0.11           udp dpt:53 to:127.0.0.11:58568

Chain DOCKER_POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       tcp  --  *      *       127.0.0.11           0.0.0.0/0            tcp spt:35379 to::53
    0     0 SNAT       udp  --  *      *       127.0.0.11           0.0.0.0/0            udp spt:58568 to::53

(User10e32) #7

Sorry!
All is working now; I forgot to add my proxy certificates.
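
The setup from post #6 and the certificate remark in post #7, as an added example that is not code from the thread or from Docker: a POSIX shell script that writes the Compose file, applies the gateway rules inside the proxy container's own network namespace with only CAP_NET_ADMIN instead of --privileged, replaces the client's default route, and parses iptables -nvxL output to confirm that the MASQUERADE rule is actually matching packets. The project directory, service names, image, subnet, addresses and the optional PROXY_PORT are assumptions, not values from the thread, and the sample nat table near the end is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: "proxy" becomes the default gateway
# for "client" on a user-defined bridge using CAP_NET_ADMIN, not --privileged.
# Assumed, not from the thread: project dir ./gw-demo, subnet 10.6.0.0/24, proxy
# 10.6.0.6, client 10.6.0.5, debian:bullseye, optional PROXY_PORT on which an
# intercepting proxy listens inside "proxy".
set -eu
PROJECT_DIR=${PROJECT_DIR:-./gw-demo}
SUBNET=10.6.0.0/24
PROXY_IP=10.6.0.6
PROXY_PORT=${PROXY_PORT:-}   # e.g. 8080; empty means plain NAT, no interception
compose() { docker compose --project-directory "$PROJECT_DIR" "$@"; }

# CAP_NET_ADMIN lets iptables/ip edit the container's *own* network namespace
# only; privileged: true would also work but drops far more isolation.
write_compose() {
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<EOF
version: "3.7"
services:
  proxy:
    image: debian:bullseye
    command: sleep infinity
    cap_add: [NET_ADMIN]
    sysctls:
      net.ipv4.ip_forward: "1"              # forwarding is per network namespace
      net.ipv4.conf.all.send_redirects: "0" # no ICMP redirects that bypass the gateway
    networks:
      vpcbr: { ipv4_address: $PROXY_IP }
  client:
    image: debian:bullseye
    command: sleep infinity
    cap_add: [NET_ADMIN]                    # only needed to replace its default route
    networks:
      vpcbr: { ipv4_address: 10.6.0.5 }
networks:
  vpcbr:
    driver: bridge
    ipam:
      config:
        - subnet: $SUBNET
EOF
}

# Rules for the proxy's own namespace: forward only the internal subnet,
# masquerade it behind the proxy's address and, with PROXY_PORT set, redirect
# 80/443 to the intercepting proxy (for 443 the client must trust its CA).
gateway_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o eth0 -s $SUBNET -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $SUBNET -o eth0 -j MASQUERADE
EOF
  [ -z "$PROXY_PORT" ] || cat <<EOF
iptables -t nat -A PREROUTING -s $SUBNET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
iptables -t nat -A PREROUTING -s $SUBNET -p tcp --dport 443 -j REDIRECT --to-ports $PROXY_PORT
EOF
}

# Replace the client's default route (via the Docker bridge) with the proxy.
client_routes() { echo "ip route replace default via $PROXY_IP dev eth0"; }

setup() {
  write_compose "$PROJECT_DIR/docker-compose.yml"
  compose up -d
  for svc in proxy client; do   # the base image ships neither iptables nor ip
    compose exec -T "$svc" sh -c 'apt-get -qq update && apt-get -qq install -y iptables iproute2'
  done
  gateway_rules | compose exec -T proxy sh -e
  client_routes | compose exec -T client sh -e
}

# Read "iptables -t nat -nvxL" output on stdin (-x: exact counters, no K/M
# suffix) and print the packets matched by TARGET rules in CHAIN, or "absent".
nat_rule_hits() {
  awk -v chain="$1" -v target="$2" '
    /^Chain /        { cur = $2; next }
    /^ *pkts +bytes/ { next }
    NF >= 3 && cur == chain && $3 == target { found = 1; pkts += $1 }
    END { print (found ? pkts : "absent") }'
}

# Constructed sample of the proxy's nat table after the client has sent
# traffic: MASQUERADE has been hit, the port-80 REDIRECT has not.
SAMPLE_PROXY_NAT='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 REDIRECT   tcp  --  *      *       10.6.0.0/24          0.0.0.0/0            tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT 3 packets, 252 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42       3150 MASQUERADE  all  --  *      eth0    10.6.0.0/24          0.0.0.0/0'

diagnose() {
  echo "proxy ip_forward: $(compose exec -T proxy cat /proc/sys/net/ipv4/ip_forward)"
  echo "proxy MASQUERADE hits: $(compose exec -T proxy iptables -t nat -nvxL | nat_rule_hits POSTROUTING MASQUERADE)"
  echo "client default route: $(compose exec -T client ip route show default)"
}

case "${1:-}" in
  setup|diagnose) "$1" ;;
  demo) printf '%s\n' "$SAMPLE_PROXY_NAT" | nat_rule_hits POSTROUTING MASQUERADE ;;
  *) : ;;  # no argument: only define the functions
esac
```

sh gw-demo.sh setup brings the pair up and sh gw-demo.sh diagnose prints ip_forward, the MASQUERADE hit count and the client's default route; sh gw-demo.sh demo runs the parser over the constructed table offline. Two checks matter when ping works but package installs do not: the MASQUERADE counter only rises if the client's traffic really passes through the proxy (a Linux router that forwards back out the interface it received on sends ICMP redirects by default, which would quietly route the client around the gateway, hence send_redirects set to 0), and with PROXY_PORT set, connections to port 443 are terminated by the proxy, so the client must trust its CA, which is what post #7 resolved. The environment-variable approach from post #2 (http_proxy pointing at the proxy service name) needs no capabilities at all, but only covers programs that honour it.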


(1367) #8

Hi everybody,
I'm new to Docker.
I have a container on a CentOS 7 machine in workstation. When I want to use scp from another machine (CentOS 6.8) on workstation to this container I face this:
ssh: connect to host 172.17.0.2 port 22: No route to host
lost connection
Both the container and the machine can ping each other.
Could anybody help me?
I will be thankful.