
I have freeradius inside a docker container (in docker-machine on osx) that's sending a UDP packet on a particular port (1812). My logs inside the container show sending on 1812, but when I sniff the packet on the host (OSX) it's on some random UDP port.

Is there a way to control the outgoing port in docker-machine? ie -> container sends on 1812 also leaves the host on 1812.

Should I be using virtualbox port forwarding for this?

roocell
  • after some more thought, I think it's the NAT in docker-machine that's causing my issue. my container (172.16.0.4) sends a UDP packet out on port 1812, but since the docker-machine (192.168.99.100) is doing NAT it sends it out on a random port as the source port. I haven't confirmed it, but my suspicion is that Airport Extreme radius client is expecting to receive the radius packet with a source port of 1812 (the same port configured for the radius server) – roocell Jan 30 '16 at 16:31
  • I've created a 3rd adapter in docker-machine than runs in "bridged adapter" mode. This then gives the docker-machine an IP on my LAN. Everything seems to work in this case - proving the docker-machine NAT is the culprit of modifying the source port (as is intended by NAT obviously). Still looking for an answer that can accomplish changing the source port of packets out of a NAT'd docker-machine. I've also posted a question on http://superuser.com/questions/1033530/bsd-osx-pf-nat-change-source-port-on-outgoing-udp-packets as this is becoming more of a host configuration networking problem. – roocell Jan 30 '16 at 19:11

2 Answers


It depends on how the container was run.
If it was with the -P (publish) option, that would map any EXPOSE'd port to a random host port.

Make sure to map at container runtime your port to a fixed port (-p 1912:1812: -p hostPort:ContainerPort), and make sure to port-forward that in your VM Network setting as in "Connect to a Service running inside a docker container from outside".

VonC
  • so you're saying I shouldn't use the -p option (I'm currently using "-p 18120:1812"), but rather use VBoxManage to do port forwarding? – roocell Jan 30 '16 at 15:08
  • @roocell you need both: publish (the -p one, not -P) to control how the container port is mapped on the Linux port (the boot2docker one). And VirtualBox port forward in order to expose that port (in tcp *and*, in your case, udp) to the host. – VonC Jan 30 '16 at 17:51
  • I don't think it's docker that's the problem. I think it's the NAT in docker-machine – roocell Jan 30 '16 at 18:36
  • @roocell first, if your container is run with the -P option, that means *random* mapping of the port to the Linux host: that would be an issue right there. – VonC Jan 30 '16 at 18:40
  • I just confirmed my suspicions - it's the NAT in docker-machine. see my comment attached to my question. while your answer isn't wrong - it wasn't quite what I was looking for. ie - control docker-machine outgoing ports while running NAT mode. – roocell Jan 30 '16 at 19:08
  • @roocell interesting. All my VMs are always in NAT though. – VonC Jan 30 '16 at 19:26

While I haven't been able to figure out how to force the source port for outgoing packets of docker-machine while running NAT mode, I did resolve my problem by adding a bridged adapter in VirtualBox. This puts the docker-machine interface right on your LAN and it will get served an IP address. This removes NAT from the equation and the packets from the containers retain the outgoing source port.

This virtualbox config can be done through the GUI or by running the following command.

docker-machine stop <machine-name>
VBoxManage modifyvm <machine-name> --nic3 bridged --bridgeadapter3 en0
docker-machine start <machine-name>

As VonC also stated you do need to publish the ports using the -p flag when running your docker container.

roocell