
I have a docker setup which disabled its default behaviour of tampering with iptables. So everything works perfectly fine: I can allow or block a specific port to the outside world by specifying a rule in ufw. Until I found the problem of not being able to access the real IP of the client accessing the website. All I see is 172.0.0.1 inside my container, which is the IP of the docker0 network.

I found a solution that asked me to add the below to my iptables:

iptables -t nat -A PREROUTING ! -i docker0 -p tcp --dport 80 -j DNAT --to-destination 172.17.0.7:80

where 172.17.0.7 is the IP of the proxy container. Now the problem is that this IP tends to change if it happens to reboot, and then my rule will no longer be valid.

Is there any elegant way of solving this issue without going down the route of assigning static IPs to containers, if that is at all possible?

Let me know if you need to see any more details of my setup. I am happy to post them.

Deepak
  • If this is off-topic, can someone move this to the relevant forum? I'm not sure why we even have docker, ubuntu, ufw and iptables tags if I can't post a question related to them. – Deepak Mar 15 '17 at 01:03
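The question's DNAT rule hard-codes the proxy container's bridge address, which is why it breaks after a reboot. The following script is an added example, not code from the question or either answer: it looks the address up with `docker inspect` at run time, validates it, and replaces any stale DNAT rule for the port. It assumes the container is named `proxy` (a hypothetical name), that `docker0` is the bridge, and that `iptables` and `docker` are on PATH when `apply_dnat_rule` is invoked.

```shell
#!/bin/sh
# Added example: refresh the PREROUTING DNAT rule from the container's live IP.
# Assumptions: container name "proxy" (hypothetical), bridge docker0, and
# docker/iptables available when apply_dnat_rule runs. Usage: apply_dnat_rule 80 proxy

# Validate a dotted-quad IPv4 address so a malformed or empty `docker inspect`
# result (e.g. a stopped container returns "") never lands in a firewall rule.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Build the rule body that follows "-A/-C/-D PREROUTING" for a port/IP pair;
# this mirrors the rule from the question with the IP filled in.
dnat_rule_spec() {
  port=$1; ip=$2
  printf '%s' "! -i docker0 -p tcp --dport $port -j DNAT --to-destination $ip:$port"
}

# Current bridge address of a container, as reported by the Docker engine.
container_ip() {
  docker inspect -f '{{.NetworkSettings.IPAddress}}' "$1"
}

# Replace any stale DNAT rule for the port with one pointing at the live IP.
# -C (check) makes the call idempotent: nothing changes if the rule already matches.
apply_dnat_rule() {
  port=$1; name=$2
  ip=$(container_ip "$name") || return 1
  valid_ipv4 "$ip" || { echo "no valid IPv4 address for container '$name': '$ip'" >&2; return 1; }
  spec=$(dnat_rule_spec "$port" "$ip")
  if iptables -t nat -C PREROUTING $spec 2>/dev/null; then
    return 0
  fi
  # Remove every existing DNAT rule for this port (old addresses), then add the new one.
  iptables -t nat -S PREROUTING | grep -- "--dport $port -j DNAT" | sed 's/^-A/-D/' |
    while read -r del; do iptables -t nat $del; done
  iptables -t nat -A PREROUTING $spec
}
```

Running it from a systemd unit ordered after `docker.service` (or from the proxy container's start hook) keeps the rule current across reboots without pinning a static address.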

2 Answers

You can try running dockerd without the userland proxy, which is the process that masks the IP.

--userland-proxy=false

There are various issues in doing that though.

Otherwise, routing "real" IPs to containers is the cleanest solution.

Matt

Alternatively, consider the "What is the best practice of docker + ufw under Ubuntu" solution.

The POSTROUTING solution, iptables -t nat -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE, worked better for me.

Te Ri