
I am working on this issue: how to assign a specific network interface to a docker container.

Now I am using the solution with a subnet and iptables found on this page: https://github.com/moby/moby/issues/30053

docker network create NETWORK --subnet=192.168.1.0/24 --gateway=192.168.1.1 # choose an unused subnet
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source OUTGOING_IP # remember that Docker also edits POSTROUTING
docker network connect NETWORK CONTAINER # or with Compose

I am not familiar with networking. I simply run:

docker network create mynetwork

Docker handles the subnet stuff for me, and I inspect its info:

[
{
    "Name": "mynetwork",
    "Id": "b61fc94a84f43c186d208d7406f6a3869cae3f6e4a5ed6cd01e6df30ed926a68",
    "Created": "2017-09-15T06:29:36.582492084Z",
    "Scope": "local",
    "Driver": "bridge",
    "EnableIPv6": false,
    "IPAM": {
        "Driver": "default",
        "Options": {},
        "Config": [
            {
                "Subnet": "172.18.0.0/16",
                "Gateway": "172.18.0.1"
            }
        ]
    },
    "Internal": false,
    "Attachable": false,
    "Ingress": false,
    "ConfigFrom": {
        "Network": ""
    },
    "ConfigOnly": false,
    "Containers": {},
    "Options": {},
    "Labels": {}
}

]

Following the steps, I run this on the host (1.2.3.4 is the IP of eth1, through which I want the outbound traffic from the docker container to go):

iptables -t nat -I POSTROUTING -s 172.18.0.0/16 -j SNAT --to-source 1.2.3.4

Checking iptables:

iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.18.0.0/16        0.0.0.0/0            to:1.2.3.4
MASQUERADE  all  --  172.18.0.0/16        0.0.0.0/0           
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:3306
MASQUERADE  tcp  --  172.17.0.3           172.17.0.3           tcp dpt:443
MASQUERADE  tcp  --  172.17.0.3           172.17.0.3           tcp dpt:80

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306 to:172.17.0.2:3306
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.17.0.3:443
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.3:80

Running "curl ifconfig.co", I still get the IP of eth0, not eth1. Did I miss anything?

I want to create several subnets, with only one user in each subnet. What should I specify in the "--subnet" argument to do that?

Thanks.

ロジャー
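Two things a practitioner would check before trusting the subnet + SNAT recipe quoted in the question. First, the nat POSTROUTING chain is evaluated top-down and the first matching terminating target wins, so the SNAT rule only takes effect for connections whose source address actually falls in the SNATed subnet; a container that is still attached to the default bridge (172.17.0.0/16 in the listing) and routes out through it hits Docker's MASQUERADE instead. Second, SNAT runs after the kernel has already picked the outgoing interface, so it does not by itself move traffic from eth0 to eth1; that needs a policy route such as `ip rule add from 172.18.0.0/16 table 100` and `ip route add default via <eth1 gateway> dev eth1 table 100` (the eth1 gateway address is an assumption; the question does not give it). The script below is an added example, not code from the question or from the linked moby issue: it parses `iptables -t nat -L -n` output of the shape shown above, reports what POSTROUTING does to a given container source address, and carves one non-overlapping subnet per user out of a pool while skipping subnets Docker already uses. The sample iptables listing and `docker network inspect` JSON are constructed from the question's own output; the pool 172.18.0.0/15 and the user names are assumptions.

```python
"""Offline checks for the 'one subnet per user + SNAT' approach (added example)."""
import ipaddress
import json
import re

# Constructed sample: the nat table as shown in the question (eth1 = 1.2.3.4).
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  172.18.0.0/16        0.0.0.0/0            to:1.2.3.4
MASQUERADE  all  --  172.18.0.0/16        0.0.0.0/0
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:3306
"""

# Constructed sample of `docker network inspect` output, trimmed to the IPAM part.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]}},
    {"Name": "mynetwork", "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]}},
])


def _net(token):
    """iptables prints a negated address match as '!addr'; return (network, negated)."""
    return ipaddress.ip_network(token.lstrip("!"), strict=False), token.startswith("!")


def parse_chain(listing, chain):
    """Rules of one chain from `iptables -t nat -L -n` output, in table order."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or not line.strip() or line.startswith("target"):
            continue
        parts = line.split(None, 5)  # target prot opt source destination [extra]
        src, src_neg = _net(parts[3])
        dst, dst_neg = _net(parts[4])
        rules.append({"target": parts[0], "prot": parts[1],
                      "src": src, "src_neg": src_neg, "dst": dst, "dst_neg": dst_neg,
                      "extra": parts[5].strip() if len(parts) > 5 else ""})
    return rules


def first_match(rules, src_ip, dst_ip, proto, dport):
    """Netfilter walks a chain top-down; the first matching rule with a terminating
    target (SNAT/MASQUERADE here) decides the packet. Mirror that for the fields
    the -L -n listing exposes: source, destination, protocol and dpt."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src_ip in r["src"]) == r["src_neg"]:   # skip unless the source matches
            continue
        if (dst_ip in r["dst"]) == r["dst_neg"]:
            continue
        if r["prot"] not in ("all", proto):
            continue
        m = re.search(r"dpt:(\d+)", r["extra"])
        if m and int(m.group(1)) != dport:
            continue
        return r
    return None


def egress_source(listing, src_ip, dst_ip="203.0.113.10", proto="tcp", dport=443):
    """What nat POSTROUTING does to a container's outbound connection:
    the fixed SNAT address, 'MASQUERADE', or 'none' if no rule applies."""
    rule = first_match(parse_chain(listing, "POSTROUTING"), src_ip, dst_ip, proto, dport)
    if rule is None:
        return "none"
    if rule["target"] == "SNAT":
        return rule["extra"].split("to:", 1)[1].strip()
    return rule["target"]


def docker_subnets(inspect_json):
    """Subnets already claimed by Docker networks, from `docker network inspect` JSON."""
    return [ipaddress.ip_network(cfg["Subnet"])
            for net in json.loads(inspect_json)
            for cfg in net.get("IPAM", {}).get("Config", [])]


def allocate_user_subnets(users, taken, pool="172.18.0.0/15", new_prefix=24):
    """One subnet per user carved from `pool` (an assumed range, not from the
    question), skipping every candidate that overlaps a subnet already in use."""
    free = [c for c in ipaddress.ip_network(pool).subnets(new_prefix=new_prefix)
            if not any(c.overlaps(t) for t in taken)]
    if len(free) < len(users):
        raise ValueError("pool exhausted")
    return {user: str(net) for user, net in zip(users, free)}


def snat_commands(assignment, out_ip):
    """The iptables command from the question, one per subnet. `-I` inserts at the
    top of POSTROUTING so the SNAT is evaluated before Docker's MASQUERADE."""
    return [f"iptables -t nat -I POSTROUTING -s {net} -j SNAT --to-source {out_ip}"
            for net in assignment.values()]


if __name__ == "__main__":
    plan = allocate_user_subnets(["alice", "bob"], docker_subnets(SAMPLE_INSPECT))
    print(plan)
    for cmd in snat_commands(plan, "1.2.3.4"):
        print(cmd)
    print("172.18.0.5 ->", egress_source(SAMPLE_NAT, "172.18.0.5"))
    print("172.17.0.5 ->", egress_source(SAMPLE_NAT, "172.17.0.5"))
```

With the question's own listing, a source in 172.18.0.0/16 reaches the SNAT rule (1.2.3.4) while a source in 172.17.0.0/16 is masqueraded, so the first thing to verify on the host is which address the container actually uses as source (`docker exec CONTAINER ip route` shows its default route). The allocator skips the whole 172.18.0.0/16 block that `mynetwork` already owns and hands out 172.19.0.0/24, 172.19.1.0/24 and so on; each value is what goes into `--subnet` for that user's network, and each needs its own SNAT rule and policy route.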