Monday, May 21, 2018

Routing in container not working properly

Leave a Comment

Pinging a system in the internet works:

root@553c9e5ce5ea:/# ping -c 1 8.8.8.8       PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=9.61 ms  --- 8.8.8.8 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 9.619/9.619/9.619/0.000 ms 

Pinging a system in the internal (corporate) network, does not work:

root@553c9e5ce5ea:/# ping -c 1 10.97.179.110 PING 10.97.179.110 (10.97.179.110) 56(84) bytes of data.  --- 10.97.179.110 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms 

The routing in the container is straightforward:

root@553c9e5ce5ea:/# route -n Kernel IP routing table Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 0.0.0.0         172.17.0.1      0.0.0.0         UG    0      0        0 eth0 172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0 

Pinging the same system from the docker host is working fine:

host » ping -c 1 10.97.179.110   PING 10.97.179.110 (10.97.179.110) 56(84) bytes of data. 64 bytes from 10.97.179.110: icmp_seq=1 ttl=60 time=4.70 ms  --- 10.97.179.110 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 4.703/4.703/4.703/0.000 ms 

The system is reachable via a vpn interface in the docker host:

host » route -n | grep '^10\.' 10.0.0.0        0.0.0.0         255.248.0.0     U     0      0        0 tunsnx 10.8.0.0        0.0.0.0         255.252.0.0     U     0      0        0 tunsnx 10.12.0.0       0.0.0.0         255.254.0.0     U     0      0        0 tunsnx 10.14.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tunsnx 10.15.0.0       0.0.0.0         255.255.240.0   U     0      0        0 tunsnx 10.15.20.0      0.0.0.0         255.255.252.0   U     0      0        0 tunsnx 10.15.24.0      0.0.0.0         255.255.248.0   U     0      0        0 tunsnx 10.15.32.0      0.0.0.0         255.255.224.0   U     0      0        0 tunsnx 10.15.64.0      0.0.0.0         255.255.192.0   U     0      0        0 tunsnx 10.15.113.108   0.0.0.0         255.255.255.255 UH    0      0        0 tunsnx 10.15.128.0     0.0.0.0         255.255.128.0   U     0      0        0 tunsnx 10.16.0.0       0.0.0.0         255.240.0.0     U     0      0        0 tunsnx 10.32.0.0       0.0.0.0         255.224.0.0     U     0      0        0 tunsnx 10.64.0.0       0.0.0.0         255.192.0.0     U     0      0        0 tunsnx 10.128.0.0      0.0.0.0         255.128.0.0     U     0      0        0 tunsnx 

Why is the host not properly routing the traffic coming from the docker container?

EDIT

I have been checking the IP tables counters, and this is what I see after ping -c 100 (a host on the VPN):

» sudo iptables -x -v --line-numbers -L FORWARD | head Chain FORWARD (policy DROP 0 packets, 0 bytes) num      pkts      bytes target     prot opt in     out     source               destination          1         100     8400 DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere             2           0        0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED 3           0        0 DOCKER     all  --  any    docker0  anywhere             anywhere             4         100     8400 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere             5           0        0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere             6           0        0 ACCEPT     all  --  any    br-ad32be160e27  anywhere             anywhere             ctstate RELATED,ESTABLISHED 7           0        0 DOCKER     all  --  any    br-ad32be160e27  anywhere             anywhere             8           0        0 ACCEPT     all  --  br-ad32be160e27 !br-ad32be160e27  anywhere             anywhere           

Pinging a host on the internet (8.8.8.8) gives this:

» sudo iptables -x -v --line-numbers -L FORWARD | head Chain FORWARD (policy DROP 0 packets, 0 bytes) num      pkts      bytes target     prot opt in     out     source               destination          1         200    16800 DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere             2         100     8400 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED 3           0        0 DOCKER     all  --  any    docker0  anywhere             anywhere             4         100     8400 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere             5           0        0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere             6           0        0 ACCEPT     all  --  any    br-ad32be160e27  anywhere             anywhere             ctstate RELATED,ESTABLISHED 7           0        0 DOCKER     all  --  any    br-ad32be160e27  anywhere             anywhere             8           0        0 ACCEPT     all  --  br-ad32be160e27 !br-ad32be160e27  anywhere             anywhere      

0 Answers

If You Enjoyed This, Take 5 Seconds To Share It

0 comments:

Post a Comment