Pinging a system in the internet works:
    root@553c9e5ce5ea:/# ping -c 1 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=9.61 ms

    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 9.619/9.619/9.619/0.000 ms
Pinging a system in the internal (corporate) network does not work:
    root@553c9e5ce5ea:/# ping -c 1 10.97.179.110
    PING 10.97.179.110 (10.97.179.110) 56(84) bytes of data.

    --- 10.97.179.110 ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 0ms
The routing in the container is straightforward:
    root@553c9e5ce5ea:/# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         172.17.0.1      0.0.0.0         UG    0      0        0 eth0
    172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
Pinging the same system from the docker host is working fine:
    host » ping -c 1 10.97.179.110
    PING 10.97.179.110 (10.97.179.110) 56(84) bytes of data.
    64 bytes from 10.97.179.110: icmp_seq=1 ttl=60 time=4.70 ms

    --- 10.97.179.110 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 4.703/4.703/4.703/0.000 ms
The system is reachable via a VPN interface in the docker host:
    host » route -n | grep '^10\.'
    10.0.0.0        0.0.0.0         255.248.0.0     U     0      0        0 tunsnx
    10.8.0.0        0.0.0.0         255.252.0.0     U     0      0        0 tunsnx
    10.12.0.0       0.0.0.0         255.254.0.0     U     0      0        0 tunsnx
    10.14.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tunsnx
    10.15.0.0       0.0.0.0         255.255.240.0   U     0      0        0 tunsnx
    10.15.20.0      0.0.0.0         255.255.252.0   U     0      0        0 tunsnx
    10.15.24.0      0.0.0.0         255.255.248.0   U     0      0        0 tunsnx
    10.15.32.0      0.0.0.0         255.255.224.0   U     0      0        0 tunsnx
    10.15.64.0      0.0.0.0         255.255.192.0   U     0      0        0 tunsnx
    10.15.113.108   0.0.0.0         255.255.255.255 UH    0      0        0 tunsnx
    10.15.128.0     0.0.0.0         255.255.128.0   U     0      0        0 tunsnx
    10.16.0.0       0.0.0.0         255.240.0.0     U     0      0        0 tunsnx
    10.32.0.0       0.0.0.0         255.224.0.0     U     0      0        0 tunsnx
    10.64.0.0       0.0.0.0         255.192.0.0     U     0      0        0 tunsnx
    10.128.0.0      0.0.0.0         255.128.0.0     U     0      0        0 tunsnx
Why is the host not properly routing the traffic coming from the docker container?
EDIT
I have been checking the iptables counters, and this is what I see after ping -c 100 (a host on the VPN):
    » sudo iptables -x -v --line-numbers -L FORWARD | head
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num   pkts  bytes target            prot opt in              out              source    destination
    1      100   8400 DOCKER-ISOLATION  all  --  any             any              anywhere  anywhere
    2        0      0 ACCEPT            all  --  any             docker0          anywhere  anywhere  ctstate RELATED,ESTABLISHED
    3        0      0 DOCKER            all  --  any             docker0          anywhere  anywhere
    4      100   8400 ACCEPT            all  --  docker0         !docker0         anywhere  anywhere
    5        0      0 ACCEPT            all  --  docker0         docker0          anywhere  anywhere
    6        0      0 ACCEPT            all  --  any             br-ad32be160e27  anywhere  anywhere  ctstate RELATED,ESTABLISHED
    7        0      0 DOCKER            all  --  any             br-ad32be160e27  anywhere  anywhere
    8        0      0 ACCEPT            all  --  br-ad32be160e27 !br-ad32be160e27 anywhere  anywhere
Pinging a host on the internet (8.8.8.8) gives this:
    » sudo iptables -x -v --line-numbers -L FORWARD | head
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num   pkts  bytes target            prot opt in              out              source    destination
    1      200  16800 DOCKER-ISOLATION  all  --  any             any              anywhere  anywhere
    2      100   8400 ACCEPT            all  --  any             docker0          anywhere  anywhere  ctstate RELATED,ESTABLISHED
    3        0      0 DOCKER            all  --  any             docker0          anywhere  anywhere
    4      100   8400 ACCEPT            all  --  docker0         !docker0         anywhere  anywhere
    5        0      0 ACCEPT            all  --  docker0         docker0          anywhere  anywhere
    6        0      0 ACCEPT            all  --  any             br-ad32be160e27  anywhere  anywhere  ctstate RELATED,ESTABLISHED
    7        0      0 DOCKER            all  --  any             br-ad32be160e27  anywhere  anywhere
    8        0      0 ACCEPT            all  --  br-ad32be160e27 !br-ad32be160e27 anywhere  anywhere
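As an added illustration (editor's example, not part of the question), here is a small Python parser for the `iptables -x -v --line-numbers -L FORWARD` output above that separates the packets the host accepted out of docker0 from the conntrack-matched replies it accepted back in, which is exactly what differs between the two counter listings. The two listings are embedded as constructed strings trimmed to the docker0 rules, and the rule-column layout, the bridge name `docker0` and the function names are assumptions of this example.

```python
import re

# Constructed samples: the docker0 rules from the two FORWARD listings in the
# post (counters zeroed before each `ping -c 100`): VPN host, then 8.8.8.8.
AFTER_VPN_PING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 100 8400 DOCKER-ISOLATION all -- any any anywhere anywhere
2 0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
3 0 0 DOCKER all -- any docker0 anywhere anywhere
4 100 8400 ACCEPT all -- docker0 !docker0 anywhere anywhere
"""
AFTER_INET_PING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 200 16800 DOCKER-ISOLATION all -- any any anywhere anywhere
2 100 8400 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
3 0 0 DOCKER all -- any docker0 anywhere anywhere
4 100 8400 ACCEPT all -- docker0 !docker0 anywhere anywhere
"""

# Assumed column order: num pkts bytes target prot opt in out source destination [options]
RULE_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+\d+\s+(\S+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s*(.*)$")

def parse_forward(listing):
    """Return {rule_num: (pkts, target, in_if, out_if, options)}."""
    rules = {}
    for m in filter(None, map(RULE_RE.match, listing.splitlines())):
        num, pkts, target, in_if, out_if, opts = m.groups()
        rules[int(num)] = (int(pkts), target, in_if, out_if, opts.strip())
    return rules

def path_counts(listing, bridge="docker0"):
    """Packets accepted out of the bridge vs. replies accepted back into it."""
    forwarded = replies = 0
    for pkts, target, in_if, out_if, opts in parse_forward(listing).values():
        if target == "ACCEPT" and in_if == bridge and out_if == "!" + bridge:
            forwarded += pkts                      # container -> outside
        elif target == "ACCEPT" and out_if == bridge and "ESTABLISHED" in opts:
            replies += pkts                        # conntrack-matched replies
    return {"forwarded": forwarded, "replies": replies}

def diagnose(listing, bridge="docker0"):
    """Where did the container's packets stop, according to the counters?"""
    c = path_counts(listing, bridge)
    if c["forwarded"] == 0:
        return "never-forwarded"  # look at the chain's policy DROP counter
    if c["replies"] == 0:
        return "no-reply-path"    # sent out, nothing came back via conntrack
    return "ok"
```

On the post's own numbers this yields 100 forwarded / 0 replies for the VPN host and 100 / 100 for 8.8.8.8, so the outbound leg through FORWARD is identical in both runs and the difference lies in whether a reply ever re-enters the host's forwarding path.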