I have the following network interfaces defined on my machine:

    1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
           valid_lft 773635sec preferred_lft 773635sec
    3: wlp3s0: mtu 1500 qdisc noop state DOWN group default qlen 1000
        link/ether 80:00:0b:d7:a8:c5 brd ff:ff:ff:ff:ff:ff
    4: docker0: mtu 1500 qdisc noqueue state UP group default

I have one active docker container listening on the ip 172.17.0.2 (attached to the docker0 interface).

- Forward all incoming packets on my machine on port 8443 to the docker container ip 172.17.0.2 on its port 8443.
- Forward all loopback packets on the lo interface to the docker container ip 172.17.0.2 on port 8443.

I have done this, but it's not working when testing on the loopback interface:

    iptables -t nat -I PREROUTING -i lo -d 127.0.0.1 -p tcp --dport 8443 -j DNAT --to-destination 172.17.0.2:8443

    $ curl
    curl: (7) Failed to connect to localhost port 8443: Connection refused

Any indications on what I am doing wrong from experienced iptables people?

---

There are two issues (and actually a non-asked 3rd that I will address with a simple if not best solution, just in case, to be thorough):

Locally initiated packets are not forwarded/routed

Locally initiated packets are not forwarded (routed). So those packets never see the nat/PREROUTING chain. Take a look at Packet flow in Netfilter and General Networking to get an idea of what happens during the life of a packet in the kernel.

So in addition to the nat/PREROUTING rule doing the DNAT for packets arriving from "outside", which should look like:

    iptables -t nat -I PREROUTING -i eno1 -p tcp --dport 8443 -j DNAT --to-destination 172.17.0.2:8443

you also have to use the nat/OUTPUT chain. As it's OUTPUT, its syntax only allows outgoing interfaces, so it's altered like this:

    iptables -t nat -I OUTPUT -o lo -p tcp --dport 8443 -j DNAT --to-destination 172.17.0.2:8443

The initial packet and then flow will be actually rerouted to another interface (I suspect the "reroute check" in the previous link's schematic might not be placed correctly). This will work with any IP belonging to the host (i.e. 172.16.214.45 and 172.17.0.1), except:

the IP range 127.0.0.0/8 is forbidden to be seen outside of the lo interface

The Linux kernel has specific settings preventing any IP in the range 127.0.0.0/8 to be routed anywhere else than to the lo interface and drops any such packet as martian source if "attempting" to use another interface, and rightly so: the remote system (even if it's a container) would not accept an incoming packet with source 127.0.0.1 and destination 172.17.0.2, at least because it wouldn't know where to reply to it.

So a SNAT (or simple MASQUERADE) to the packet in addition to the DNAT must also be made, this time in the nat/POSTROUTING chain which is traversed (see the previous schematic):

    iptables -t nat -I POSTROUTING -s 127.0.0.1 -d 172.17.0.2 -j MASQUERADE

This is still not enough: as the name implies, nat/POSTROUTING happens after the routing (actually the reroute check happening after the DNAT), and the packet was already dropped as martian source.

For special cases, like this one, it's possible to override the localnet restriction with the per-interface toggle route_localnet:

    echo 1 > /proc/sys/net/ipv4/conf/docker0/route_localnet

Now the routing stack lets the packets with source 127.0.0.1 pass, and their source is corrected to 172.17.0.1 by the previous rule before going out on the virtual wire to the container: it works.
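The answer above boils down to four things that must all be present for the loopback forward to work: a DNAT in nat/PREROUTING for outside clients, a DNAT in nat/OUTPUT for locally generated packets, a MASQUERADE/SNAT in nat/POSTROUTING for the 127.0.0.1 source, and route_localnet enabled on the egress interface. The following is an added example (not code from the question or the answer) that audits an `iptables-save` dump for those four pieces and reports whichever are missing, so a defender can tell at a glance why the forward fails and what a loopback-related NAT rule on a host implies. The two dumps (`BROKEN_NAT`, the question's single rule, and `FIXED_NAT`, the answer's rule set) are constructed here in iptables-save syntax; the `route_localnet` argument is a dict the caller fills from `/proc/sys/net/ipv4/conf/<iface>/route_localnet`. Note that route_localnet on docker0 also lets packets addressed to 127.0.0.0/8 be routed on that interface in the other direction, so host services bound only to 127.0.0.1 deserve a matching filter rule when it is turned on; the audit flags the toggle so that decision is made consciously.

```python
import shlex

# Constructed samples in iptables-save format (not captured from a real host).
# BROKEN_NAT is the question's single rule; FIXED_NAT is the rule set the answer ends with.
BROKEN_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i lo -d 127.0.0.1/32 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.17.0.2:8443
COMMIT
"""

FIXED_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eno1 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.17.0.2:8443
-A OUTPUT -o lo -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.17.0.2:8443
-A POSTROUTING -s 127.0.0.1/32 -d 172.17.0.2/32 -j MASQUERADE
COMMIT
"""


def parse_iptables_save(text):
    """Return a list of (table, options) for every -A rule in iptables-save output.

    options maps each flag ('-A', '-i', '--dport', ...) to its argument, or to True
    for flags that take none.  Negated matches ('!') are not handled; they do not
    occur in the samples or in the rules this audit looks for.
    """
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A"):
            tokens = shlex.split(line)
            opts, i = {}, 0
            while i < len(tokens):
                if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                    opts[tokens[i]] = tokens[i + 1]
                    i += 2
                else:
                    opts[tokens[i]] = True
                    i += 1
            rules.append((table, opts))
    return rules


def _host(addr):
    """Normalise '127.0.0.1/32' (as iptables-save prints it) to '127.0.0.1'."""
    return addr.split("/")[0] if isinstance(addr, str) else None


def audit_loopback_dnat(save_text, route_localnet, container_ip, port, egress_if="docker0"):
    """Check the nat table for the pieces a loopback-to-container forward needs.

    route_localnet is {iface: 0|1}, i.e. the value of
    /proc/sys/net/ipv4/conf/<iface>/route_localnet as read by the caller.
    Returns a list of findings; an empty list means the setup is complete.
    """
    nat = [opts for table, opts in parse_iptables_save(save_text) if table == "nat"]
    target = f"{container_ip}:{port}"
    findings = []

    def is_dnat(r):
        return (r.get("-j") == "DNAT" and r.get("--to-destination") == target
                and r.get("--dport") == str(port))

    # 1. Outside clients traverse nat/PREROUTING; a rule there with -i lo never matches them.
    if not any(r.get("-A") == "PREROUTING" and is_dnat(r) and r.get("-i") != "lo" for r in nat):
        findings.append("no nat/PREROUTING DNAT on a non-lo interface for external clients")
    # 2. Locally generated packets only pass nat/OUTPUT, never nat/PREROUTING.
    if not any(r.get("-A") == "OUTPUT" and is_dnat(r) for r in nat):
        findings.append("no nat/OUTPUT DNAT: locally initiated packets skip PREROUTING")
    # 3. Source 127.0.0.1 must be rewritten in nat/POSTROUTING or the container cannot reply.
    if not any(r.get("-A") == "POSTROUTING" and r.get("-j") in ("MASQUERADE", "SNAT")
               and _host(r.get("-s")) == "127.0.0.1" and _host(r.get("-d")) == container_ip
               for r in nat):
        findings.append("no nat/POSTROUTING MASQUERADE/SNAT for 127.0.0.1 -> container")
    # 4. The reroute after DNAT drops 127/8 sources as martians before POSTROUTING can fix them,
    #    unless route_localnet is set on the egress interface.
    if not int(route_localnet.get(egress_if, 0)):
        findings.append(f"route_localnet is 0 on {egress_if}: 127.0.0.1-sourced packets dropped as martian")
    return findings


if __name__ == "__main__":
    for label, dump, rl in (("question", BROKEN_NAT, {"docker0": 0}),
                            ("answer", FIXED_NAT, {"docker0": 1})):
        print(label, audit_loopback_dnat(dump, rl, "172.17.0.2", 8443) or ["ok"])
```

On a real host, feed it `iptables-save -t nat` output and a dict built by reading each interface's route_localnet file; the audit is intentionally narrow (nat table only, no negations, no ordering check), so a rule placed after a conflicting one still needs a look at `iptables -t nat -L -v --line-numbers`.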