Iptables – nginx docker container cannot see client ip when using ‘–iptables=false’ option

docker, iptables

I am using Docker 17.04.0-ce on Ubuntu 16.04.

I am running several containers on my host which expose public ports; some should only be accessible from certain IP ranges, while others, like an nginx proxy listening on ports 80 and 443, should be publicly accessible.

Using the default configuration my iptables configuration of the INPUT chain was ignored, allowing all containers with bound ports to be accessed from anywhere. So I learned that I had to provide the --iptables=false option to docker, which worked fine.

While I now can control the access to the different ports using iptables, my nginx container is no longer able to see the IP address of the connecting client, but only gets the IP of the docker0 bridge (172.17.41.1 in my case).

Is there any way to allow the nginx container to see the connecting client's IP without losing control over iptables again?

Side note: I do not want to put all containers on the host net (--net=host).

Best Answer

This depends on your iptables setup. It sounds as if you masquerade while forwarding, something like this:

iptables -t nat -A POSTROUTING --out-interface docker0 -j MASQUERADE

If you want the client to see the original IP, you have to disable masquerading, and just use NAT and PREROUTING. There are tons of manuals for this out there.

Just make sure your containers use your host as default route, otherwise you'll end up not being able to answer because your responses don't originate from the correct ip.

To say more, you'd need to post your iptables configuration...
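The rule set the answer describes, as an added example that is not part of the original thread: inbound ports are handed to the containers with DNAT in PREROUTING only, source restrictions live in the FORWARD chain (forwarded packets never traverse INPUT, which is why the INPUT rules in the question were ignored), and nothing masquerades towards docker0, so the container sees the client's real source address. The interface name eth0, the container addresses 172.17.0.2 and 172.17.0.3, the restricted port 5432 and the admin range 203.0.113.0/24 are assumptions for the example; the docker0 gateway 172.17.41.1 comes from the question. The script prints the rules for review and only applies them when APPLY_RULES=1 is set; it also carries a small check that scans an iptables-save dump (a constructed sample is included) for the masquerade-to-bridge rule the answer suspects.

```shell
#!/bin/sh
# Added example, not from the original post. Host-side rules for a Docker host
# started with --iptables=false, so every rule below is ours, not dockerd's.
# Assumed for the example (not stated in the thread): public interface eth0,
# nginx container 172.17.0.2, a second container 172.17.0.3 that only
# 203.0.113.0/24 may reach on 5432. Bridge gateway 172.17.41.1 is from the question.
PUB_IF=eth0
BRIDGE=docker0
BRIDGE_NET=172.17.0.0/16
NGINX_IP=172.17.0.2
PRIVATE_IP=172.17.0.3
PRIVATE_PORT=5432
ADMIN_NET=203.0.113.0/24

# Emit the rule set instead of applying it, so it can be reviewed or piped to sh.
generate_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
# Public ports: DNAT rewrites only the destination, so nginx sees the client's
# real source address. No MASQUERADE towards $BRIDGE.
iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 80 -j DNAT --to-destination $NGINX_IP:80
iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 443 -j DNAT --to-destination $NGINX_IP:443
iptables -A FORWARD -i $PUB_IF -o $BRIDGE -p tcp -d $NGINX_IP -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Restricted port: the source filter sits in FORWARD (forwarded packets never
# hit INPUT), so only $ADMIN_NET can reach it.
iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport $PRIVATE_PORT -s $ADMIN_NET -j DNAT --to-destination $PRIVATE_IP:$PRIVATE_PORT
iptables -A FORWARD -i $PUB_IF -o $BRIDGE -p tcp -d $PRIVATE_IP --dport $PRIVATE_PORT -s $ADMIN_NET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Replies from the containers; conntrack undoes the DNAT on the way out.
iptables -A FORWARD -i $BRIDGE -o $PUB_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Container-initiated traffic to the Internet is masqueraded on the way out of
# $PUB_IF. That does not touch the source address of inbound client connections.
iptables -A FORWARD -i $BRIDGE -o $PUB_IF -s $BRIDGE_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $BRIDGE_NET -o $PUB_IF -j MASQUERADE
EOF
}

# Read an iptables-save dump on stdin and succeed if it contains the rule that
# hides clients behind the bridge address (the pattern the answer describes).
has_bridge_masquerade() {
  grep -q -E -- "-o $BRIDGE .*-j MASQUERADE"
}

# Constructed sample of `iptables-save -t nat` output from an affected host.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o docker0 -j MASQUERADE
COMMIT'

if [ "${APPLY_RULES:-0}" = 1 ]; then
  generate_rules | sh          # run as root to apply
else
  generate_rules
fi
```

Two things to verify on the host before trusting the result. First, the answer's default-route caveat: each container must route replies back through the host, which Docker's default bridge setup already does by making the docker0 address the container's gateway (`docker exec <container> ip route` should show `default via 172.17.41.1`). Second, if the ports are also published with `-p`, the userland proxy (docker-proxy) still accepts them on the host even with `--iptables=false` and connects to the container from the bridge address, which produces exactly the symptom in the question; either publish nothing and rely on the DNAT rules, or start dockerd with `--userland-proxy=false`.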