Linux – In docker, what are these POSTROUTING iptables rules for

Tags: docker, iptables, linux

Docker creates a MASQUERADE iptables rule for every container that has an exposed port (in this example I have 5 containers with exposed port 3500):

sudo iptables -t nat -L -v -n

<snip>

Chain POSTROUTING (policy ACCEPT 42 packets, 2650 bytes)
 pkts bytes target     prot opt in     out     source               destination
    <snip>
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:3500
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.3           172.17.0.3           tcp dpt:3500
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.4           172.17.0.4           tcp dpt:3500
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.5           172.17.0.5           tcp dpt:3500
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.7           172.17.0.7           tcp dpt:3500

<snip>

If I understand things correctly, this means that when we have a packet with source and destination equal and destined for the docker container, the MASQUERADE target should apply. But when would this happen?

Best Answer

Although this thread is older, this question has now been answered here:
https://stackoverflow.com/questions/46802089/cant-understand-docker-iptables-rule

In short: this is meant for an edge case; in most cases, what interests you is this rule:

-A POSTROUTING -s <Docker subnet> ! -o <Docker interface> -j MASQUERADE

e.g.:

-A POSTROUTING -s 172.17.0.0/24 ! -o br-a9173b54dfbd -j MASQUERADE
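The two rule shapes from the answer, as an added example that is not part of the original page or of Docker's own code: a small Python simulation of the nat POSTROUTING chain over constructed packets. It shows that the general subnet rule covers container-to-outside traffic, while the per-container rule only fires in the hairpin case the question describes (source equal to destination), which arises when a container reaches its own published port through the host's address and DNAT has already rewritten the destination to the container's own IP. The rule text, bridge name, subnet, port and packet values are constructed assumptions.

```python
import ipaddress

# Constructed rules in `iptables -S` form, modelled on the two rule shapes
# discussed above (subnet, bridge name and port are assumptions).
RULES = [
    "-A POSTROUTING -s 172.17.0.0/24 ! -o br-a9173b54dfbd -j MASQUERADE",
    "-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3500 -j MASQUERADE",
]
# Constructed packets as the nat POSTROUTING hook sees them, i.e. after the
# DNAT of a published port has already rewritten the destination address.
PKT_TO_INTERNET = {"s": "172.17.0.2", "d": "203.0.113.10", "o": "eth0", "p": "tcp", "dport": 443}
PKT_BRIDGE_PEER = {"s": "172.17.0.2", "d": "172.17.0.3", "o": "br-a9173b54dfbd", "p": "tcp", "dport": 3500}
# Hairpin: the container connected to the host's address on its own published
# port, DNAT rewrote the destination to the container's IP and the packet is
# routed back out of the bridge it came from, so source == destination.
PKT_HAIRPIN = {"s": "172.17.0.2", "d": "172.17.0.2", "o": "br-a9173b54dfbd", "p": "tcp", "dport": 3500}

def parse_rule(line):
    """Map one `iptables -S` rule line to {option: (negated, value)}."""
    toks = line.split()
    rule, i = {}, 0
    while i < len(toks):
        negated = toks[i] == "!"
        if negated:
            i += 1
        opt = toks[i]
        if opt in ("-s", "-d", "-i", "-o", "-p", "--dport", "-j"):
            rule[opt.lstrip("-")] = (negated, toks[i + 1])
        i += 2  # -A and -m also take exactly one argument, so skip them too
    return rule

def matches(rule, pkt):
    """True if every match in the rule (honouring '!') holds for the packet."""
    for opt, (negated, value) in rule.items():
        if opt == "j":
            continue
        if opt in ("s", "d"):
            hit = ipaddress.ip_address(pkt[opt]) in ipaddress.ip_network(value)
        elif opt == "dport":
            hit = pkt.get("dport") == int(value)
        else:
            hit = pkt.get(opt) == value
        if hit == negated:  # a plain match must hit, a '!' match must miss
            return False
    return True

def first_match(rules, pkt):
    for line in rules:  # first matching rule wins, as in a real chain
        if matches(parse_rule(line), pkt):
            return line
    return None
```

Container-to-peer traffic that stays on the bridge matches neither rule and is left un-NATed, which is why only the hairpin packet needs the per-container rule.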