Iptable traversal with docker chains

Using this as a reference and this previous post, I attempted to create an iptables packet-processing flowchart for the case where docker containers on the bridge network are considered. The flowchart is shown below.

flowchart

I had omitted some of the tables to keep the flowchart more concise. For example, I understand that before the first routing decision, a packet technically also passes through mangle and nat.

However, I am unsure whether or not my understanding is correct. Is my flowchart correct, or am I missing any important iptables tables?

One thing I am still unclear on is how to incorporate the scenario of a packet being sent from a container to another container on the same network. Is this considered the top right decision? Part of my confusion stems from a test where I ping one docker container from another docker container.

$ watch -n 2 -d iptables -nvL
Chain INPUT (policy ACCEPT 120 packets, 7060 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16  1344 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   16  1344 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   15  1260 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    84 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    1    84 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 151 packets, 23212 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:3000
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.3           tcp dpt:3001

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
   16  1344 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   16  1344 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

I send 8 packets (or 16 ping/ping-response pairs), but according to this result only 1 packet is received by the DOCKER chain, while 15 are accepted by the 3rd rule on the FORWARD chain. Why is this the case?

Thanks for any hints in understanding how packets traverse iptables with docker containers involved.
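The container-to-container walk asked about above, as an added example that is not part of the question or of Docker's own code: a small Python model of the quoted FORWARD ruleset that reports, in order, which rules a packet hits. It assumes the first echo request carries ctstate NEW and the later packets ESTABLISHED, and it models only the interface, ctstate and tcp dport matches (the destination-address match on the DOCKER rules is omitted).

```python
# Simplified model of the filter-table FORWARD walk for the ruleset quoted above:
# matches in/out interface, ctstate and tcp dport only (dst address omitted).
def rule(target, in_if, out_if, ctstate=None, dport=None):
    return {"target": target, "in": in_if, "out": out_if,
            "ctstate": ctstate, "dport": dport}

RETURN_ALL = rule("RETURN", "*", "*")   # the "RETURN all -- * *" catch-all rule
CHAINS = {                              # transcribed from the question's output
    "FORWARD": [
        rule("DOCKER-USER", "*", "*"),
        rule("DOCKER-ISOLATION-STAGE-1", "*", "*"),
        rule("ACCEPT", "*", "docker0", {"RELATED", "ESTABLISHED"}),
        rule("DOCKER", "*", "docker0"),
        rule("ACCEPT", "docker0", "!docker0"),
        rule("ACCEPT", "docker0", "docker0"),
    ],
    "DOCKER": [rule("ACCEPT", "!docker0", "docker0", dport=3000),
               rule("ACCEPT", "!docker0", "docker0", dport=3001)],
    "DOCKER-ISOLATION-STAGE-1": [rule("DOCKER-ISOLATION-STAGE-2", "docker0", "!docker0"), RETURN_ALL],
    "DOCKER-ISOLATION-STAGE-2": [rule("DROP", "*", "docker0"), RETURN_ALL],
    "DOCKER-USER": [RETURN_ALL],
}
FORWARD_POLICY = "DROP"                 # "Chain FORWARD (policy DROP ...)"

def iface_match(spec, iface):
    """'*' matches anything; '!docker0' matches every interface except docker0."""
    return spec == "*" or (iface != spec[1:] if spec.startswith("!") else iface == spec)

def rule_matches(r, pkt):
    return (iface_match(r["in"], pkt["in"]) and iface_match(r["out"], pkt["out"])
            and (r["ctstate"] is None or pkt["ctstate"] in r["ctstate"])
            and (r["dport"] is None or pkt.get("dport") == r["dport"]))

def traverse(chain, pkt, path):
    """Walk one chain; return ACCEPT/DROP, or None on RETURN or end of chain."""
    for i, r in enumerate(CHAINS[chain], 1):
        if not rule_matches(r, pkt):
            continue
        path.append(f"{chain}#{i}->{r['target']}")   # this rule's pkts counter ticks
        target = r["target"]
        if target == "RETURN":
            return None
        verdict = target if target in ("ACCEPT", "DROP") else traverse(target, pkt, path)
        if verdict is not None:
            return verdict
    return None

def forward_verdict(pkt):
    path = []   # final verdict for a forwarded packet plus every rule it hit, in order
    return traverse("FORWARD", pkt, path) or FORWARD_POLICY, path
```

For a NEW docker0-to-docker0 packet the walk visits DOCKER (where nothing matches) and ends at FORWARD rule 6, while every ESTABLISHED packet stops at FORWARD rule 3 without ever entering DOCKER, which is the 1-versus-15 split in the counters above.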
