
My goal is to run two Docker containers on separate networks and have my host (Ubuntu 22.04) perform NAT so that the first network can reach the second.

My setup:

docker network create network1
docker network create network2

docker run --rm -it --network network1 ubuntu:22.04 bash

# In other terminal
docker run --rm -it --network network2 ubuntu:22.04 bash

The first container has an address of 172.19.0.2 and the second has an address of 172.20.0.2.

Running ip addr on my host, I see that the interfaces are br-deadbeef and br-feedbeef, respectively.

I then run

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i br-deadbeef -o br-feedbeef -j ACCEPT
iptables -A FORWARD -i br-feedbeef -o br-deadbeef -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o br-feedbeef -j MASQUERADE

on the host as root.

However, ping 172.20.0.2 from the first container doesn't succeed. Running Wireshark on the host shows the ICMP packet on the br-deadbeef network going from 172.19.0.2 to 172.20.0.2 but there's no reply.

What am I missing?

1 Answer

The issue is the following iptables rules:

Chain FORWARD (policy DROP)
target     prot opt source          destination
DOCKER-USER  all  --  anywhere          anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere          anywhere
...

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source          destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere          anywhere
...

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source          destination
DROP       all  --  anywhere        anywhere
...

Chain DOCKER-USER (1 references)
target     prot opt source          destination
RETURN     all  --  anywhere        anywhere

If you run iptables with the verbose option (-v), you'll see that the DROP target under DOCKER-ISOLATION-STAGE-2 refers to the br-deadbeef interface (there's a DROP rule right under it for br-feedbeef).

Since you added your rules with -A, they were appended to the bottom of the chain which means that the jump to DOCKER-ISOLATION-STAGE-1 and hence to DOCKER-ISOLATION-STAGE-2 took priority.

A simple fix would be to add your rules with -I instead. This will insert them at the top of the chain.
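A quick way to verify the ordering the answer describes, added here as an example and not part of the original answer: parse `iptables -S FORWARD` output and check whether a given ACCEPT rule precedes the jump to DOCKER-ISOLATION-STAGE-1. The two rule listings below are constructed to mirror the question's rules after `-A` and after `-I`; the bridge names are the ones from the question.

```shell
#!/bin/sh
# Constructed sample of `iptables -S FORWARD` after the question's commands
# were run with -A: the user's ACCEPT rules land after Docker's jumps.
SAMPLE_APPENDED='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i br-deadbeef -o br-feedbeef -j ACCEPT
-A FORWARD -i br-feedbeef -o br-deadbeef -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample after the same rules were added with -I instead:
# each -I goes to position 1, so the user's rules now come first.
SAMPLE_INSERTED='-P FORWARD DROP
-A FORWARD -i br-feedbeef -o br-deadbeef -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-deadbeef -o br-feedbeef -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER'

# forward_rule_ok RULES IN_IF OUT_IF
# RULES is the text of `iptables -S FORWARD`. Prints the 1-based position of
# the ACCEPT rule for IN_IF -> OUT_IF and of the DOCKER-ISOLATION-STAGE-1 jump.
# Returns 0 only when the ACCEPT rule is evaluated before the isolation jump,
# i.e. before the DROP in DOCKER-ISOLATION-STAGE-2 can swallow the packet.
forward_rule_ok() {
    printf '%s\n' "$1" | awk -v in_if="$2" -v out_if="$3" '
        /^-A FORWARD/ { n++ }
        /^-A FORWARD -j DOCKER-ISOLATION-STAGE-1$/ { iso = n }
        /^-A FORWARD/ && $0 ~ ("-i " in_if " -o " out_if " ") && / -j ACCEPT$/ { acc = n }
        END {
            if (!acc) { print "no ACCEPT rule for " in_if " -> " out_if; exit 1 }
            if (!iso) { print "no DOCKER-ISOLATION-STAGE-1 jump; nothing to outrank"; exit 0 }
            printf "ACCEPT at %d, isolation jump at %d\n", acc, iso
            if (acc < iso) exit 0
            exit 1
        }'
}

# Demonstration on the constructed listings.
forward_rule_ok "$SAMPLE_APPENDED" br-deadbeef br-feedbeef || echo "appended rule is shadowed by Docker isolation"
forward_rule_ok "$SAMPLE_INSERTED" br-deadbeef br-feedbeef && echo "inserted rule takes effect"
```

On a live host, feed it `"$(iptables -S FORWARD)"` as the first argument; note that the chain listing in the answer shows DOCKER-USER is jumped to before DOCKER-ISOLATION-STAGE-1, so rules placed in that chain also run ahead of the isolation DROP.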
