Broken network connectivity between two containers of different networks over published port on external ip

[bephinix]

TL;DR Description

It is not possible to access an exposed and published port of a container within another container if both containers are not in the same docker network.

Steps to reproduce the issue

1. Install Debian 9 in VM
2. Install Docker CE 18.09.2
3. Replace/Create /etc/docker/daemon.json and insert { "bridge": "none", "userland-proxy": false }
4. Reboot VM
5. Create first network: docker network create -d bridge --ipv6 --subnet 172.30.0.0/24 --subnet fddd::/64 -o "com.docker.network.bridge.name=dckrDefault" dckrDefault
6. Create second network: docker network create -d bridge --ipv6 --subnet 172.30.1.0/24 --subnet fddd:0:0:1::/64 -o "com.docker.network.bridge.name=dckrSecond" dckrSecond
7. Spawn simple web container and publish port (using a host ip address, in my case 172.22.222.174): docker run -d --name exposed-service --publish 172.22.222.174:8080:80 --network dckrDefault nginx
8. Spawn client container within the same network: docker run -it --name container-client --network dckrDefault debian:9-slim
9. Try to access web container over external ip (replace host ip address): wget http://172.22.222.174:8080 (success)
10. Spawn client container within the second network: docker run -it --name container-client --network dckrSecond debian:9-slim
11. Try to access web container over external ip (replace host ip address): wget http://172.22.222.174:8080 (failure)

Expected results

Step 10 should download the default page from the web container.

Results

If you spawn the client container in the same docker network, wget can connect to the web container.
But if your client container is in the second (different) network, no connection can be established.

What is going on?

First an iptable PREROUTING rule in the DOCKER chain will apply a DNAT, so the packet is redirected directly to the dckrDefault bridge.
After that the DOCKER-ISOLATION-STAGE-1 will match our packet.
There is a rule, which applies to packets arriving from dckrSecond but with a destination in another network, so DOCKER-ISOLATION-STAGE-2 will kick in.
In this CHAIN is an iptables rule which will cause our packet to be dropped.

This behavior is correct as it implements the known docker network isolation which prevents containers to communicate with containers of another network.

TL;DR

The client tries to access the web container over an external ip of the host.
These packets are rewritten and the client tries to access the web container directly which will and should not work.

Version, System, Logs, Configuration

Docker Version

Client:
 Version:           18.09.2
 API version:       1.39
 Go version:        go1.10.6
 Git commit:        6247962
 Built:             Sun Feb 10 04:13:52 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.2
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       6247962
  Built:            Sun Feb 10 03:42:13 2019
  OS/Arch:          linux/amd64
  Experimental:     false

Docker Info

Containers: 2
 Running: 2
 Paused: 0
 Stopped: 0
Images: 2
Server Version: 18.09.2
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9754871865f7fe2f4e74d43e2fc7ccd237edcbce
runc version: 09c8266bf2fcf9519a651b04ae54c967b9ab86ec
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.0-8-amd64
Operating System: Debian GNU/Linux 9 (stretch)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.863GiB
Name: debian
ID: BLT6:PW7Q:BSD7:7KYZ:7GJY:TEXZ:GTSM:KWGE:L3DZ:ULK5:3UGC:VWYV
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: No swap limit support

/etc/docker/daemon.json

{
    "bridge": "none",
    "userland-proxy": false
}

iptables -nvL

Chain INPUT (policy ACCEPT 1672 packets, 118K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2374   18M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 2374   18M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1361   18M ACCEPT     all  --  *      dckrSecond  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      dckrSecond  0.0.0.0/0            0.0.0.0/0           
 1010 73362 ACCEPT     all  --  dckrSecond !dckrSecond  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  dckrSecond dckrSecond  0.0.0.0/0            0.0.0.0/0           
 3096   43M ACCEPT     all  --  *      dckrDefault  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    2   144 DOCKER     all  --  *      dckrDefault  0.0.0.0/0            0.0.0.0/0           
 2206  158K ACCEPT     all  --  dckrDefault !dckrDefault  0.0.0.0/0            0.0.0.0/0           
    2   144 ACCEPT     all  --  dckrDefault dckrDefault  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1120 packets, 180K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !dckrDefault dckrDefault  0.0.0.0/0            172.30.0.2           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1013 73542 DOCKER-ISOLATION-STAGE-2  all  --  dckrSecond !dckrSecond  0.0.0.0/0            0.0.0.0/0           
 2206  158K DOCKER-ISOLATION-STAGE-2  all  --  dckrDefault !dckrDefault  0.0.0.0/0            0.0.0.0/0           
 7675   62M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      dckrSecond  0.0.0.0/0            0.0.0.0/0           
    3   180 DROP       all  --  *      dckrDefault  0.0.0.0/0            0.0.0.0/0           
 3216  232K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 7678   62M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0      

iptables -t nat -nvL

Chain PREROUTING (policy ACCEPT 64 packets, 5640 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    7   444 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 46 packets, 4488 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      dckrSecond  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL
   18  1152 MASQUERADE  all  --  *      !dckrSecond  172.30.1.0/24        0.0.0.0/0           
    2   144 MASQUERADE  all  --  *      dckrDefault  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL
   82  5252 MASQUERADE  all  --  *      !dckrDefault  172.30.0.0/24        0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.30.0.2           172.30.0.2           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   300 DNAT       tcp  --  *      *       0.0.0.0/0            172.22.222.174       tcp dpt:8080 to:172.30.0.2:80

Additional details

Used VirtualBox on ArchLinux.

[bephinix]

tcpdump which shows the rewrite/forwarding

23:25:12.034607 IP 172.30.1.2.43040 > debian.fritz.box.http-alt: Flags [S], seq 506512913, win 29200, options [mss 1460,sackOK,TS val 829484 ecr 0,nop,wscale 7], length 0
23:25:12.034628 IP 172.30.1.2.43040 > 172.30.0.2.http: Flags [S], seq 506512913, win 29200, options [mss 1460,sackOK,TS val 829484 ecr 0,nop,wscale 7], length 0
23:25:13.039788 IP 172.30.1.2.43040 > debian.fritz.box.http-alt: Flags [S], seq 506512913, win 29200, options [mss 1460,sackOK,TS val 829736 ecr 0,nop,wscale 7], length 0
23:25:13.039851 IP 172.30.1.2.43040 > 172.30.0.2.http: Flags [S], seq 506512913, win 29200, options [mss 1460,sackOK,TS val 829736 ecr 0,nop,wscale 7], length 0

[polarathene]

I took a bit longer to grok the issue, sharing an alternative summary:

• Regardless of userland-proxy setting, containers on separate networks are isolated. They cannot reach each others ports.
  • The host can connect to a containers IP and port directly, without publishing the port.
  • When container ports are published to another network interface, they can be reached through it (eg: web browser on another device connecting to a web server container).
• Containers can then reach a container in a separate docker network indirectly via the published port, but userland-proxy: false prevents that.

Reproduced with `docker info`

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  0.10.4
    Path:     /usr/lib/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  2.17.3
    Path:     /usr/lib/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 37
 Server Version: 23.0.4
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Using metacopy: true
  Native Overlay Diff: false
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 1fbd70374134b891f97ce19c70b6e50c7b9f4e0d.m
 runc version: 
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.2.12-arch1-1
 Operating System: EndeavourOS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 7.724GiB
 Name: vmware-docker
 ID: 84d56870-5163-4839-80a1-ff0e3cea6787
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.4
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.17.2
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 12
  Running: 1
  Paused: 0
  Stopped: 11
 Images: 4
 Server Version: 23.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc version: v1.1.5-0-gf19387a
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.2.0-20-generic
 Operating System: Ubuntu 23.04
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 945.4MiB
 Name: vps-public
 ID: 0bff6f6d-8e44-44a0-b0c4-d62ebc869ccd
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Original response

• The client tries to access the web container over an external ip of the host.
• These packets are rewritten and the client tries to access the web container directly which will and should not work.

The last part was a bit confusing, as you cite that it will work (but should not)? While the issue itself is about not being able to reach a container on a separate docker network (via a common network between them where the ports are published on) due to the iptables rules Docker adds with userland-proxy: false?

---

• If you spawn the client container in the same docker network, wget can connect to the web container.
• But if your client container is in the second (different) network, no connection can be established.

This behavior is correct as it implements the known docker network isolation which prevents containers to communicate with containers of another network.

This was clearer. The example referenced an external host IP but showed a private network address from 172.16.0.0/12 CIDR block that the Docker networks resided.

It may not matter, but I reproduced with both local VM with private IP in 192.168.0.0/16 and a public facing VPS instance with public IP address.

[polarathene]

Feature info

I have extracted this information + solution that I originally documented at: docker/docs#17312 (which contains additional history if useful)

Container to Container connection across separate docker networks via Host IP:

• userland-proxy: false lacks support (iptables: Without the docker-proxy traffic will hit DROP via rules in the FORWARD => DOCKER-ISOLATION-STAGE-2 chain. The client IP is not masqueraded as the target containers docker bridge gateway IP).
• userland-proxy: true currently solves this via RETURN rule to redirect traffic through the docker-proxy. There was an alternative approach with this 2016 PR attempt that would introduce two additional rules per container:port published (inserted prior to the DOCKER-ISOLATION-STAGE-1 chain rules that apply DROP).
  • As traffic would no longer go through the docker-proxy, it would not be restricted to only the host ports at published interfaces (eg: <host IP>:8080), but also could support connecting directly to the container port (eg: via 172.17.0.3:80).
  • For userland-proxy: true, the existing DOCKER nat chain DNAT rules, the RETURN would defer to docker-proxy for the host IP, while a direct container IP would not. As the RETURN rule is an alternative (simpler) solution, it could be removed in favour of the existing DNAT rule, instead of relying on docker-proxy which was used for:
    • Supporting containers to connect via ports on published host interfaces via docker-proxy (Aug 2013).
    • Supporting such connections across separate docker networks via RETURN (Feb 2016, introduced Skip "DNAT").
  • Regardless of userland-proxy setting, the RemoteAddr is replaced with the target containers bridge gateway IP. This is no different to the current behaviour however.
  • Downside is many more rules would be added (2 per container port published per protocol) vs a single RETURN per docker network (that delegates to docker-proxy). Doing such implicitly by default has been discouraged in the past due to overhead introduced, which could reduce performance at scale.

---

Fixes

Excluding a container port from inter-network isolation

You can make a container reachable from other docker networks:

# Container with -p 8080:80 on the docker0 bridge network at container IP 172.17.0.3,
# Accept traffic exchange both ways:
iptables -I DOCKER-USER -i docker0 -s 172.17.0.3 -p tcp --sport 80 -j ACCEPT
iptables -I DOCKER-USER -o docker0 -d 172.17.0.3 -p tcp --dport 80 -j ACCEPT

At this point, anything that accessed <host ip>:8080 has been mapped via NAT to <container ip>:80, the container can thus be reached via either address across docker network boundaries 🎉

Bonus - Preserve client IP (instead of replacing with docker network gateway IP)

Cross-bridge network connections could preserve the container client IP, if the existing POSTROUTING -j MASQUERADE rules additionally exclude the destination for each docker bridge subnet (since -m addrtype ! --dst-type LOCAL doesn't seem to cover to bridges/veth?).

# Target container network: `docker0` / `172.17.0.0/16`
# Client container network (user-defined): `br-feedfacef00d` / `172.18.0.0/16`

# Replace bridge outbound masquerade rule:
iptables -t nat -D POSTROUTING ! -o br-feedfacef00d -s 172.18.0.0/16 -j MASQUERADE
# Traffic from containers IP that isn't to an IP from `br-feedfacef00d` and not an IP from docker0 subnet,
# will be masqueraded. Otherwise connection between br-feedfacef00d and docker0 will preserve RemoteAddr:
iptables -t nat -I POSTROUTING ! -o br-feedfacef00d -s 172.18.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE

Now if your container performing curl is at 172.18.0.2, it should be the remote client IP instead of 172.17.0.1.

NOTE: There will still be other situations where you'd not have the client IP preserved. One example is when the container sends a curl request to <host ip>:8080 that resolves back to that same container, this gets the gateway IP (due to iptables -t nat -nvL POSTROUTING rule for matching when the containers IP is both source and destination) which is required AFAIK?

UFW interference (when INPUT policy set to DROP)

If the docker host uses UFW for the firewall, then it is likely INPUT policy is set to DROP which also prevents connecting across docker networks. See the issue for workarounds by adding INPUT rules.