12 events
when toggle format what by license comment
May 13, 2023 at 8:13 comment added Consideratus Look for the virtual network bridge; that is the "device" responsible for the wiring. iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. iptables works with the third and higher layers of the ISO model. A network bridge works on the second layer.
May 12, 2023 at 7:45 comment added akastack I found this s2.loli.net/2023/05/12/PUc1Kzrk9q4pBAm.png image link. I guess I am having trouble understanding how the "wire" between eth0 and the veth on the docker0 interface is created at a lower level. I assume this is not done by iptables. Is iptables necessary only for packets leaving the docker0 interface towards the host machine?
May 5, 2023 at 19:01 comment added Consideratus There is a network bridge (created by the Docker daemon) which forwards packets between two or more network segments, for example docker0 and eth0. Once that forwarding happens, the kernel leverages the bridge-netfilter module, which allows the use of iptables, and so the FORWARD chain will be applied because it is a forward operation.
May 5, 2023 at 18:53 comment added Consideratus It will go through the nat table as well, but after the FORWARD chain, because forward happens before the nat.
May 5, 2023 at 8:35 comment added akastack Also, shouldn't a packet leaving the host be using the NAT table instead? Should the filter table be used for packets like "packet from host to container", or a combination of both filter and NAT for "packets from outside the host destined for a container"?
May 5, 2023 at 8:30 comment added akastack What is the outgoing interface then, if not docker0? Perhaps this is why I am confused. What would the outgoing interface be for a ping packet from within the container to the outside internet?
May 5, 2023 at 6:05 vote accept akastack
May 4, 2023 at 13:41 comment added Consideratus It won't match the first rule because the outgoing interface is not docker0.
May 4, 2023 at 13:25 comment added akastack I understood rule 1 of chain DOCKER-ISOLATION-STAGE-2 as dropping packets that are outgoing (leaving the virtual interface docker0). Could you clarify why a ping packet from a container to an outside network would not be dropped?
May 4, 2023 at 13:09 comment added Consideratus Because it matches the rules with the RETURN target, and so it's returned to the calling chain, and so on up to the originating chain, where it will be processed by another rule that matches the criteria. As there are no restriction rules specified at all, outgoing traffic is allowed.
May 4, 2023 at 12:46 comment added akastack But why am I then allowed to ping an outside website like google.com?
May 4, 2023 at 12:28 history answered Consideratus CC BY-SA 4.0