How can an iptables 443 redirection on my host interfere with outbound HTTPS requests from my Docker container?
I diagnosed a complex issue involving Docker and iptables.

I have an Ubuntu host with the following iptables settings:
    $ sudo iptables -L -t nat
    [...]
    Chain xyz (1 references)
    target     prot opt source               destination
    REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https /* xyz */ redir ports 8443
The rule in place redirects inbound traffic on port 443 to port 8443. It is meant to redirect traffic to a Java-based application that has nothing to do with Docker containers, runs on the same machine, and has a self-signed SSL certificate.

When I run a Docker container on the same machine with Docker's default network settings and issue a wget HTTPS request from within the container, Docker (or the OS) seems to redirect the outbound connection to port 8443 on the Ubuntu host, and therefore to the local Java-based application which, in turn, accepts the connection (most of the time) and returns invalid (self-signed) certificate details. As a result, applications inside the container end up talking to the local Java application on the host instead of the real servers on the internet they should be talking to.

I verified that a wget HTTPS request issued directly from the Ubuntu host hits the target server on the internet. The problem only occurs for requests initiated from Docker containers running on the same host.

Can anyone explain why this happens?
The example is not complete. You have not shown which chain it is linked from. I'll try to answer anyway, but you might want to reduce the iptables rule set to the minimum that still reproduces the problem.

The way iptables works, an incoming packet has the matching rules applied to it. If a rule matches it, the rule's target is applied.

In your case, what happens is that outbound packets are matched by the rule, and therefore redirected as well.

Since the REDIRECT target is in the pre-routing table, and one is not limited to incoming traffic there, you need to limit the matching in some way. The easiest is probably to add ! -i lo to the rule. That should prevent matching of packets arriving through the loopback interface.
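An added audit script (not part of the question or the answer above) that parses `iptables -t nat -S` output and reports, for each REDIRECT rule, which ingress interfaces it would fire from, so you can see whether a rule scoped only by port also catches traffic entering from a container bridge. The sample rules are constructed, and eth0 and docker0 are assumed names for the external NIC and Docker's default bridge:

```python
"""Audit nat-table REDIRECT rules: which ingress interfaces do they fire from?"""
import shlex

# Constructed sample in `iptables -t nat -S` format (not output from the
# question's host): an unscoped REDIRECT, one with "! -i lo", one with "-i eth0".
SAMPLE_RULES = """
-A PREROUTING -p tcp -m tcp --dport 443 -j XYZ
-A XYZ -p tcp -m tcp --dport 443 -m comment --comment xyz -j REDIRECT --to-ports 8443
-A XYZ ! -i lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A XYZ -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
"""
KEYS = {"-i": "iface", "--dport": "dport", "-j": "target", "--to-ports": "to_ports"}

def parse_rule(line):
    """Parse one '-A' line into a dict; return None for non-rule lines."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    rule = {"chain": tok[1], "iface": None, "negated": False,
            "dport": None, "target": None, "to_ports": None}
    i = 2
    while i < len(tok):
        if tok[i] == "!" and i + 2 < len(tok) and tok[i + 1] == "-i":
            rule["iface"], rule["negated"] = tok[i + 2], True  # e.g. "! -i lo"
            i += 3
        elif tok[i] in KEYS and i + 1 < len(tok):
            key = KEYS[tok[i]]
            rule[key] = int(tok[i + 1]) if key == "dport" else tok[i + 1]
            i += 2
        else:
            i += 1  # -p/-m/--comment and other matches are irrelevant here
    return rule

def matches_iface(rule, iface):
    """True if the rule's interface match fires for a packet arriving on iface."""
    if rule["iface"] is None:
        return True  # no -i at all: any interface, the Docker bridge included
    return iface != rule["iface"] if rule["negated"] else iface == rule["iface"]

def redirect_exposure(rules_text, ifaces=("eth0", "docker0", "lo")):
    """For each REDIRECT rule, list which of ifaces it would fire from.
    eth0 (external NIC) and docker0 (Docker's default bridge) are assumed names."""
    findings = []
    for line in rules_text.strip().splitlines():
        rule = parse_rule(line)
        if rule and rule["target"] == "REDIRECT":
            hit = [i for i in ifaces if matches_iface(rule, i)]
            findings.append((rule["chain"], rule["dport"], rule["to_ports"], hit))
    return findings
```

Run it against `sudo iptables -t nat -S` output from your own host; a REDIRECT whose list still contains docker0 is one that container traffic entering PREROUTING will hit.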