understanding output chain in the nat table

vincix · 01-22-2019, 05:41 AM

I've never used the OUTPUT chain in the NAT table before and it seems that it might have a more important role in the context of containers. I'm using Rancher (1.6 with docker-ce 18.03) which seems to be altering the iptables profoundly (i.e., much more than docker itself), but now I'm simply trying to understand part of it.

Code:

Chain OUTPUT (policy ACCEPT 107K packets, 7630K bytes)
 pkts bytes target     prot opt in     out     source               destination         
2517K  151M CATTLE_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
 653K   39M DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Code:

Chain CATTLE_OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        3   180 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8050 ADDRTYPE match dst-type LOCAL to:10.42.98.77:80
2        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8040 ADDRTYPE match dst-type LOCAL to:10.42.53.129:80

So basically I simply don't understand what these rules are for. The private IPs are container IPs. As far as I could understand, the OUTPUT in the NAT table is also for packets that originate from the localhost.
The same exposed ports cand also be found in the CATTLE_PREROUTING chain within the NAT table:

Code:

Chain CATTLE_PREROUTING (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8050 to:10.42.98.77:80
2        9   540 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8050 ADDRTYPE match dst-type LOCAL to:10.42.98.77:80
3        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8040 to:10.42.53.129:80
4        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8040 ADDRTYPE match dst-type LOCAL to:10.42.53.129:80

The other rules in the OUTPUT and CATTLE_PREROUTING chains have the same pattern but for other ports, that's why I pasted only part of it.

I've read somewhere that it's for packets that do not traverse the PREROUTING chain for which you want to do DNAT. I don't understand the flow of these packets. What packets are these in the context of docker containers?

Thanks!

vincix · 01-26-2019, 09:31 AM

In short, the OUTPUT chain of the NAT table allows the host to directly communicate with the containers. That is to say, if port 8050 is exposed (as in the abovementioned example), doing a curl localhost:8050 or a curl on ANY ip assigned to eth0 is going to work exactly because of the OUTPUT chain (i.e. CATTLE_OUTPUT) of the NAT table.

Before digging into this problem I also wasn't really sure what 'addrtype match dst-type LOCAL' actually means, that is to say, what LOCAL means. A lot of people think that LOCAL simply refers to the loopback interface, which is not the case. LOCAL can mean any IP which is assigned to the host, EVEN if that ip is public. That might sound somewhat contradictory, but for the host the fact that the IP is public and routable doesn't mean anything. From its perspective that ip is going to be the host itself. I think the explanations you find on the internet are quite misleading.

I also think this follows from the fact that the assigned IPs can be found in the local table (ip route show table local)