LinuxQuestions.org > Forums > Linux Forums > Linux - Containers
Old 01-22-2019, 05:41 AM   #1
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 7
Posts: 927

Rep: Reputation: 74
understanding output chain in the nat table


I've never used the OUTPUT chain in the NAT table before and it seems that it might have a more important role in the context of containers. I'm using Rancher (1.6 with docker-ce 18.03) which seems to be altering the iptables profoundly (i.e., much more than docker itself), but now I'm simply trying to understand part of it.
Code:
Chain OUTPUT (policy ACCEPT 107K packets, 7630K bytes)
 pkts bytes target     prot opt in     out     source               destination         
2517K  151M CATTLE_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
 653K   39M DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
Code:
Chain CATTLE_OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        3   180 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8050 ADDRTYPE match dst-type LOCAL to:10.42.98.77:80
2        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8040 ADDRTYPE match dst-type LOCAL to:10.42.53.129:80
So basically I simply don't understand what these rules are for. The private IPs are container IPs. As far as I could understand, the OUTPUT in the NAT table is also for packets that originate from the localhost.
The same exposed ports can also be found in the CATTLE_PREROUTING chain within the NAT table:
Code:
Chain CATTLE_PREROUTING (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8050 to:10.42.98.77:80
2        9   540 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8050 ADDRTYPE match dst-type LOCAL to:10.42.98.77:80
3        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8040 to:10.42.53.129:80
4        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8040 ADDRTYPE match dst-type LOCAL to:10.42.53.129:80
The other rules in the OUTPUT and CATTLE_PREROUTING chains have the same pattern but for other ports, that's why I pasted only part of it.

I've read somewhere that it's for packets that do not traverse the PREROUTING chain for which you want to do DNAT. I don't understand the flow of these packets. What packets are these in the context of docker containers?

Thanks!

Last edited by vincix; 01-22-2019 at 05:59 AM.
 
Old 01-26-2019, 09:31 AM   #2
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 7
Posts: 927

Original Poster
Rep: Reputation: 74
In short, the OUTPUT chain of the NAT table allows the host to directly communicate with the containers. That is to say, if port 8050 is exposed (as in the above-mentioned example), doing a curl localhost:8050 or a curl on ANY IP assigned to eth0 is going to work exactly because of the OUTPUT chain (i.e. CATTLE_OUTPUT) of the NAT table.

Before digging into this problem I also wasn't really sure what 'addrtype match dst-type LOCAL' actually means, that is to say, what LOCAL means. A lot of people think that LOCAL simply refers to the loopback interface, which is not the case. LOCAL can mean any IP which is assigned to the host, EVEN if that IP is public. That might sound somewhat contradictory, but for the host the fact that the IP is public and routable doesn't mean anything. From its perspective that IP is going to be the host itself. I think the explanations you find on the internet are quite misleading.

I also think this follows from the fact that the assigned IPs can be found in the local table (ip route show table local).

Last edited by vincix; 01-26-2019 at 09:50 AM.
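The following is an added worked example for both posts above; it is not code from the thread, from Rancher or from Docker. It models, in plain Python, the two points the thread settles: a packet generated by a process on the host traverses nat OUTPUT and never nat PREROUTING, while a packet arriving on an interface does the opposite; and "ADDRTYPE match dst-type LOCAL" matches every address listed as "local" in `ip route show table local`, a public eth0 address included. The local routing table and the host addresses (203.0.113.10, 172.17.0.1, 198.51.100.5) are constructed placeholders; the DNAT rules copy the port and container-IP layout posted above. Protocol matching, conntrack and the other chains Docker installs (such as the DOCKER chain) are deliberately left out of the model.

```python
"""Simulate the kernel's choice between the nat OUTPUT and nat PREROUTING
chains and the meaning of the addrtype "dst-type LOCAL" match.

Added example for this thread, not code from Rancher or Docker. The routing
table and host addresses below are constructed placeholders; the DNAT rules
copy the port/container layout posted in the thread."""
import ipaddress

# Constructed sample of `ip route show table local`. Every entry of type
# "local" is an address the kernel owns, so it matches dst-type LOCAL;
# that includes the public, routable 203.0.113.10 on eth0, not only lo.
LOCAL_TABLE = """\
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 203.0.113.10 dev eth0 proto kernel scope host src 203.0.113.10
local 172.17.0.1 dev docker0 proto kernel scope host src 172.17.0.1
broadcast 203.0.113.255 dev eth0 proto kernel scope link src 203.0.113.10
"""

# DNAT rules modelled on CATTLE_OUTPUT and CATTLE_PREROUTING from the thread.
# "in" is the -i match, "local_only" is "ADDRTYPE match dst-type LOCAL".
RULES = {
    # Only packets generated by a process on this host traverse nat OUTPUT.
    "OUTPUT": [
        {"in": "*", "dport": 8050, "local_only": True, "to": "10.42.98.77:80"},
        {"in": "*", "dport": 8040, "local_only": True, "to": "10.42.53.129:80"},
    ],
    # Only packets that arrive on an interface traverse nat PREROUTING.
    "PREROUTING": [
        {"in": "!docker0", "dport": 8050, "local_only": False, "to": "10.42.98.77:80"},
        {"in": "*", "dport": 8050, "local_only": True, "to": "10.42.98.77:80"},
        {"in": "!docker0", "dport": 8040, "local_only": False, "to": "10.42.53.129:80"},
        {"in": "*", "dport": 8040, "local_only": True, "to": "10.42.53.129:80"},
    ],
}


def local_networks(table_text):
    """Collect the prefixes that `ip route show table local` marks as 'local'."""
    nets = []
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "local":
            nets.append(ipaddress.ip_network(parts[1], strict=False))
    return nets


def is_dst_type_local(dst, nets):
    """addrtype --dst-type LOCAL: true for any address assigned to this host."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in nets)


def iface_matches(spec, in_iface):
    """Evaluate an iptables -i spec: '*', 'name' or the negated '!name'."""
    if spec == "*":
        return True
    if spec.startswith("!"):
        return in_iface != spec[1:]
    return in_iface == spec


def nat_lookup(dst, dport, in_iface, nets, rules=RULES):
    """Return (chain consulted, rewritten destination or None) for a TCP packet.

    in_iface is None for a packet generated by a local process (nat OUTPUT),
    otherwise the interface it arrived on (nat PREROUTING). DNAT is a
    terminating target, so the first matching rule decides."""
    chain = "OUTPUT" if in_iface is None else "PREROUTING"
    for rule in rules[chain]:
        if rule["dport"] != dport:
            continue
        if not iface_matches(rule["in"], in_iface or ""):
            continue
        if rule["local_only"] and not is_dst_type_local(dst, nets):
            continue
        return chain, rule["to"]
    return chain, None


if __name__ == "__main__":
    nets = local_networks(LOCAL_TABLE)
    cases = [
        ("curl localhost:8050 from the host", "127.0.0.1", 8050, None),
        ("curl to the host's public IP from the host", "203.0.113.10", 8050, None),
        ("remote client hits the public IP on eth0", "203.0.113.10", 8050, "eth0"),
        ("container hits the host IP via docker0", "203.0.113.10", 8050, "docker0"),
        ("transit packet, not addressed to the host", "198.51.100.5", 8050, "eth0"),
        ("host talks to some remote port 8050", "198.51.100.5", 8050, None),
    ]
    for label, dst, dport, iface in cases:
        chain, to = nat_lookup(dst, dport, iface, nets)
        print(f"{label:45} -> nat {chain:10} DNAT to {to}")
```

Two results are worth noticing when running it. A curl from the host to its own public address is rewritten by nat OUTPUT exactly as a curl to 127.0.0.1 is, because both destinations are "local" in the routing table, which is the point made in the second post. And the first PREROUTING rule (`-i !docker0`, no dst-type LOCAL match) also rewrites a packet the host merely forwards for another network, so on a host that routes for other subnets that rule exposes the container to more than the host's own addresses; the OUTPUT-side rules carry the LOCAL match and cannot do that.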