The below iptables command will restore the connection mark and then allow the routing rule to use the correct routing table. ip rule add from all fwmark 0x1001 lookup 1001 Iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK -save-mark -nfmask 0xffffffff -ctmask 0xffffffffįinally we add this rule for all fwmarks to use the new table we created.
Next we configured the mangle table to set some connection marks coming in from eth1: iptables -t mangle -A PREROUTING -i eth1 -j MARK -set-xmark 0x1001/0xffffffff In this project, there is more than what you need so I will try to only include what you need here.įirst, what we did was create a separate route table for eth1: ip route add default via 192.168.1.2 dev eth1 table 1001 We were specifically working with the AWS EC2 service where we were also attaching/configuring/bringing up the additional interfaces. I'm uncertain if bridge interfaces are handled the same way physical interfaces are for this sort of routing, and just want a sanity check as well as any tips on how I might accomplish this seemingly simple task.Ī friend and I ran into this exact problem where we wanted to have docker support multiple network interfaces servicing requests. When I bring up a container I cannot ping out from it at all after doing this. # to connect out if any changes to the network are made while it's # Note, I do this as I found Docker containers often won't be able # Restart the Docker daemon so it uses the correct network settings Ip route add default via 192.168.1.2 dev eth1 table docker # go out the 192.168.1.2 interface on eth1 # Add a route to the newly added docker routing table that dictates all traffic Ip rule add from 172.17.42.1 table docker # Add a rule stating any traffic from the docker0 bridge interface should use I've tried a variety of things so far to no avail but the one thing that I think is the closest to correct is to use iproute2 like so: # Create a new routing table just for dockerĮcho "1 docker" > /etc/iproute2/rt_tables I want to route all traffic from/to any Docker containers out of the second eth1 192.168.1.2 interface to a default gateway of 192.168.1.1, while having all traffic from/to the host machine go out the eth0 10.1.1.2 interface to a default gateway of 10.1.1.1. As I understand it, all network traffic to/from containers goes through a NAT, so outbound it appears to come from 172.17.42.1, and inbound it gets sent to 172.17.42.1. This interface is configured by default with an IP of 172.17.42.1 and all Docker containers communicate with this interface as their gateway and are assigned IP addresses in the same /16 range. Docker, like some virtualization tools, creates a Linux bridge interface called docker0. I have a server with two network interfaces that is running Docker.
0 kommentar(er)
