为什么在Docker桥接网络中将网关IP作为源地址? [英] Why I get the gateway IP as source address in Docker bridge networking?

问题描述

我最初是在使用Docker桥接网络进行一些组合，并注意到请求始终是从网关IP发送的，而不是列入白名单的本地IP.

I'm originally doing some composition with Docker bridge network, and noticed that instead of the whitelisted local IP, the requests are always sent from the gateway IP.

为了轻松进行复制，我使用了两个Python容器来运行HTTP服务器和客户端:

To reproduce it with minimal effort, I used two Python containers to run a HTTP server and client:

docker run -it --rm python:alpine sh

在服务器端:

python -m http.server

在客户端:

wget 172.17.0.3:8000

预期输出是请求来自容器IP:

Expected output, is that the request comes from the container IP:

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...          
172.17.0.2 - - [time] "GET / HTTP/1.1" 200 -

实际输出，该请求来自网桥网关IP:

Actual output, which the request comes from the bridge gateway IP:

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...          
172.17.0.1 - - [time] "GET / HTTP/1.1" 200 -

但是，当我在笔记本电脑上运行相同的测试时，我得到了预期的行为(容器IP).该问题似乎仅在我的服务器上发生.

However, when I ran the same test on my laptop, I get the expected behavior (container IP). The problem only seems to happen on my server.

什么会导致这种行为?是某种sysctl或iptables问题吗?

What can result in such behavior? Is is some sort of sysctl or iptables problem?

推荐答案

我已经找到了原因，这是一个古老的iptables-save条目.很难注意到，因为iptables -nvL默认不显示NAT规则.

I have found the cause, which is an ancient iptables-save entry. It was hard to notice as iptables -nvL doesn't show NAT rules by default.

将它们从/etc/iptables/rules.v4中删除后，一切按预期进行.

After removing them from /etc/iptables/rules.v4, everything worked as intended.

这篇关于为什么在Docker桥接网络中将网关IP作为源地址?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！