How to connect to a Mongo Docker container from another Docker container while the host uses iptables
0 votes
10 October 2019

I need to connect from one Docker container to a MongoDB Docker container.

Here is my setup for the mongo container (it is part of a replica set; this is how I start a node):

docker run -d \
  --restart always \
  -p $PORT_START_INDEX:$PORT_START_INDEX \
  --log-driver json-file \
  -v $CLUSTERNAME-00-db:/data/db \
  -v $CLUSTERNAME-00-assets:/opt/mongo \
  --name $CLUSTERNAME-my.domain.com \
  --hostname $CLUSTERNAME-my.domain.com \
  --network $CLUSTERNAME-cluster \
  mongo:4.1.13 \
    --wiredTigerCacheSizeGB 2 \
    --port $PORT_START_INDEX \
    --sslMode requireSSL \
    --sslPEMKeyFile /opt/mongo/ssl/mongodb.pem \
    --bind_ip_all \
    --keyFile /opt/mongo/keyfile/cluster-keyfile \
    --replSet $CLUSTERNAME

And this is how I connect from another container:

docker run --network my-cluster-name --rm mongo:4.1.13 mongo "mongodb://server:$PWD@node00-my.domain.com:30010,node00-my.domain.com:30011,node03-my.domain.com:30012/mydb?ssl=true&replicaSet=my-replica-name"

Everything works fine as long as iptables is not active. But as soon as I enable it, I can no longer connect to the MongoDB cluster:

2019-10-10T11:47:22.954+0000 I  NETWORK  [js] Starting new replica set monitor for ***
2019-10-10T11:47:22.955+0000 I  CONNPOOL [ReplicaSetMonitor-TaskExecutor] Connecting to ***
2019-10-10T11:47:22.955+0000 I  CONNPOOL [ReplicaSetMonitor-TaskExecutor] Connecting to ***
2019-10-10T11:47:22.955+0000 I  CONNPOOL [ReplicaSetMonitor-TaskExecutor] Connecting to ***
2019-10-10T11:47:27.954+0000 W  NETWORK  [ReplicaSetMonitor-TaskExecutor] Unable to reach primary for set ***
2019-10-10T11:47:27.955+0000 I  NETWORK  [ReplicaSetMonitor-TaskExecutor] Cannot reach any nodes for set ***. Please check network connectivity and the status of the set. This has happened for 1 checks in a row.
2019-10-10T11:47:32.955+0000 W  NETWORK  [ReplicaSetMonitor-TaskExecutor] Unable to reach primary for set ***
2019-10-10T11:47:32.955+0000 I  NETWORK  [ReplicaSetMonitor-TaskExecutor] Cannot reach any nodes for set ***. Please check network connectivity and the status of the set. This has happened for 2 checks in a row.

Here is my iptables -L output:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             /* local trafic */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:94 /* ssh access */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http /* web trafic */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https /* ssl web trafic */
ACCEPT     icmp --  anywhere             anywhere             /* monitoring: ping */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED /* monitoring: ping */

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:30001
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:30011
ACCEPT     tcp  --  anywhere             172.18.0.3           tcp dpt:30000
ACCEPT     tcp  --  anywhere             172.19.0.3           tcp dpt:30010
ACCEPT     tcp  --  anywhere             172.19.0.4           tcp dpt:30012
ACCEPT     tcp  --  anywhere             172.18.0.4           tcp dpt:30002
ACCEPT     tcp  --  anywhere             172.17.0.7           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.17.0.7           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
...
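An added diagnostic (editor's example, not code from the question or from any answer) that parses the posted `iptables -L` dump: it lists the container ports the DOCKER chain accepts on the forwarding path and checks whether the INPUT chain (policy DROP) has any rule that would accept a new TCP connection to one of the Mongo ports. The excerpt below is constructed from the dump above; the working assumption, which the post does not confirm, is that the client's connection reaches the host's INPUT chain (for example when it addresses the host's own IP from the same bridge network, where Docker's DNAT rule does not apply) instead of being forwarded straight to the server container.

```python
import re

# Constructed excerpt of the `iptables -L` dump from the question: INPUT (policy DROP)
# and the DOCKER chain that Docker fills with one ACCEPT per published container port.
IPTABLES_DUMP = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             /* local trafic */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:94 /* ssh access */

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.19.0.3           tcp dpt:30010
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:30011
ACCEPT     tcp  --  anywhere             172.19.0.4           tcp dpt:30012
"""

def parse_chains(dump):
    """Return {chain: (policy or None, [(target, prot, dst, dport, match_text)])}."""
    chains, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif line.strip() and not line.startswith("target") and current:
            target, prot, _opt, _src, dst, *rest = line.split()
            match_text = " ".join(rest)
            dm = re.search(r"dpt:(\d+)", match_text)  # numeric ports only (-n avoids names)
            chains[current][1].append((target, prot, dst, int(dm.group(1)) if dm else None, match_text))
    return chains

def published_targets(chains):
    """(container IP, port) pairs the DOCKER chain accepts on the FORWARD path."""
    return sorted((dst, dport) for _t, _p, dst, dport, _m in chains["DOCKER"][1])

def input_verdict(chains, dport):
    """INPUT rules that could accept a NEW tcp connection to dport; otherwise the policy applies.
    ESTABLISHED-only rules are skipped; a rule with no printed match (the 'local trafic' one)
    is 'unqualified', because plain -L hides interface matches such as -i lo."""
    explicit, unqualified = [], []
    for target, prot, _dst, rport, match_text in chains["INPUT"][1]:
        if target != "ACCEPT" or prot not in ("all", "tcp"):
            continue
        if "ctstate" in match_text and "NEW" not in match_text:
            continue
        if rport == dport:
            explicit.append(match_text)
        elif rport is None:
            unqualified.append(match_text)
    return {"policy": chains["INPUT"][0], "explicit": explicit, "unqualified": unqualified}
```

For the Mongo ports the result is no explicit INPUT rule and policy DROP, so whether the connection survives depends on the hidden match of the "local trafic" rule; `iptables -L -v -n` or `iptables -S` shows the interface matches that `-L` alone omits.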