Проверка связи с системой в Интернете работает:
root@553c9e5ce5ea:/# ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=9.61 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 9.619/9.619/9.619/0.000 ms
Проверка связи с системой во внутренней (корпоративной) сети, не работает:
root@553c9e5ce5ea:/# ping -c 1 10.97.179.110
PING 10.97.179.110 (10.97.179.110) 56(84) bytes of data.
--- 10.97.179.110 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Маршрутизация в контейнерепросто:
root@553c9e5ce5ea:/# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.17.0.1 0.0.0.0 UG 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
Пингинг той же системы с хоста докера работает нормально:
host » ping -c 1 10.97.179.110
PING 10.97.179.110 (10.97.179.110) 56(84) bytes of data.
64 bytes from 10.97.179.110: icmp_seq=1 ttl=60 time=4.70 ms
--- 10.97.179.110 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.703/4.703/4.703/0.000 ms
Система доступна через интерфейс vpn на хосте докера:
host » route -n | grep '^10\.'
10.0.0.0 0.0.0.0 255.248.0.0 U 0 0 0 tunsnx
10.8.0.0 0.0.0.0 255.252.0.0 U 0 0 0 tunsnx
10.12.0.0 0.0.0.0 255.254.0.0 U 0 0 0 tunsnx
10.14.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tunsnx
10.15.0.0 0.0.0.0 255.255.240.0 U 0 0 0 tunsnx
10.15.20.0 0.0.0.0 255.255.252.0 U 0 0 0 tunsnx
10.15.24.0 0.0.0.0 255.255.248.0 U 0 0 0 tunsnx
10.15.32.0 0.0.0.0 255.255.224.0 U 0 0 0 tunsnx
10.15.64.0 0.0.0.0 255.255.192.0 U 0 0 0 tunsnx
10.15.113.108 0.0.0.0 255.255.255.255 UH 0 0 0 tunsnx
10.15.128.0 0.0.0.0 255.255.128.0 U 0 0 0 tunsnx
10.16.0.0 0.0.0.0 255.240.0.0 U 0 0 0 tunsnx
10.32.0.0 0.0.0.0 255.224.0.0 U 0 0 0 tunsnx
10.64.0.0 0.0.0.0 255.192.0.0 U 0 0 0 tunsnx
10.128.0.0 0.0.0.0 255.128.0.0 U 0 0 0 tunsnx
Почему хост неправильно маршрутизирует трафик, поступающий из контейнера докера?
EDIT
Я проверял счетчики таблиц IP, и это то, что я вижу послеping -c 100 (хост в VPN):
» sudo iptables -x -v --line-numbers -L FORWARD | head
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 100 8400 DOCKER-ISOLATION all -- any any anywhere anywhere
2 0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
3 0 0 DOCKER all -- any docker0 anywhere anywhere
4 100 8400 ACCEPT all -- docker0 !docker0 anywhere anywhere
5 0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
6 0 0 ACCEPT all -- any br-ad32be160e27 anywhere anywhere ctstate RELATED,ESTABLISHED
7 0 0 DOCKER all -- any br-ad32be160e27 anywhere anywhere
8 0 0 ACCEPT all -- br-ad32be160e27 !br-ad32be160e27 anywhere anywhere
Пинг хоста в Интернете (8.8.8.8) дает следующее:
» sudo iptables -x -v --line-numbers -L FORWARD | head
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 200 16800 DOCKER-ISOLATION all -- any any anywhere anywhere
2 100 8400 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
3 0 0 DOCKER all -- any docker0 anywhere anywhere
4 100 8400 ACCEPT all -- docker0 !docker0 anywhere anywhere
5 0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
6 0 0 ACCEPT all -- any br-ad32be160e27 anywhere anywhere ctstate RELATED,ESTABLISHED
7 0 0 DOCKER all -- any br-ad32be160e27 anywhere anywhere
8 0 0 ACCEPT all -- br-ad32be160e27 !br-ad32be160e27 anywhere anywhere