I'm originally doing some composition with Docker bridge network, and noticed that instead of the whitelisted local IP, the requests are always sent from the gateway IP.
To reproduce it with minimal effort, I used two Python containers to run an HTTP server and client:
docker run -it --rm python:alpine sh
On the server side:
python -m http.server
On the client side:
wget 172.17.0.3:8000
Expected output is that the request comes from the container IP:
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
172.17.0.2 - - [time] "GET / HTTP/1.1" 200 -
Actual output, in which the request comes from the bridge gateway IP:
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
172.17.0.1 - - [time] "GET / HTTP/1.1" 200 -
However, when I ran the same test on my laptop, I get the expected behavior (container IP). The problem only seems to happen on my server.
What can result in such behavior? Is it some sort of sysctl or iptables problem?
I have found the cause, which is an ancient iptables-save entry. It was hard to notice as iptables -nvL doesn't show NAT rules by default. After removing them from /etc/iptables/rules.v4, everything worked as intended.
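The answer names the cause but not the rule, and the NAT table is easy to overlook because the filter table is what iptables -nvL prints unless you pass -t nat (iptables -t nat -nvL POSTROUTING, or iptables-save -t nat, shows it). The following is an added example, not code from the original post: a small Python checker that parses iptables-save output and walks the nat POSTROUTING chain the way netfilter would, to report which rule, if any, would rewrite the source of a packet going from one container to another over the bridge. The sample ruleset is constructed for this example; it contains Docker's usual rule, which carries the "! -o docker0" exclusion so bridge-internal traffic is left alone, plus a hypothetical stale rule without that exclusion, standing in for the kind of leftover entry the answer describes. The example assumes bridged traffic traverses the nat table with docker0 as the output interface, which is the case when br_netfilter is loaded and bridge-nf-call-iptables is 1; the interface name, subnet and addresses are assumptions chosen to match the question.

```python
"""Simulate the nat/POSTROUTING chain of an iptables-save dump to find a
rule that would SNAT/MASQUERADE traffic between two containers on the
same Docker bridge (added example, not code from the original post)."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample dump. The first POSTROUTING rule is a hypothetical stale
# entry with no "! -o docker0" exclusion; the second is Docker's normal rule.
SAMPLE = """\
# Generated by iptables-save (constructed sample for this example)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""


@dataclass
class Rule:
    chain: str
    target: Optional[str]
    text: str
    src: Optional[ipaddress.IPv4Network] = None
    src_neg: bool = False
    dst: Optional[ipaddress.IPv4Network] = None
    dst_neg: bool = False
    oif: Optional[str] = None
    oif_neg: bool = False

    def matches(self, src, dst, oif) -> bool:
        # Only -s, -d and -o are modelled; a match that was negated with "!"
        # fails when it would otherwise hit, and vice versa.
        checks = [
            (self.src, self.src_neg, lambda: src in self.src),
            (self.dst, self.dst_neg, lambda: dst in self.dst),
            (self.oif, self.oif_neg, lambda: oif == self.oif),
        ]
        for value, negated, hit in checks:
            if value is not None and hit() == negated:
                return False
        return True


def parse_rule(line: str) -> Rule:
    toks = shlex.split(line)
    rule = Rule(chain=toks[1], target=None, text=line)
    i, negate = 2, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        if tok in ("-s", "-d"):
            net = ipaddress.ip_network(toks[i + 1], strict=False)
            if tok == "-s":
                rule.src, rule.src_neg = net, negate
            else:
                rule.dst, rule.dst_neg = net, negate
            i += 2
        elif tok == "-o":
            rule.oif, rule.oif_neg = toks[i + 1], negate
            i += 2
        elif tok == "-j":
            rule.target = toks[i + 1]
            i += 2
        else:
            # Unmodelled match (e.g. "-m addrtype --dst-type LOCAL"): skip the
            # option and its value, if it has one.
            has_value = i + 1 < len(toks) and not toks[i + 1].startswith(("-", "!"))
            i += 2 if has_value else 1
        negate = False
    return rule


def parse_table(text: str, table: str = "nat") -> Dict[str, List[Rule]]:
    chains: Dict[str, List[Rule]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            current = line[1:]
        elif line == "COMMIT":
            current = None
        elif current == table and line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        elif current == table and line.startswith("-A "):
            rule = parse_rule(line)
            chains.setdefault(rule.chain, []).append(rule)
    return chains


def walk(chains, chain, src, dst, oif) -> Optional[Rule]:
    """First-match traversal: terminating targets stop, RETURN leaves the
    chain, a jump to a user chain recurses and falls through on RETURN."""
    for rule in chains.get(chain, []):
        if not rule.matches(src, dst, oif):
            continue
        if rule.target in ("MASQUERADE", "SNAT", "ACCEPT"):
            return rule
        if rule.target == "RETURN":
            return None
        if rule.target in chains:
            hit = walk(chains, rule.target, src, dst, oif)
            if hit is not None:
                return hit
    return None


def source_nat_rule(dump: str, src: str, dst: str, oif: str) -> Optional[str]:
    """Return the text of the POSTROUTING rule that would rewrite the source
    of a packet src->dst leaving via oif, or None if it passes untouched."""
    chains = parse_table(dump, "nat")
    rule = walk(chains, "POSTROUTING",
                ipaddress.ip_address(src), ipaddress.ip_address(dst), oif)
    if rule is not None and rule.target in ("MASQUERADE", "SNAT"):
        return rule.text
    return None


if __name__ == "__main__":
    # Container 172.17.0.2 talking to 172.17.0.3 over docker0, as in the question.
    print(source_nat_rule(SAMPLE, "172.17.0.2", "172.17.0.3", "docker0"))
```

Run it against a real dump with `source_nat_rule(open("/etc/iptables/rules.v4").read(), ...)` or the output of iptables-save -t nat; a non-None result for a bridge-internal packet is the rule that turns the client's address into the gateway's in the server log. Deleting only the reported rule, rather than the whole NAT table, keeps Docker's own outbound masquerading working.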