Routing between Docker and the Host

by Carel   Last Updated January 03, 2018 08:00 AM

Question

If docker, upon one's host, has a user defined network, 172.18.0.0/16, with a default gateway, 172.18.0.1 (which I understand to be the host itself), hosting one's upstream services, surely it routes all of its traffic via the host? If so, then how can one direct the packets from the docker network to NginX, which acts as a reverse-proxy (c.f. Nginx: IP transparency)?

Background

Previously I had asked which method was the best for proxying Docker via the host. I've settled upon the method described here under Method 1: IP transparency, but steps 3 and 4 in the subsection, Configuring NGINX Plus and Your Upstreams for IP Transparency, confuse me somewhat. I'm trying to adapt this example for my use case, which is a docker network operating within a host machine rather than a set of machines operating alongside one another within the same network.

Step 3: Describes how the default gateway of some upstream servers on the same local network as the proxy, facing the internet, should use the proxy as the gateway instead of the default one assigned by the router. Docker, however, is run within the host, and the default gateway for a user network must surely be the host itself. I get the impression I can simply skip this step.

Step 4: Provides the instructions to redirect the packets arriving on a given interface (the network with all the machines) to NginX by configuring both IPTables and IPRoute2. Again, I'm not sure how to implement this. I have gone through the commands they use, and it appears that they use IPTables to mark the packets coming from the local network, where the upstream servers reside.

iptables -t mangle -A PREROUTING -p tcp -s 172.16.0.0/28 --sport 80 -j MARK --set-xmark 0x1/0xffffffff

Then they use IPRoute2 to direct any packets with a mark to table 100:

ip rule add fwmark 1 lookup 100

Table 100 then, it seems, redirects all traffic to the loopback device:

ip route add local 0.0.0.0/0 dev lo table 100

Again, I'm not sure if this is necessary for a docker network within a host machine. My understanding is that all the packets already seem to arrive on the loopback device, since this is where docker itself is hosting the network. Why is it necessary to send this traffic back through the loopback device lo anyhow?
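The three Step 4 commands from the question, parameterised for the Docker user-defined network, as an added example (this script is neither from the original post nor from the NGINX guide). It assumes the network is 172.18.0.0/16 and that the upstream containers listen on port 8080, and it defaults to a dry run that only prints what it would apply; set DRY_RUN=0 on the host to actually install the rules.

```bash
#!/bin/sh
# Added example: apply the IP-transparency return path (mark, policy rule,
# local route table) for a Docker user-defined network on the host.
# UPSTREAM_NET and UPSTREAM_PORT are assumptions; adjust them to your setup.
UPSTREAM_NET="${UPSTREAM_NET:-172.18.0.0/16}"   # docker network (assumed)
UPSTREAM_PORT="${UPSTREAM_PORT:-8080}"          # container listen port (assumed)
MARK=1                                          # fwmark value from the guide
TABLE=100                                       # routing table from the guide
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print only, 0 = execute

# run: echo the command, and execute it unless DRY_RUN=1
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# mark_rule_present: true if the fwmark policy rule is already installed.
# Only meaningful on a host with iproute2; keeps repeated runs idempotent.
mark_rule_present() {
    ip rule show 2>/dev/null | grep -q "fwmark 0x$MARK lookup $TABLE"
}

# transparency_rules: the three commands, in order.
# 1. Replies leaving the containers (source = docker net, source port =
#    upstream port) are marked in the mangle PREROUTING chain.
# 2. Marked packets are routed via table 100 instead of the main table.
# 3. Table 100 delivers everything to the local stack through lo, so the
#    replies addressed to the original client IP reach NGINX on the host
#    instead of being forwarded out towards that client.
transparency_rules() {
    if [ "$DRY_RUN" != "1" ] && mark_rule_present; then
        echo "fwmark $MARK -> table $TABLE rule already present; nothing to do" >&2
        return 0
    fi
    run iptables -t mangle -A PREROUTING -p tcp -s "$UPSTREAM_NET" \
        --sport "$UPSTREAM_PORT" -j MARK --set-xmark "0x$MARK/0xffffffff"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# transparency_rules_count: number of commands the procedure applies (3)
transparency_rules_count() {
    transparency_rules | wc -l | tr -d ' '
}

transparency_rules
```

Run it once with the default dry run and compare the printed commands against the guide's three lines before applying them on the host.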
