If docker, upon ones host, has a user defined network, 172.18.0.0/16, with a default gateway, 172.18.0.1 (Which I understand to be the host itself), hosts ones upstream services. Surely it routes all of it's traffic via the host ? If so then how can one direct the packets from the docker network to NginX, which acts as a reverse-proxy (c.f. Nginx:IP transparency) ?
Previously I had asked which method was the best for proxying Docker via the host. I've settled upon the method described here under Method 1: IP transparency but steps 3 and 4 in the subsection, Configuring NGINX Plus and Your Upstreams for IP Transparency confuse me somewhat. I'm trying to adapt this example for my use case which is a docker network operating within a host machine rather then a set of machines operating alongside one another within the same network.
Step 3 : Describes how the default gateway of some upstream servers on the same local network as the proxy, facing the internet, should use the proxy as the gateway instead of the default one assigned by the router. Docker, however, is run within the host and the default gateway for a user network must surely be the host itself. I get the impression I can simply skip this step.
Step 4 : Provides the instructions to redirect the packets arriving on a given interface (The network with all the machines) to NginX by configuring both IPTables and IPRoute2. Again I'm not sure how to implement this. I have gone through the commands they use and it appears that they use IPTables to mark the packets coming from the local network, where the upstream servers reside.
iptables -t mangle -A PREROUTING -p tcp -s 172.16.0.0/28 --sport 80 -j MARK --set-xmark 0x1/0xffffffff
Then they use IPRoute2 to direct any packets with a mark to table 100
ip rule add fwmark 1 lookup 100
100 then, it seems, redirect all traffic to the loop back device.
ip route add local 0.0.0.0/0 dev lo table 100
Again is I'm not sure if this necessary for a docker network within a host machine. My understanding is that all the packets already seem to arrive on the loopback device since this is where docker itself is hosting the network. Why is it necessary to send this traffic back through the loopback device
lo anyhows ?