A friend of mine ran into this problem; I hope the experts here can help answer it.
Original post link: https://superuser.com/questions/1472967/packets-not-replying-from-docker-to-openvpn-tun0
Below is the content of the post.
I have 2 servers, let's say Server A and Server B. Server A has OpenVPN installed and Server B has a web application running on port 80.
Server A
WANIP 1.2.3.4/32
OpenVPN 172.16.0.0/24, 172.16.0.1 gateway
Server B
OpenVPN Client 172.16.0.121, ens160 192.168.0.121 (NATed)
On Server A
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.16.0.121:80
sudo iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 1.2.3.4
On Server B
echo '100 VPN' >> /etc/iproute2/rt_tables
ip rule add from 172.16.0.0/24 table VPN
ip route add default via 172.16.0.1 table VPN
By using these rules, I can easily forward port 80 from Server A to Server B via OpenVPN. The question comes when I run a web server in Docker on Server B, on port 80, with the default Docker iptables configuration forwarding 0.0.0.0 dport 80 to the internal Docker IP 172.18.0.2 on port 80: the traffic that comes in from Server A's WAN IP does not get a reply from Server B's VPN client IP, which in this case is 172.16.0.121; however, it does get a reply from the ens160 IP (192.168.0.121:80). Below are the iptables results with Docker.
Server A has the same configuration as above.
Server B iptables
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:80
ACCEPT udp -- anywhere 172.18.0.2 udp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE all -- 172.18.0.0/16 anywhere
MASQUERADE tcp -- 172.18.0.2 172.18.0.2 tcp dpt:80
MASQUERADE udp -- 172.18.0.2 172.18.0.2 udp dpt:80
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere anywhere tcp dpt:80 to:172.18.0.2:80
DNAT udp -- anywhere anywhere udp dpt:80 to:172.18.0.2:80
ip route list
default via 192.168.0.1 dev ens160 proto static
172.16.0.0/24 dev tun0 proto kernel scope link src 172.16.0.121
172.18.0.0/16 dev docker0 proto kernel scope link src 172.18.0.1
192.168.0.0/24 dev ens160 proto kernel scope link src 192.168.0.121
ip rule list
0: from all lookup local
32763: from 172.16.0.0/24 lookup VPN
32766: from all lookup main
32767: from all lookup default
Docker Ports from docker ps
PORTS
0.0.0.0:80->80/tcp, 0.0.0.0:80->80/udp
After I run tcptrack, it shows SYN-SENT to 172.16.0.121 but never gets a reply from there. After a day of tampering with iptables I have had no luck and am still scratching my head. :(
Any help is welcome and much appreciated, have a nice day!
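Added worked example (not part of the original post or the superuser thread it was copied from). The detail worth checking here is the order of netfilter hooks: for a packet forwarded out of the container, the routing decision is made before nat/POSTROUTING, and it is only in POSTROUTING that the reply's source is translated from 172.18.0.2 back to 172.16.0.121. So at the moment the kernel looks up the route, the reply still has source 172.18.0.2, the `ip rule ... from 172.16.0.0/24` never matches, the main table wins and the packet leaves via ens160 with a source address that interface's upstream has no reason to accept. The script below tags inbound VPN connections with a conntrack mark and restores that mark on packets coming back from docker0, so the rule can match on `fwmark` instead of the not-yet-translated source. It assumes the interface names tun0 and docker0, the table name VPN (id 100 from the post's rt_tables line), gateway 172.16.0.1 and mark value 0x1; none of these beyond the addresses are confirmed by the post. By default it only prints the commands; `APPLY=1` runs them.

```shell
#!/bin/sh
# Added example, not from the original post or the linked thread.
# Goal: replies from the Docker container for connections that arrived over
# tun0 must leave via tun0 again. The post's "ip rule ... from 172.16.0.0/24"
# cannot match those replies because the DNAT is only reversed in POSTROUTING,
# after the routing decision, so the reply still carries source 172.18.0.2 when
# the route is chosen. A conntrack mark gives the routing decision something
# it can match regardless of the source address.
# Assumptions (not stated in the post): interface names tun0 and docker0,
# routing table name VPN (id 100 in rt_tables), gateway 172.16.0.1, mark 0x1.
set -eu

VPN_IF="${VPN_IF:-tun0}"
DOCKER_IF="${DOCKER_IF:-docker0}"
VPN_GW="${VPN_GW:-172.16.0.1}"
VPN_TABLE="${VPN_TABLE:-VPN}"
MARK="${MARK:-0x1}"
# Server A's WAN address from the post, used only by the route-lookup check.
SERVER_A_WAN="${SERVER_A_WAN:-1.2.3.4}"

# Dry-run by default: print each command. Set APPLY=1 to execute them (as root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Emit (or apply) the four rules, in the order they must be installed.
vpn_reply_rules() {
    # 1. Tag new connections arriving over the VPN on their conntrack entry.
    #    mangle/PREROUTING runs before nat/PREROUTING, so this still sees the
    #    packet before Docker's DNAT rewrites the destination to 172.18.0.2.
    run iptables -t mangle -A PREROUTING -i "$VPN_IF" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    # 2. Copy the connection mark onto packets coming back from the container.
    #    Restricting this to the bridge keeps the original-direction packets
    #    (tun0 -> container) unmarked, so they keep routing via the main table.
    run iptables -t mangle -A PREROUTING -i "$DOCKER_IF" -j CONNMARK --restore-mark
    # 3. Marked packets use the VPN table, whatever their source address.
    run ip rule add fwmark "$MARK" lookup "$VPN_TABLE"
    # 4. The VPN table needs its default route through the tunnel (as in the post).
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$VPN_TABLE"
}

# Checks to confirm the path afterwards. The two "ip route get" lookups
# simulate a reply from the container: without the mark it should resolve to
# ens160 (the broken path), with the mark it should resolve to tun0.
vpn_reply_checks() {
    run ip rule show
    run ip route show table "$VPN_TABLE"
    run iptables -t mangle -L PREROUTING -v -n
    run ip route get "$SERVER_A_WAN" from 172.18.0.2 iif "$DOCKER_IF"
    run ip route get "$SERVER_A_WAN" from 172.18.0.2 iif "$DOCKER_IF" mark "$MARK"
}

vpn_reply_rules
```

The connection-initiated-by-container case is unaffected: only connections whose first packet entered on tun0 ever receive the mark, so outbound traffic the container starts itself still follows the main table. If the reply still does not appear on tun0 after this, `conntrack -L` (from the conntrack-tools package) shows whether the entry for the connection actually carries `mark=1`, which separates a marking problem from a routing one.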