Docker Networking in bridge mode with multiple public IP Addresses #1441
Comments
These kinds of settings are covered in the docs... https://pterodactyl.io/daemon/configuration.html#custom-network-interfaces
Yes, they are covered until MASQUERADE disable. Please have a look at the article on medium.com, or if you prefer, test it yourself… It's fast to see what happens
We aren't touching the iptables rules in any way... ever. It's too easy to overlap a rule or something. I get that docker messes with things but that is how it is.
I'm sorry to read your answer, you admit the problem's existence but you state that you're not going to fix it or even to look into it. If you can tell where these things are managed at present (daemon part), I'll try to test something from my part, and if I find a good solution I'll be pleased to share.
Background (please complete the following information):
Describe the bug
Problem with MASQUERADE when running multiple servers on the same node with multiple Public IP Addresses.
Docker/Wings using default configuration with pterodactyl_nw
The problem is that outgoing traffic generated from inside containers always goes out using the primary IP Address, instead of using the assigned IP Address, because of docker iptables MASQUERADE.
Incoming traffic is OK because DNAT rules are applied correctly.
The only solution (partial solution) I've found is to:
Server 1: iptables -t nat -A POSTROUTING -s 172.18.0.2 ! -o pterodactyl_nw -j SNAT --to-source 1.1.1.1
Server 2: iptables -t nat -A POSTROUTING -s 172.18.0.3 ! -o pterodactyl_nw -j SNAT --to-source 2.2.2.2
Panel: PHP 7.2.14-1+0~20190113100742.14+stretch1.gbpd83c69 (cli) (built: Jan 13 2019 10:07:43) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.14-1+0~20190113100742.14+stretch1.gbpd83c69, Copyright (c) 1999-2018, by Zend Technologies
Daemon:
Linux node01 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The correct result should be 1.1.1.1 on container_id_1 and 2.2.2.2 on container_id_2 but because of MASQUERADE the result is 1.1.1.1 in both cases.
The correction is to manage SNAT rules directly with the daemon instead of using masquerade.
A full description can be found here: https://medium.com/@havloujian.joachim/advanced-docker-networking-outgoing-ip-921fc3090b09
This is why some Source games are not working when not in host mode. Fixing that also fixes the issue with these Source games by maintaining the docker network layer security.
Thx for your time :-)
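The per-server SNAT rules from the issue, generated from an allocation list, as an added example that is not part of the original issue or of Pterodactyl's code. The function names and the "container_ip public_ip" mapping format are assumptions; the script only prints commands, and it pairs each rule with an `iptables -C` check so that re-applying the list does not append duplicates.

```shell
#!/bin/sh
# Added example: print one SNAT rule per server, in the form used in the issue.
# Nothing is applied; review the output before running it as root.
BRIDGE="pterodactyl_nw"   # bridge name taken from the issue

is_ipv4() {
    # Accept only dotted quads whose octets are each 0..255.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

snat_rule() {
    # $1 = container address on the bridge, $2 = public address to leave from
    is_ipv4 "$1" && is_ipv4 "$2" || { echo "invalid address: $1 $2" >&2; return 1; }
    echo "POSTROUTING -s $1 ! -o $BRIDGE -j SNAT --to-source $2"
}

emit_rules() {
    # Reads "container_ip public_ip" lines on stdin; skips blanks and # comments.
    # Returns non-zero if any line was rejected, so a bad list is not half-applied silently.
    status=0
    while read -r cip pip rest; do
        case "$cip" in ''|'#'*) continue ;; esac
        if spec=$(snat_rule "$cip" "$pip"); then
            # -C checks whether the rule already exists; append only when it does not.
            echo "iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec"
        else
            status=1
        fi
    done
    return $status
}

# Constructed mapping using the two servers from the issue.
emit_rules <<'EOF'
172.18.0.2 1.1.1.1
172.18.0.3 2.2.2.2
EOF
```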