Network binding, docker and iptables port mirroring

I’m having no luck getting port 67 traffic redirected to port 6767. On my server, I’m running openhab 2.4 inside docker, and I’m running dhcpd on the host OS. No matter what I try, I can’t get port 67 traffic to get TEE’d to port 6767. Does anyone have any magic settings other than what’s documented on the network binding page? Those settings do not work for me for some reason. I appreciate any and all help. This is really driving me crazy. I can happily provide more info if someone can help out. I don’t know what info to start providing though.

First, are you using the recommended settings as documented on Docker Hub for the container, mainly --net=host? Without that I doubt that the changes to iptables would apply to the container, because without that option the container will be on a completely different network internal to Docker.

When you run sudo iptables -L do you see those two rules the binding readme has you add?

I am running in host network mode. At this point, I’m just trying to use tcpdump to see the packets on 6767, and I don’t see them yet. I do see the rules in iptables. The mangle table has a packet count that just skyrockets after the first packet that hits it, but the nat table rule never sees any packets at all.

Here’s my docker-compose file:

```yaml
version: '3.0'

services:
  openhab:
    container_name: openhab
    image: "openhab/openhab:latest-alpine"
    restart: always
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    ports:
      - "8081:8081"
      - "8443:8443"
      - "5007:5007"
      - "6767:6767/udp"
      - "45530:45530/udp"
      - "45786:45786/udp"
      - "55985:55985/udp"
      - "55986:55986/udp"
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "/etc/timezone:/etc/timezone:ro"
      - "./openhab_addons:/openhab/addons"
      - "./openhab_conf:/openhab/conf"
      - "./openhab_userdata:/openhab/userdata"
      - "./etc/init.d:/etc/cont-init.d"
    environment:
      OPENHAB_HTTP_PORT: "8081"
      OPENHAB_HTTPS_PORT: "8443"
      USER_ID: "1000"
      GROUP_ID: "100"
      EXTRA_JAVA_OPTS: "-Duser.timezone=US/Central"
    healthcheck:
      test: "curl --connect-timeout 5 --silent -f http://192.168.0.24:8081/ || exit 1"
      interval: 45s
      timeout: 30s
      retries: 3
```

If you don't see your iptables rules, then you've failed to set up the firewall correctly. You will not find the kind of support you need on this forum, I suspect. You need to go to Linux/iptables-specific forums for your host operating system to get good support on this. Iptables is a skill and an art unto itself and you will find very few experts here.

Ok, thanks. I do see the rules in iptables, just not the flow of packets I expect to see.

If I understand correctly, you want UDP traffic arriving on port 67 on the host to be duplicated to port 6767 which is exposed by the container?

A few basic questions to start with (sorry, if this all too obvious for you):

  1. Is there only one network interface on the host?
  2. What does the iptables entry look like?
  3. What does netstat tell about ports listened on?
  4. Have you defined a network in docker (I guess not, but just to be sure)?
  5. Do I understand correctly that the packet count stays zero for the rule?

There's only one physical network interface, but it is attached to a bridge (br0). I originally did this for LXC but I'm not sure I still need it. Here's the ifconfig (it's messy):

```
br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
        inet 192.168.0.24 netmask 255.255.255.0 broadcast 192.168.0.255
        ether 76:58:ac:0c:9b:3c txqueuelen 1000 (Ethernet)
        RX packets 3086583 bytes 3497668365 (3.2 GiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 4149922 bytes 2432432300 (2.2 GiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

br-3015e7b354db: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.32.1 netmask 255.255.240.0 broadcast 192.168.47.255
        ether 02:42:21:0c:ef:d1 txqueuelen 0 (Ethernet)
        RX packets 219 bytes 289400 (282.6 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 85043 bytes 5008759 (4.7 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

br-8b60d491c1f8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.48.1 netmask 255.255.240.0 broadcast 192.168.63.255
        ether 02:42:1a:dc:bd:bc txqueuelen 0 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 84761 bytes 4946933 (4.7 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
        inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
        ether 02:42:53:ec:97:54 txqueuelen 0 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 35 bytes 3831 (3.7 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

docker_gwbridge: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 172.19.0.1 netmask 255.255.0.0 broadcast 172.19.255.255
        ether 02:42:40:39:91:dc txqueuelen 0 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 84749 bytes 4943932 (4.7 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        ether d4:3d:7e:f3:21:66 txqueuelen 1000 (Ethernet)
        RX packets 4706084 bytes 3648578376 (3.3 GiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 4150749 bytes 2434290637 (2.2 GiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
        device interrupt 19

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        loop txqueuelen 1000 (Local Loopback)
        RX packets 349579 bytes 69430481 (66.2 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 349579 bytes 69430481 (66.2 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vethb5f1b77: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        ether ae:95:c0:97:f6:79 txqueuelen 0 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 85573 bytes 4971460 (4.7 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vethdba650d: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        ether 92:6f:a2:5e:c1:c7 txqueuelen 0 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 85585 bytes 4974461 (4.7 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vethf3634a8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        ether 6a:71:78:68:ce:09 txqueuelen 0 (Ethernet)
        RX packets 1162 bytes 1079339 (1.0 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 87008 bytes 5824087 (5.5 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vethf6cc792: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        ether 72:d2:a0:4d:0f:f4 txqueuelen 0 (Ethernet)
        RX packets 1640 bytes 1142869 (1.0 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 87028 bytes 6115556 (5.8 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```

Here's the iptables filter table:

```
Chain INPUT (policy ACCEPT 3265K packets, 3461M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3062 2241K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
3062 2241K DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker_gwbridge 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker_gwbridge 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker_gwbridge !docker_gwbridge 0.0.0.0/0 0.0.0.0/0
2773 1947K ACCEPT all -- * br-3015e7b354db 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
78 4680 DOCKER all -- * br-3015e7b354db 0.0.0.0/0 0.0.0.0/0
211 289K ACCEPT all -- br-3015e7b354db !br-3015e7b354db 0.0.0.0/0 0.0.0.0/0
53 3180 ACCEPT all -- br-3015e7b354db br-3015e7b354db 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br-8b60d491c1f8 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-8b60d491c1f8 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-8b60d491c1f8 !br-8b60d491c1f8 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-8b60d491c1f8 br-8b60d491c1f8 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- docker_gwbridge docker_gwbridge 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3034K packets, 2368M bytes)
pkts bytes target prot opt in out source destination

Chain DOCKER (4 references)
pkts bytes target prot opt in out source destination
25 1500 ACCEPT tcp -- !br-3015e7b354db br-3015e7b354db 0.0.0.0/0 192.168.32.3 tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker_gwbridge !docker_gwbridge 0.0.0.0/0 0.0.0.0/0
211 289K DOCKER-ISOLATION-STAGE-2 all -- br-3015e7b354db !br-3015e7b354db 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-8b60d491c1f8 !br-8b60d491c1f8 0.0.0.0/0 0.0.0.0/0
3062 2241K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (4 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * docker_gwbridge 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-3015e7b354db 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-8b60d491c1f8 0.0.0.0/0 0.0.0.0/0
211 289K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
3062 2241K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
```

When I put the rules in, they appear in the mangle and nat tables. But as soon as a packet destined for port 67 hits the server, the packet count for the rule in the mangle table starts skyrocketing while the packet count for the rule in the nat table stays at zero.

netstat does not show the ports listening, but the container is in host networking mode and besides, I'm just trying to see the packets via tcpdump and I'm not.

I DID get this to work on a base ubuntu machine, no docker, no lxc, no bridges. So I know the rules work. But I even tried flushing every single chain in iptables on the machine I need it on and it still wouldn’t work. That’s got me thinking it has something to do with br0 and the way it is set up.

The output is a bit hard to read without code fences (please use code fences :smiley:), but I think your network config could use some cleaning up. The combination of the bridge config and Docker config makes it harder to set up a proper iptables config as well.

I suggest simplifying the network setup first. And did you also check the routing table?

Did you try removing these ports? If you use host networking there should be no need for this kind of configuration.

Ok, let's try again. I removed the br0 bridge (I really thought that was the issue). I'm running about 5 Docker containers, so that's the reason for all of the veth and br interfaces. The intent is just to get packets on port 67 from the eth0 interface duplicated onto port 6767, because my DHCP server is also running on this machine. So it needs to listen on port 67 as well as openHAB listening on 6767.

/proc/sys/net/ipv4/ip_forward is set to 1.

ifconfig:

```
br-3015e7b354db: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.32.1  netmask 255.255.240.0  broadcast 192.168.47.255
        ether 02:42:67:90:85:6d  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 171  bytes 12968 (12.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

br-8b60d491c1f8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.48.1  netmask 255.255.240.0  broadcast 192.168.63.255
        ether 02:42:6b:11:d5:d5  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 169  bytes 12575 (12.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:48:c8:b4:68  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker_gwbridge: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.19.0.1  netmask 255.255.0.0  broadcast 172.19.255.255
        ether 02:42:03:8b:ce:f0  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 163  bytes 11719 (11.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.24  netmask 255.255.255.0  broadcast 192.168.0.255
        ether d4:3d:7e:f3:21:66  txqueuelen 1000  (Ethernet)
        RX packets 3978  bytes 2809275 (2.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2921  bytes 617239 (602.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1023  bytes 189099 (184.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1023  bytes 189099 (184.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth3697022: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 2a:5d:81:51:2e:da  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 181  bytes 13726 (13.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth011a54d: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether d2:eb:63:ab:68:b0  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 173  bytes 12477 (12.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth6f1a42a: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 06:f5:71:c5:ec:aa  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 178  bytes 13460 (13.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth809aff8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether ea:17:21:01:20:2f  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 180  bytes 13403 (13.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

iptables -t filter:

```
Chain INPUT (policy ACCEPT 5427 packets, 3305K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      br-8b60d491c1f8  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-8b60d491c1f8  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-8b60d491c1f8 !br-8b60d491c1f8  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-8b60d491c1f8 br-8b60d491c1f8  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      br-3015e7b354db  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-3015e7b354db  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-3015e7b354db !br-3015e7b354db  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-3015e7b354db br-3015e7b354db  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  docker_gwbridge docker_gwbridge  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 5927 packets, 1592K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-3015e7b354db br-3015e7b354db  0.0.0.0/0            192.168.32.3         tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-8b60d491c1f8 !br-8b60d491c1f8  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-3015e7b354db !br-3015e7b354db  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-8b60d491c1f8  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-3015e7b354db  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
```

iptables -t nat:

```
Chain PREROUTING (policy ACCEPT 87 packets, 8917 bytes)
 pkts bytes target     prot opt in     out     source               destination
   74  7019 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 87 packets, 8917 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 504 packets, 36337 bytes)
 pkts bytes target     prot opt in     out     source               destination
   32  1926 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 504 packets, 36337 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !br-8b60d491c1f8  192.168.48.0/20      0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !docker_gwbridge  172.19.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !br-3015e7b354db  192.168.32.0/20      0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       192.168.32.3         192.168.32.3         tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-8b60d491c1f8 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  docker_gwbridge *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-3015e7b354db *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !br-3015e7b354db *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8086 to:192.168.32.3:80
```

iptables -t mangle:

```
Chain PREROUTING (policy ACCEPT 10497 packets, 4303K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 10496 packets, 4303K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 11402 packets, 3304K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 11630 packets, 3332K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

route table:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         bob             0.0.0.0         UG    2      0        0 eth0
loopback        scooby.mdabbs. 255.0.0.0       UG    0      0        0 lo
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker_gwbridge
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.32.0    0.0.0.0         255.255.240.0   U     0      0        0 br-3015e7b354db
192.168.48.0    0.0.0.0         255.255.240.0   U     0      0        0 br-8b60d491c1f8
```

I know the port specs probably aren't needed, but I don't think it's of any concern just yet. I'm still unable to even duplicate the port 67 traffic onto port 6767.

Here’s a cleaner version: no containers running and the iptables rules in place. I changed the first rule because matching on ! -s 127.0.0.1 just causes packets to be tee’d recursively. And the second rule I forwarded to 6868.

ifconfig:

```
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:48:c8:b4:68  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker_gwbridge: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.19.0.1  netmask 255.255.0.0  broadcast 172.19.255.255
        ether 02:42:03:8b:ce:f0  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4654  bytes 276291 (269.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.24  netmask 255.255.255.0  broadcast 192.168.0.255
        ether d4:3d:7e:f3:21:66  txqueuelen 1000  (Ethernet)
        RX packets 62017  bytes 63971403 (61.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 48699  bytes 9085962 (8.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 9571  bytes 3220810 (3.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9571  bytes 3220810 (3.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth011a54d: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether d2:eb:63:ab:68:b0  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4681  bytes 277745 (271.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

iptables -t nat

```
iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 11 packets, 665 bytes)
 pkts bytes target     prot opt in     out     source               destination
  441 36004 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 11 packets, 665 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  6103 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DNAT       udp  --  *      *       127.0.0.1            0.0.0.0/0            udp dpt:67 to:127.0.0.1:6868

Chain POSTROUTING (policy ACCEPT 3 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      !docker_gwbridge  172.19.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  docker_gwbridge *       0.0.0.0/0            0.0.0.0/0
```

iptables -t mangle

```
Chain PREROUTING (policy ACCEPT 717 packets, 70304 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TEE        udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 TEE gw:127.0.0.1

Chain INPUT (policy ACCEPT 717 packets, 70304 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 711 packets, 83429 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 711 packets, 83429 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

Here’s the output when I do a DHCP request:

```
tcpdump -n -nn -i any port 6868 or port 67
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
03:12:00.690697 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 48:88:ca:36:46:7a, length 304
03:12:00.690734 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 48:88:ca:36:46:7a, length 304
03:12:00.719840 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 48:88:ca:36:46:7a, length 316
03:12:00.719872 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 48:88:ca:36:46:7a, length 316
^C
4 packets captured
7 packets received by filter
0 packets dropped by kernel
```
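A small diagnostic, added here as an example (not part of any post, nor of the binding), that reads pasted `iptables -t mangle -vnL` and `iptables -t nat -vnL` listings like the ones above and explains what the TEE and DNAT counters imply. The two listings embedded in it are constructed to mirror the symptom described in this thread (TEE counter rising, DNAT counter stuck at zero); the port numbers and chain names are the ones the binding documentation uses.

```python
"""Diagnose DHCP port-mirroring rules (mangle TEE + nat DNAT) from pasted
`iptables -t <table> -vnL` output. -n is required so ports print as
dpt:67 rather than dpt:bootps."""
import re
from dataclasses import dataclass

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# -vnL columns: pkts bytes target prot opt in out source destination [matches]
RULE_RE = re.compile(r"^\s*" + r"(\S+)\s+" * 8 + r"(\S+)\s*(.*)$")


def counter(text: str) -> int:
    """iptables -v abbreviates large counters as 2241K / 3M / 1G (decimal)."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(text[:-1]) * mult[text[-1]] if text[-1] in mult else int(text)


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str
    dest: str
    matches: str  # everything after the destination column


def parse_table(text: str) -> list:
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if chain is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        pkts, _bytes, target, proto, _opt, in_if, out_if, src, dst, rest = m.groups()
        rules.append(Rule(chain, counter(pkts), target, proto, in_if, out_if,
                          src, dst, rest.strip()))
    return rules


def find_rule(rules, chain, target, port):
    """First udp rule in `chain` with the given target and destination port."""
    for r in rules:
        if (r.chain == chain and r.target == target and r.proto == "udp"
                and re.search(rf"\bdpt:{port}\b", r.matches)):
            return r
    return None


def diagnose(mangle_text: str, nat_text: str, port: int = 67,
             mirror_port: int = 6767) -> list:
    findings = []
    tee = find_rule(parse_table(mangle_text), "PREROUTING", "TEE", port)
    dnat = find_rule(parse_table(nat_text), "OUTPUT", "DNAT", port)
    if tee is None:
        findings.append(f"no TEE rule for udp dpt:{port} in mangle PREROUTING")
    else:
        if tee.in_if != "!lo" and not tee.source.startswith("!127."):
            findings.append("TEE rule lacks a loopback exclusion (-i ! lo): the clone "
                            "sent to 127.0.0.1 re-enters PREROUTING on lo and is cloned again")
        if tee.pkts == 0:
            findings.append("TEE counter is zero: no DHCP packet has reached PREROUTING yet")
    if dnat is None:
        findings.append(f"no DNAT rule for udp dpt:{port} in nat OUTPUT")
    else:
        if not re.search(rf"\bto:\S+:{mirror_port}\b", dnat.matches):
            findings.append(f"DNAT rule does not redirect to port {mirror_port}: {dnat.matches}")
        if dnat.source not in ("0.0.0.0/0", "anywhere"):
            findings.append(f"DNAT rule only matches source {dnat.source}; TEE keeps the "
                            "original source (0.0.0.0 for a DHCPDISCOVER), so clones cannot match")
        if tee is not None and tee.pkts > 0 and dnat.pkts == 0:
            findings.append("TEE fires but DNAT never matches: the kernel marks TEE clones "
                            "conntrack-untracked, and the nat table is consulted only for tracked "
                            "connections, so no nat rule ever sees the clone")
    return findings


# Constructed listings modelled on this thread: TEE has fired, DNAT has not.
MANGLE_SAMPLE = """\
Chain PREROUTING (policy ACCEPT 717 packets, 70304 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  3840 TEE        udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 TEE gw:127.0.0.1

Chain INPUT (policy ACCEPT 717 packets, 70304 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""
NAT_SAMPLE = """\
Chain OUTPUT (policy ACCEPT 3 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  6103 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DNAT       udp  --  *      *       127.0.0.1            0.0.0.0/0            udp dpt:67 to:127.0.0.1:6767
"""

if __name__ == "__main__":
    for finding in diagnose(MANGLE_SAMPLE, NAT_SAMPLE):
        print("-", finding)
```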

Hi all,
I'm new here and I have the same issue.
I want to run openHAB and Pi-hole with Docker on the same Pi.
So I have to duplicate the traffic because Pi-hole also needs port 67.

I'm using openHAB 2.4 and Network Binding 2.5

"org.openhab.binding.network-2.5.0_c"

I tried the iptables functions but it's not working for me.

I always get the message:

dhcp_state : …Prot forwarding neccessary!

So … here's my config:

Docker Compose:

```yaml
version: "2.2"
services:
  openhab:
    container_name: openhab2
    image: "openhab/openhab:latest"
    restart: always
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "/etc/timezone:/etc/timezone:ro"
      - "./addons:/openhab/addons"
      - "./conf:/openhab/conf"
      - "./userdata:/openhab/userdata"
```

sudo netstat -tulpen | grep 6767

```
Proto Recv-Q Send-Q Local Address Foreign Address State Benutzer Inode PID/Program name
udp 0 0 0.0.0.0:6767 0.0.0.0:* 9001 1101189 18923/java
```

sudo sysctl -p

```
net.ipv4.ip_forward = 1
net.ipv6.conf.all.disable_ipv6 = 1
```

sudo iptables -t nat -L

```
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
DNAT udp -- localhost anywhere udp dpt:bootps to:127.0.0.1:6767
```

sudo iptables -t mangle -L

```
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
TEE udp -- !localhost anywhere udp dpt:bootps TEE gw:localhost
```

sudo iptables -L

```
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:6767
```

Well, I’m convinced there’s just no way to do this with ubuntu’s kernel and iptables. I’ve been racking my brain for a week and cannot get the cloned packet to hit the nat OUTPUT chain. I’ve looked into ip_forward and route_localnet options. I’ve tried adding a dummy0 interface, just about everything I can think of. The cloned packet appears on lo, it hits nat PREROUTING and then disappears. I’ve tried tracing it with the raw table and kernel log and it just disappears.

If someone has a working system, could you please post the iptables rules and the ip_forward and route_localnet options? I'm starting to think I need to run openHAB on a server other than the one my DHCP server is running on, which is a very last resort for me.

I would revert to the bridge setup where all VMs have their own Ethernet interface. After that, look into ebtables. You can do all sorts of things with a bridge. For example, in my router I have blocked everything except the http and https ports under IPv6 on one physical device. So only my server's nginx service is open to the public.

Hello,
for me it's working with macvlan.
The container gets its own IP in my subnet, not the Docker subnet.

And last but not least, the container has to run as root.
So it's using DHCP without problems.

command: "tini -s ./start.sh server"