Develop Reference

Iptables block access docker container from host

I have iptables rules that blocking access to DOCKER Container from host (accessing from outside network is working fine), most of these rules is writen by my ex-coworking so basically i have no experience on writing iptables rules
could someone help me with some advice of which line of the rules should I edit/remove/add so I can simply CURL my DOCKER Container from host
here is my iptables rules
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N cphulk
-N dynamic
-N loc-fw
-N loc_frwd
-N logdrop
-N logflags
-N logreject
-N net-fw
-N net-loc
-N net_frwd
-N reject
-N sha-lh-f039fe5b47b48a558b61
-N sha-rh-5f1a9db64e7d114e7d5b
-N shorewall
-N smurflog
-N smurfs
-N tcpflags
-A INPUT -j cphulk
-A INPUT -i eth0 -j net-fw
-A INPUT -i eth1 -j loc-fw
-A INPUT -i lo -j ACCEPT
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "INPUT REJECT " --log-level 6
-A INPUT -g reject
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-d7d9cacee34d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-d7d9cacee34d -j DOCKER
-A FORWARD -i br-d7d9cacee34d ! -o br-d7d9cacee34d -j ACCEPT
-A FORWARD -i br-d7d9cacee34d -o br-d7d9cacee34d -j ACCEPT
-A FORWARD -o br-72d36b8824e3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-72d36b8824e3 -j DOCKER
-A FORWARD -i br-72d36b8824e3 ! -o br-72d36b8824e3 -j ACCEPT
-A FORWARD -i br-72d36b8824e3 -o br-72d36b8824e3 -j ACCEPT
-A FORWARD -i eth0 -j net_frwd
-A FORWARD -i eth1 -j loc_frwd
-A FORWARD -m addrtype --dst-type BROADCAST -j DROP
-A FORWARD -m addrtype --dst-type ANYCAST -j DROP
-A FORWARD -m addrtype --dst-type MULTICAST -j DROP
-A FORWARD -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "FORWARD REJECT " --log-level 6
-A FORWARD -g reject
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1337 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-d7d9cacee34d ! -o br-d7d9cacee34d -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-72d36b8824e3 ! -o br-72d36b8824e3 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-d7d9cacee34d -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-72d36b8824e3 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T21:20:09 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T21:39:50 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T22:04:17 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T22:04:18 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T22:13:35 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T23:25:36 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T02:26:53 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T02:26:54 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T03:21:43 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T07:59:55 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T15:33:49 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T16:09:47 -j DROP
-A loc-fw -j dynamic
-A loc-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A loc-fw -p tcp -j tcpflags
-A loc-fw -j ACCEPT
-A loc_frwd -j dynamic
-A loc_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A loc_frwd -p tcp -j tcpflags
-A loc_frwd -o eth0 -j ACCEPT
-A logdrop -j DROP
-A logflags -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "logflags DROP " --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net-fw -j dynamic
-A net-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A net-fw -p udp -m udp --dport 67:68 -j ACCEPT
-A net-fw -p tcp -j tcpflags
-A net-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net-fw -p tcp -m multiport --dports 22,53,80,443,10000,3306,5500,2087,2083,21,110,995,993,25,465 -j ACCEPT
-A net-fw -p tcp -m multiport --dports 587,2096,5432,8080 -j ACCEPT
-A net-fw -p tcp -m multiport --dports 8181 -j ACCEPT
-A net-fw -p udp -m udp --dport 53 -j ACCEPT
-A net-fw -m addrtype --dst-type BROADCAST -j DROP
-A net-fw -m addrtype --dst-type ANYCAST -j DROP
-A net-fw -m addrtype --dst-type MULTICAST -j DROP
-A net-fw -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "net-fw DROP " --log-level 6
-A net-fw -j DROP
-A net-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-loc -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net-loc -m addrtype --dst-type BROADCAST -j DROP
-A net-loc -m addrtype --dst-type ANYCAST -j DROP
-A net-loc -m addrtype --dst-type MULTICAST -j DROP
-A net-loc -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "net-loc DROP " --log-level 6
-A net-loc -j DROPn
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
-A smurflog -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "smurfs DROP " --log-level 6
-A smurflog -j DROP
-A smurfs -s 0.0.0.0/32 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -g smurflog
-A smurfs -s 224.0.0.0/4 -g smurflog
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
Thank you

Blocking YouTube videos with iptables

I'm trying to find a way to block YouTube video playback on my kid's Ubuntu computer. I created a shell script to get Youtube IPs and add them to iptables for incoming packets to be dropped. To do so I grab IPs with whois -h whois.radb.net -- '-i origin AS15169'
The problem is that I not only get YouTube IPs, but all Google IPs. Thus, blocking them also blocks access to other Google services, among them Google Search, Google Drive, Google Mail, etc.
I added a few exceptions too, with a domain whitelist, but this remains not enough.
Here is the shell script:
#!/bin/bash
IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
function block_ips() {
for THIS_IP in $1; do
# IPv4 range
if [[ $THIS_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$ ]]; then
echo "Blocking $THIS_IP"
$IPTABLES -A funban -s $THIS_IP -j fundrop
fi
# IPv4
if [[ $THIS_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Blocking $THIS_IP"
$IPTABLES -A funban -s $THIS_IP -j fundrop
fi
# IPv6 range
if [[ $THIS_IP =~ ^([0-9A-Fa-f]{0,4}:){0,7}[0-9A-Fa-f]{0,4}\/[0-9]{1,3}$ ]]; then
echo "Blocking $THIS_IP"
$IP6TABLES -A funban -s $THIS_IP -j fundrop
fi
# IPv6
if [[ $THIS_IP =~ ^([0-9A-Fa-f]{0,4}:){0,7}[0-9A-Fa-f]{0,4}$ ]]; then
echo "Blocking $THIS_IP"
$IP6TABLES -A funban -s $THIS_IP -j fundrop
fi
done
}
function accept_ips() {
for THIS_IP in $1; do
# IPv4 range
if [[ $THIS_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$ ]]; then
echo "Allowing $THIS_IP"
errormessage=$(${IPTABLES} -C funban -s $THIS_IP -j ACCEPT 2>&1)
if [[ $errormessage =~ 'Bad rule' ]]; then
echo " Added $THIS_IP"
$IPTABLES -I funban -s $THIS_IP -j ACCEPT
fi
fi
# IPv4
if [[ $THIS_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
errormessage=$(${IPTABLES} -C funban -s $THIS_IP -j ACCEPT 2>&1)
if [[ $errormessage =~ 'Bad rule' ]]; then
echo " Added $THIS_IP"
$IPTABLES -I funban -s $THIS_IP -j ACCEPT
fi
fi
# IPv6 range
if [[ $THIS_IP =~ ^([0-9A-Fa-f]{0,4}:){0,7}[0-9A-Fa-f]{0,4}\/[0-9]{1,3}$ ]]; then
errormessage=$(${IP6TABLES} -C funban -s $THIS_IP -j ACCEPT 2>&1)
if [[ $errormessage =~ 'Bad rule' ]]; then
echo " Added $THIS_IP"
$IP6TABLES -I funban -s $THIS_IP -j ACCEPT
fi
fi
# IPv6
if [[ $THIS_IP =~ ^[0-9A-Fa-f]{0,4}:([0-9A-Fa-f]{0,4}:){0,6}[0-9A-Fa-f]{0,4}$ ]]; then
errormessage=$(${IP6TABLES} -C funban -s $THIS_IP -j ACCEPT 2>&1)
if [[ $errormessage =~ 'Bad rule' ]]; then
echo " Added $THIS_IP"
$IP6TABLES -I funban -s $THIS_IP -j ACCEPT
fi
fi
done
}
function get_ip4() {
echo "$(dig ${1} A | grep -E '^[^;]' | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')"
}
function get_ip6() {
echo "$(dig ${1} AAAA | grep -E '^[^;]' | grep -o -E '[0-9A-Fa-f]{0,4}:([0-9A-Fa-f]{0,4}:){0,6}[0-9A-Fa-f]{0,4}')"
}
errormessage=$(${IPTABLES} -n -L funban 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
echo "Create funban (IPv4)"
$IPTABLES -N funban
fi
errormessage=$(${IP6TABLES} -n -L funban 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
echo "Create funban (IPv6)"
$IP6TABLES -N funban
fi
errormessage=$(${IPTABLES} -L fundrop 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
echo "Create fundrop (IPv4)"
$IPTABLES -N fundrop
$IPTABLES -A fundrop -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A fundrop -j DROP
fi
errormessage=$(${IP6TABLES} -L fundrop 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
echo "Create fundrop (IPv6)"
$IP6TABLES -N fundrop
$IP6TABLES -A fundrop -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IP6TABLES -A fundrop -j DROP
fi
errormessage=$(${IPTABLES} -C INPUT -j funban 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
echo "Filter IPv4"
$IPTABLES -A INPUT -j funban
fi
errormessage=$(${IP6TABLES} -C INPUT -j funban 2>&1)
if [[ $errormessage =~ 'No chain/target/match by that name' ]]; then
echo "Filter IPv6"
$IP6TABLES -A INPUT -j funban
fi
# Flush funban chain
$IPTABLES -F funban
$IP6TABLES -F funban
# Block all Google-related IPs. The "AS15169" is taken from
# http://networktools.nl/asinfo/google.com
# Add these IPs to make google search to work (NOTE: This is not sufficient and blocks Google searches)
block_ips "$(whois -h whois.radb.net -- '-i origin AS15169' | grep -E '^route6?\:')"
while read domain; do
echo "Whitelisting $domain"
accept_ips $(get_ip4 $domain)
accept_ips $(get_ip6 $domain)
done <whitelist.txt
I am trying to find another robust solution, based on iptables (my kid is clever enough to circumvent hosts blocking, for example).
I though about mDPI netfilter but it seems it's no longer available as an iptables module in Ubuntu 20.04.
$ iptables -mndpi –help
iptables v1.8.4 (legacy): Couldn't load match `ndip':No such file or directory
Any idea?

How to list exposed port of all containers?

We have lots of containers started using Rancher with each container exposing multiple ports. Since we started the containers with Rancher, no port is exposed to the host by default.
$ docker container ls
shows no exposed ports for containers started by rancher. Rancher CLI rancheris not installed.
How to list ports which are exposed within the rancher network? Is this possible using the docker command? Or do I need rancher?

for show ports on one host you can try to use
docker container ls --format "table {{.ID}}\t{{.Names}}\t{{.Ports}}" -a
more examples you can find here docker-container-ls by manpages.ubuntu.com

Rancher doesn't use docker paradigm for exposing ports, hence the information is not available using any of the docker command.
The ports are exposed on the host using custom iptables rules.
iptables-save | grep "\-A CATTLE_HOSTPORTS_POSTROUTING"
Though not pretty, the above command gives you a list of all rules related to exposed ports.

You can use the following command to see Rancher's exposed ports so that it will show you the port number highlighted. However, it will not demonstrate to you which container exactly exposed which of the ports. Anyway, you will be able to deduce it by the name, using the "comments" section like "ingress-nginx/default-http-backend cluster IP":
iptables-save | grep -P "(--to-destination|--.port)" | grep -v "DROP" | grep -P ":\d+|--dport \d+"
With the above command, you will see the output like the following:
-A KUBE-SEP-2ICPNCS4ZCJFOURG -p tcp -m comment --comment "ingress-nginx/default-http-backend" -m tcp -j DNAT --to-destination 10.42.1.3:8080
-A KUBE-SEP-7KPAUC7DBZEOGEJO -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.42.0.6:53
-A KUBE-SEP-F4W6KYXNUTEPM6IK -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.42.1.2:9153
-A KUBE-SEP-J7ZDRJF2PSY5XJQS -p tcp -m comment --comment "kube-system/metrics-server:https" -m tcp -j DNAT --to-destination 10.42.0.5:4443
-A KUBE-SEP-KAJYD2TZYV7IYC6H -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.42.1.2:53
-A KUBE-SEP-LJF33VEROEJBDKWI -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.42.1.2:53
-A KUBE-SEP-PK2JJP3XEEJW3OPW -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.42.0.6:9153
-A KUBE-SEP-QMNQ4GQ2JI3QXI4N -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.42.0.6:53
-A KUBE-SEP-U5JKF7K4YNNYXQDU -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 138.201.139.162:6443
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.203.205/32 -p tcp -m comment --comment "kube-system/metrics-server:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.203.205/32 -p tcp -m comment --comment "kube-system/metrics-server:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-Z4ANX4WAEWEBLCTM
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.158.90/32 -p tcp -m comment --comment "ingress-nginx/default-http-backend cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.158.90/32 -p tcp -m comment --comment "ingress-nginx/default-http-backend cluster IP" -m tcp --dport 80 -j KUBE-SVC-JTFAIQOSQRKTQWS3
Therefore, you will see that multiple containers handle ports 80 and 443. You will not see the container names, but you will see their IP addresses, so you will be able to run docker inspect and find mathces. To see precisely who listens on certain ports, e.g 80 and 443, append one more grep to the command:
iptables-save | grep -P "(--to-destination|--.port)" | grep -v "DROP" | grep -P ":\d+|--dport \d+"|grep -P "\b(443|80)\b"
Therefore, you will see:
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.203.205/32 -p tcp -m comment --comment "kube-system/metrics-server:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.203.205/32 -p tcp -m comment --comment "kube-system/metrics-server:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-Z4ANX4WAEWEBLCTM
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.158.90/32 -p tcp -m comment --comment "ingress-nginx/default-http-backend cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.158.90/32 -p tcp -m comment --comment "ingress-nginx/default-http-backend cluster IP" -m tcp --dport 80 -j KUBE-SVC-JTFAIQOSQRKTQWS3
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y

how to config nginx link to docker container?

need help,spend more than 30 hours...realy need help...thanks
system:centos 7
i have nginx and docker container (ps:gitlab),i have problem with connection with nginx - docker container(gitlab),i get nothing when use git.xxx.com:8800 try to connect,i think is problem with configuration, here is my config:
docker container(gitlab):
sudo docker run -d \
--hostname git.xxx.com \
--publish 127.0.0.1:8800:80 \
--publish 127.0.0.1:23:22 \
--name gitlab \
--memory 4gb \
--cpus 2 \
--restart always \
--volume /Volumes/docker_gitlab/config:/etc/gitlab \
--volume /Volumes/docker_gitlab/logs:/var/log/gitlab \
--volume /Volumes/docker_gitlab/data:/var/opt/gitlab \
--env GITLAB_OMNIBUS_CONFIG="external_url 'http://git.xxx.com:8800'; gitlab_rails['gitlab_shell_ssh_port']=23;" \
gitlab/gitlab-ce:latest
nginx:
server {
listen *:8800;
server_name git.xxx.com;
location / {
proxy_pass http://172.17.0.2:80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
iptables -s:
[root#localhost ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
try to test the url connection in centos:
curl -vvv 'http://127.0.0.1:8800'
* About to connect() to 127.0.0.1 port 8800 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8800 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8800
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
just done ! Update,when you use docker run.. docker will write iptables rule to the /etc/sysconfig/iptables,so dont need to write rule manualy
docker container(gitlab):
sudo docker run -d \
--hostname git.xxx.com \
--publish 30000:30000 \
--publish 30001:22 \
--name gitlab \
--memory 4gb \
--cpus 2 \
--restart always \
--volume /Volumes/docker_gitlab/config:/etc/gitlab \
--volume /Volumes/docker_gitlab/logs:/var/log/gitlab \
--volume /Volumes/docker_gitlab/data:/var/opt/gitlab \
--env GITLAB_OMNIBUS_CONFIG="external_url 'http://git.xxx.com:30000'; gitlab_rails['gitlab_shell_ssh_port']=30001;" \
gitlab/gitlab-ce:latest
nginx: dont need to change anything

How to make Docker container see real user IP?

The problem
Inside nginx-proxy Docker container (more info below), I always see the same IP adress for every connection: 172.18.0.1 (which is the nginx-proxy network gateway). For example:
nginx.1 | www.my-site.tld 172.18.0.1 - - [28/Nov/2017:17:22:21 +0000] "GET /some/path HTTP/2.0" 200 46576 "https://www.my-site.tld/some/path" "Mozilla/5.0 (Linux; Android 4.4.2; PSP5507DUO Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 YaBrowser/17.10.0.446.00 Mobile Safari/537.36"
No matter if I make requests from the external network, of from the local machine, or even from the server (host) itself, the IP address is always 172.18.0.1.
What I need is to see the real client IP.
Attempts to fix
I have googled a lot, and tried different solutions, but none worked for me. I tried the following:
disabling firewalld (nothing works at all in that case, of course,
iptables are empty);
using --userland-proxy=false (no luck);
using --net=host (not a solution at all, and does not work, too).
Related links:
https://github.com/jwilder/nginx-proxy/issues/130
https://github.com/jwilder/nginx-proxy/issues/133
So, any ideas? Seems to be either iptables routing issues or internal Docker bug. Anyway, it is for sure related to Docker, because the following displays correct remote user IP:
[root#server]# nc -lv 12345
[user#remote-client]$ nc -vz MY.IP.ADDRESS.HERE 12345
Very weird!
Now I'm going to provide full information about the system, so please be patient. :)
Basic
I have Centos 7.4 and Docker installed:
# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core)
# uname -r
3.10.0-693.5.2.el7.x86_64
# docker version
Client:
Version: 17.09.0-ce
API version: 1.32
Go version: go1.8.3
Git commit: afdb6d4
Built: Tue Sep 26 22:41:23 2017
OS/Arch: linux/amd64
Server:
Version: 17.09.0-ce
API version: 1.32 (minimum version 1.12)
Go version: go1.8.3
Git commit: afdb6d4
Built: Tue Sep 26 22:42:49 2017
OS/Arch: linux/amd64
Experimental: false
firewalld is used as a firewall.
Network configuration
Interfaces
There are three physical interfaces:
# ifconfig | grep -A 7 enp
enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::1ad6:c7ff:fe00:fc98 prefixlen 64 scopeid 0x20<link>
ether 18:d6:c7:00:fc:98 txqueuelen 1000 (Ethernet)
RX packets 11530516 bytes 2220554890 (2.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24237462 bytes 31702254967 (29.5 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::1ad6:c7ff:fe06:ef36 prefixlen 64 scopeid 0x20<link>
ether 18:d6:c7:06:ef:36 txqueuelen 1000 (Ethernet)
RX packets 948513 bytes 143294797 (136.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2371584 bytes 3207775040 (2.9 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 31.172.141.111 netmask 255.255.255.128 broadcast MY.EXTERNAL.IP.HERE
inet6 fe80::127b:44ff:fe46:c2d1 prefixlen 64 scopeid 0x20<link>
ether 10:7b:44:46:c2:d1 txqueuelen 1000 (Ethernet)
RX packets 46772225 bytes 57416420859 (53.4 GiB)
RX errors 0 dropped 1 overruns 0 frame 0
TX packets 28814037 bytes 10943786995 (10.1 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
And a virtual bridge (enp1s0 and enp2s0):
# ifconfig | grep -A 7 virbr
virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::1ad6:c7ff:fe00:fc98 prefixlen 64 scopeid 0x20<link>
ether 18:d6:c7:00:fc:98 txqueuelen 1000 (Ethernet)
RX packets 11542053 bytes 2042945874 (1.9 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26586017 bytes 34919742970 (32.5 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Firewall zones
The enp3s0 interface is connected to the Internet (--zone=public), and virbr0 is connected to the internal local network (--zone=internal).
Forwarding and masquerading
IPv4 forwarding is enabled:
# cat /proc/sys/net/ipv4/ip_forward
1
and masquerading on public zone is configured with firewalld:
# firewall-cmd --zone=public --list-all
success
Docker configuration
Docker has default configuration.
Networking
I only created a network:
# docker network create -d bridge nginx-proxy
Here is it's configuration:
# docker network inspect nginx-proxy
[
{
"Name": "nginx-proxy",
"Id": "192821446c9a5891fd1a7e240533cefb81ba0548033acb605eea805abec83505",
"Created": "2017-11-24T14:25:10.687199435+02:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.18.0.0/16",
"Gateway": "172.18.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"1c563c33a45c9feabee4cb5ec3194464c66bfad1e233dedb797e269649067159": {
"Name": "nginxproxy_nginx-proxy_1",
"EndpointID": "683ceaced8eb416b485775734ca6828e9eced5ea6e3c7a76960c4eb807b521d9",
"MacAddress": "02:42:ac:12:00:02",
"IPv4Address": "172.18.0.2/16",
"IPv6Address": ""
}
},
"Options": {},
"Labels": {}
}
]
Images and containers
I'm using jwilder/nginx-proxy image. Here is my docker-compose.yml:
version: '3'
services:
nginx-proxy:
image: jwilder/nginx-proxy:alpine
labels:
- 'com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true'
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
ports:
- '80:80'
- '443:443'
networks:
nginx-proxy:
networks:
nginx-proxy:
depends_on:
- nginx-proxy
networks:
nginx-proxy:
external:
name: nginx-proxy
As you can see, nginx-proxy container is listening on ports 80 and 443 at all interfaces.
# docker ps | grep nginx-proxy
1c563c33a45c jwilder/nginx-proxy:alpine "/app/docker-entry..." 8 hours ago Up 8 hours 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp nginxproxy_nginx-proxy_1
iptables
Container-related rules
Here are iptables rules related to the container:
# iptables-save | grep -e br-192821446c9a -e 172.18.0 -e '\*'
*mangle
*security
*raw
*filter
-A FORWARD -o br-192821446c9a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-192821446c9a -j DOCKER
-A FORWARD -i br-192821446c9a ! -o br-192821446c9a -j ACCEPT
-A FORWARD -i br-192821446c9a -o br-192821446c9a -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-192821446c9a -o br-192821446c9a -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-192821446c9a -o br-192821446c9a -p tcp -m tcp --dport 80 -j ACCEPT
*nat
-A POSTROUTING -s 172.18.0.0/16 ! -o br-192821446c9a -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i br-192821446c9a -j RETURN
-A DOCKER ! -i br-192821446c9a -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.2:443
-A DOCKER ! -i br-192821446c9a -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.2:80
Complete iptables rules list
And here is the complete output of iptables-save:
# iptables-save
# Generated by iptables-save v1.4.21 on Tue Nov 28 19:16:31 2017
*mangle
:PREROUTING ACCEPT [9063259:7480026035]
:INPUT ACCEPT [250719:30179859]
:FORWARD ACCEPT [8795875:7445096680]
:OUTPUT ACCEPT [1078071:1430559812]
:POSTROUTING ACCEPT [9842972:8867742437]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_internal - [0:0]
:PRE_internal_allow - [0:0]
:PRE_internal_deny - [0:0]
:PRE_internal_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i enp3s0 -g PRE_public
-A PREROUTING_ZONES -i virbr0 -g PRE_internal
-A PREROUTING_ZONES -g PRE_public
-A PRE_internal -j PRE_internal_log
-A PRE_internal -j PRE_internal_deny
-A PRE_internal -j PRE_internal_allow
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Tue Nov 28 19:16:31 2017
# Generated by iptables-save v1.4.21 on Tue Nov 28 19:16:31 2017
*security
:INPUT ACCEPT [207361:25027156]
:FORWARD ACCEPT [8764800:7437165960]
:OUTPUT ACCEPT [1078077:1430561824]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue Nov 28 19:16:31 2017
# Generated by iptables-save v1.4.21 on Tue Nov 28 19:16:31 2017
*raw
:PREROUTING ACCEPT [9063267:7480026451]
:OUTPUT ACCEPT [1078080:1430562828]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_internal - [0:0]
:PRE_internal_allow - [0:0]
:PRE_internal_deny - [0:0]
:PRE_internal_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i enp3s0 -g PRE_public
-A PREROUTING_ZONES -i virbr0 -g PRE_internal
-A PREROUTING_ZONES -g PRE_public
-A PRE_internal -j PRE_internal_log
-A PRE_internal -j PRE_internal_deny
-A PRE_internal -j PRE_internal_allow
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Tue Nov 28 19:16:31 2017
# Generated by iptables-save v1.4.21 on Tue Nov 28 19:16:31 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1078082:1430564354]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_internal - [0:0]
:FWDI_internal_allow - [0:0]
:FWDI_internal_deny - [0:0]
:FWDI_internal_log - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_internal - [0:0]
:FWDO_internal_allow - [0:0]
:FWDO_internal_deny - [0:0]
:FWDO_internal_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_internal - [0:0]
:IN_internal_allow - [0:0]
:IN_internal_deny - [0:0]
:IN_internal_log - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o br-828c38e3582b -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-828c38e3582b -j DOCKER
-A FORWARD -i br-828c38e3582b ! -o br-828c38e3582b -j ACCEPT
-A FORWARD -i br-828c38e3582b -o br-828c38e3582b -j ACCEPT
-A FORWARD -o br-7cbbdaf3d8fe -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7cbbdaf3d8fe -j DOCKER
-A FORWARD -i br-7cbbdaf3d8fe ! -o br-7cbbdaf3d8fe -j ACCEPT
-A FORWARD -i br-7cbbdaf3d8fe -o br-7cbbdaf3d8fe -j ACCEPT
-A FORWARD -o br-92f8d769de0b -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-92f8d769de0b -j DOCKER
-A FORWARD -i br-92f8d769de0b ! -o br-92f8d769de0b -j ACCEPT
-A FORWARD -i br-92f8d769de0b -o br-92f8d769de0b -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-6a38b645b1c7 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-6a38b645b1c7 -j DOCKER
-A FORWARD -i br-6a38b645b1c7 ! -o br-6a38b645b1c7 -j ACCEPT
-A FORWARD -i br-6a38b645b1c7 -o br-6a38b645b1c7 -j ACCEPT
-A FORWARD -o br-2d90be830c58 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-2d90be830c58 -j DOCKER
-A FORWARD -i br-2d90be830c58 ! -o br-2d90be830c58 -j ACCEPT
-A FORWARD -i br-2d90be830c58 -o br-2d90be830c58 -j ACCEPT
-A FORWARD -o br-192821446c9a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-192821446c9a -j DOCKER
-A FORWARD -i br-192821446c9a ! -o br-192821446c9a -j ACCEPT
-A FORWARD -i br-192821446c9a -o br-192821446c9a -j ACCEPT
-A FORWARD -o br-b61364bf1724 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b61364bf1724 -j DOCKER
-A FORWARD -i br-b61364bf1724 ! -o br-b61364bf1724 -j ACCEPT
-A FORWARD -i br-b61364bf1724 -o br-b61364bf1724 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A DOCKER -d 172.18.0.2/32 ! -i br-192821446c9a -o br-192821446c9a -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-192821446c9a -o br-192821446c9a -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.20.0.2/32 ! -i br-2d90be830c58 -o br-2d90be830c58 -p tcp -m tcp --dport 1194 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A FORWARD_IN_ZONES -i enp3s0 -g FWDI_public
-A FORWARD_IN_ZONES -i virbr0 -g FWDI_internal
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o enp3s0 -g FWDO_public
-A FORWARD_OUT_ZONES -o virbr0 -g FWDO_internal
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_internal -j FWDI_internal_log
-A FWDI_internal -j FWDI_internal_deny
-A FWDI_internal -j FWDI_internal_allow
-A FWDI_internal -p icmp -j ACCEPT
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_internal -j FWDO_internal_log
-A FWDO_internal -j FWDO_internal_deny
-A FWDO_internal -j FWDO_internal_allow
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A FWDO_public_allow -m conntrack --ctstate NEW -j ACCEPT
-A INPUT_ZONES -i enp3s0 -g IN_public
-A INPUT_ZONES -i virbr0 -g IN_internal
-A INPUT_ZONES -g IN_public
-A IN_internal -j IN_internal_log
-A IN_internal -j IN_internal_deny
-A IN_internal -j IN_internal_allow
-A IN_internal -p icmp -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 20048 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 139 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 445 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 58846 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 8112 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 1194 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 1195 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Tue Nov 28 19:16:31 2017
# Generated by iptables-save v1.4.21 on Tue Nov 28 19:16:31 2017
*nat
:PREROUTING ACCEPT [118631:13941821]
:INPUT ACCEPT [6147:464301]
:OUTPUT ACCEPT [18836:1989867]
:POSTROUTING ACCEPT [2593:197858]
:DOCKER - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_internal - [0:0]
:POST_internal_allow - [0:0]
:POST_internal_deny - [0:0]
:POST_internal_log - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_internal - [0:0]
:PRE_internal_allow - [0:0]
:PRE_internal_deny - [0:0]
:PRE_internal_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j OUTPUT_direct
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.101.0.0/24 ! -o br-828c38e3582b -j MASQUERADE
-A POSTROUTING -s 172.102.0.0/24 ! -o br-7cbbdaf3d8fe -j MASQUERADE
-A POSTROUTING -s 172.101.0.0/24 ! -o br-92f8d769de0b -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.102.0.0/24 ! -o br-6a38b645b1c7 -j MASQUERADE
-A POSTROUTING -s 172.20.0.0/16 ! -o br-2d90be830c58 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-192821446c9a -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-b61364bf1724 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.20.0.2/32 -d 172.20.0.2/32 -p tcp -m tcp --dport 1194 -j MASQUERADE
-A DOCKER -i br-828c38e3582b -j RETURN
-A DOCKER -i br-7cbbdaf3d8fe -j RETURN
-A DOCKER -i br-92f8d769de0b -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-6a38b645b1c7 -j RETURN
-A DOCKER -i br-2d90be830c58 -j RETURN
-A DOCKER -i br-192821446c9a -j RETURN
-A DOCKER -i br-b61364bf1724 -j RETURN
-A DOCKER ! -i br-192821446c9a -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.2:443
-A DOCKER ! -i br-192821446c9a -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.2:80
-A DOCKER ! -i br-2d90be830c58 -p tcp -m tcp --dport 1195 -j DNAT --to-destination 172.20.0.2:1194
-A POSTROUTING_ZONES -o enp3s0 -g POST_public
-A POSTROUTING_ZONES -o virbr0 -g POST_internal
-A POSTROUTING_ZONES -g POST_public
-A POST_internal -j POST_internal_log
-A POST_internal -j POST_internal_deny
-A POST_internal -j POST_internal_allow
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A POST_public_allow ! -o lo -j MASQUERADE
-A PREROUTING_ZONES -i enp3s0 -g PRE_public
-A PREROUTING_ZONES -i virbr0 -g PRE_internal
-A PREROUTING_ZONES -g PRE_public
-A PRE_internal -j PRE_internal_log
-A PRE_internal -j PRE_internal_deny
-A PRE_internal -j PRE_internal_allow
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Tue Nov 28 19:16:31 2017

Finally, answering my own question.
After some research I have found that it was IP masquerading that caused Docker to recognize client addresses incorrectly.
The cause
In my case, firewalld is configured to share internet connection with other machines in local network. This is accomplished by setting zone to public for the external interface (enp3s0) and to internal for the local interfaces (enp1s0, enp2s0), and by enabling IP masquerading for outgoing packages.
And that's it. Masquerading is also applied to packages coming from public network to docker networks, as if the package was going to (another) external interface.
Solution
As far as I understand all that iptables and Docker stuff, there is one acceptable workaround: add all virtual network interfaces created by Docker to the internal zone, so masquerading rule is not applied to packages going to the corresponding networks. For example:
# firewall-cmd --permanent --zone=internal --change-interface=br-192821446c9a
To make the solution persistent, it is required to create the corresponding script in the /etc/sysconfig/network-scripts directory. For example, for the br-192821446c9a interface, a file /etc/sysconfig/network-scripts/ifcfg-br-192821446c9a should be created, with the following content:
DEVICE=br-192821446c9a
TYPE=Bridge
BOOTPROTO=none
IPADDR=172.18.0.1
PREFIX=16
DEFROUTE=yes
IPV4_DNS_PRIORITY=100
NAME=br-192821446c9a
ONBOOT=no
ZONE=internal
Hope this answer will save somebody's time.

I ran into the same issue and also tried the answer by #ololoepepe within this thread. It did not solve the issue on my Synology NAS.
The only solution which worked for me can be found on this blog post:
iptables -t nat -N DOCKER
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER
Also related to:
https://stackoverflow.com/a/62100821/869402