docker, iptables, docker-swarm, real-ip

Can I obtain the real user IP with "iptables": false enabled?


I use the "iptables": false option in the Docker daemon config:

/etc/docker/daemon.json:
{
  "iptables": false
}

I run the service with the options --publish mode=host, --mode=global, similar to this approach.

But when I read the X-Real-IP header in my application, its value is 172.18.0.1 and not the real user IP.

When I start the Docker daemon without "iptables": false in /etc/docker/daemon.json, everything works fine and I get the real user IP.

But I need to set "iptables": false to preserve iptables changes with Docker.

Is it possible to get the real user IP with "iptables": false in the Docker daemon configuration?


Solution

  • See the rules that Docker creates without "iptables": true and replicate them with "iptables": false (which is the default).

    These rules in particular are needed to masquerade the IP:

    iptables -t nat -A POSTROUTING -m addrtype --src-type LOCAL -o docker0 -j MASQUERADE

    iptables -t nat -A POSTROUTING -s 172.18.0.0/16 ! -o docker0 -j MASQUERADE
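
The comparison the answer describes, as an added example that is not part of the original post: it diffs two `iptables-save` dumps, one taken while Docker manages iptables and one taken with "iptables": false, and prints the rules still to be replicated. The function names, file names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Normalise an iptables-save dump to one "-t TABLE -A ..." line per rule, sorted.
# Chain declarations, counters, comments and COMMIT lines are dropped.
normalize_dump() {
    awk '/^\*/  { table = substr($0, 2); next }
         /^-A / { print "-t " table " " $0 }' "$1" | LC_ALL=C sort -u
}

# Print rules present in dump $1 (Docker managing iptables) but absent from
# dump $2 (the manually maintained rule set).
rules_to_replicate() {
    a=$(mktemp); b=$(mktemp)
    normalize_dump "$1" > "$a"
    normalize_dump "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample dumps (hypothetical, not captured from a real host).
sample_dir=$(mktemp -d)
cat > "$sample_dir/with_docker.rules" <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -o docker0 -j ACCEPT
COMMIT
EOF
cat > "$sample_dir/manual.rules" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -o docker0 -j ACCEPT
COMMIT
EOF

# Each printed line can be prefixed with "iptables" to recreate the rule.
rules_to_replicate "$sample_dir/with_docker.rules" "$sample_dir/manual.rules"
```

On a real host the two inputs would be the output of `iptables-save` captured once with Docker managing iptables and once with "iptables": false.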