Docker's NAT table output chain rule

otm · Nov 17, 2014 · Viewed 7.7k times

I am trying to understand one of the rules in iptables:

$ sudo iptables -t nat  --list -v
...

Chain OUTPUT (policy ACCEPT 618 packets, 31267 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

...

So this rule is trying to match destination address type "LOCAL" and not in the range of 127.0.0.0/8?

What address would it match then? What's the purpose of this rule?

Thanks!

Answer

Yoel · Nov 17, 2014

This rule would match all packets originating at the local machine (since it's in the OUTPUT chain), destined to a locally hosted IP address which doesn't begin with 127.X.X.X. Such packets are handed over to the DOCKER chain for further processing.

A locally hosted IP address which doesn't begin with 127.X.X.X matches each of the IP addresses defined to the machine's interfaces. This includes dynamically defined IP addresses as well, such as those allocated via DHCP.

The machine's locally hosted IP addresses can be extracted by executing the command ip route show table local type local.


In order to inspect which IP addresses are actually matched by this rule, a logging rule may be added to the beginning of the DOCKER chain as follows:

sudo iptables -t nat -I DOCKER -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'DOCKER CHAIN '

Matched packets will be logged in the file /var/log/syslog.
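The matching logic the answer describes, as an added example that is not part of the original answer or of Docker's own code: a small Python script that reads the output of `ip route show table local type local` (the command Yoel mentions), treats every `local` entry as a "dst-type LOCAL" destination, and predicts for a given destination address whether the OUTPUT rule hands the packet to the DOCKER chain (destination is LOCAL and not inside 127.0.0.0/8). It also checks an `iptables-save -t nat` dump for the presence of that rule. The `ip route` and `iptables-save` text embedded below is constructed sample output, not captured from a real host, and the function names are assumptions of this example.

```python
"""Model of Docker's nat OUTPUT rule:

    -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER

The `ip route` and `iptables-save` text below is constructed sample
output, not captured from a real host.
"""
import ipaddress
import re

# Constructed sample of `ip route show table local type local` on a host
# with one Ethernet interface (192.168.1.20) and a docker0 bridge (172.17.0.1).
SAMPLE_LOCAL_ROUTES = """\
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 192.168.1.20 dev eth0 proto kernel scope host src 192.168.1.20
local 172.17.0.1 dev docker0 proto kernel scope host src 172.17.0.1
"""

# Constructed sample of `iptables-save -t nat`, containing the rule the
# question shows in `iptables -t nat --list -v` form.
SAMPLE_NAT_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [618:31267]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Exact form of the rule as iptables-save prints it.
DOCKER_OUTPUT_RULE = re.compile(
    r"^-A OUTPUT ! -d 127\.0\.0\.0/8 -m addrtype --dst-type LOCAL -j DOCKER$"
)


def local_networks(ip_route_output):
    """Parse `ip route show table local type local` output into the set of
    prefixes the kernel treats as locally hosted (ADDRTYPE dst-type LOCAL).
    Single addresses become /32 networks; 127.0.0.0/8 stays a prefix."""
    nets = []
    for line in ip_route_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "local":
            nets.append(ipaddress.ip_network(parts[1], strict=False))
    return nets


def is_dst_type_local(dst, nets):
    """True if `dst` is one of the host's own addresses."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in nets)


def handed_to_docker_chain(dst, nets):
    """Predict whether a locally generated packet to `dst` is jumped to the
    DOCKER chain: the destination must be LOCAL and outside 127.0.0.0/8."""
    addr = ipaddress.ip_address(dst)
    return is_dst_type_local(dst, nets) and addr not in LOOPBACK


def classify(ip_route_output, destinations):
    """Map each destination to True/False for 'reaches the DOCKER chain'."""
    nets = local_networks(ip_route_output)
    return {dst: handed_to_docker_chain(dst, nets) for dst in destinations}


def output_rule_present(nat_save_output):
    """True if the nat OUTPUT chain in an iptables-save dump has the rule."""
    return any(DOCKER_OUTPUT_RULE.match(line.strip())
               for line in nat_save_output.splitlines())


if __name__ == "__main__":
    sample_destinations = ["192.168.1.20", "172.17.0.1", "127.0.0.1",
                           "8.8.8.8", "172.17.0.2"]
    for dst, hit in classify(SAMPLE_LOCAL_ROUTES, sample_destinations).items():
        print(f"{dst:>14}  -> DOCKER chain: {hit}")
    print("OUTPUT rule present:", output_rule_present(SAMPLE_NAT_SAVE))
```

On a real host the two constructed strings would be replaced by the output of `ip route show table local type local` and `iptables-save -t nat`; the classification then answers the question directly: the host's own interface addresses (including the docker0 bridge address) are matched, loopback addresses and remote or container addresses are not.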