Hey everyone,
I've hit a wall with a really bizarre Docker networking problem and I'm hoping some of you might have seen something like it before. I've spent ages on this and managed to trace it to a super specific point, but now I'm out of ideas.
Basically, packets from my Docker containers get accepted by the firewall's FORWARD chain, but then they just vanish into the void. They never make it to the POSTROUTING chain for NAT and they never leave the physical NIC (I've confirmed this with tcpdump).
# uname -a && docker --version && iptables --version
Linux arg-arch-dev 6.15.6-arch1-1 #1 SMP PREEMPT_DYNAMIC Thu, 10 Jul 2025 17:10:18 +0000 x86_64 GNU/Linux
Docker version 28.3.2, build 578ccf607d
iptables v1.8.11 (legacy)
My system is fully up-to-date and I'm using NetworkManager.
Simple ping from any container to the outside world fails.
[root@arg-arch-dev ~]# docker run --rm busybox ping -c 4 8.8.8.8
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
Here's the mountain of stuff I've already done to rule out the usual suspects:
Container networking itself is fine. It can ping the `docker0` gateway (`172.17.0.1`) without any issues.
Host IP forwarding is enabled (`net.ipv4.ip_forward = 1`).
NetworkManager is configured to completely ignore the `docker0` interface.
The issue happens with both `iptables-nft` and `iptables-legacy` (currently on legacy).
The issue happens on my custom Liquorix kernel AND the standard Arch `linux` kernel. It's not the kernel version.
I ran `tcpdump` on my physical NIC while running a `TRACE` on iptables.
1. `tcpdump` shows zero packets leaving the machine. It's definitely not my router.
# sudo tcpdump -vvi enp5s0 -n 'icmp and host 8.8.8.8'
tcpdump: listening on enp5s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
2. `iptables TRACE` shows the packet passing all the way through the `filter:FORWARD` chain and getting an `ACCEPT` verdict. It then disappears before ever hitting `nat:POSTROUTING`.
[Jul15 19:41] docker0: port 1(vethe8f3915) entered blocking state
[ +0.000012] docker0: port 1(vethe8f3915) entered disabled state
[ +0.000007] vethe8f3915: entered allmulticast mode
[ +0.000039] vethe8f3915: entered promiscuous mode
[ +0.011399] eth0: renamed from vethe1db9c0
[ +0.000771] docker0: port 1(vethe8f3915) entered blocking state
[ +0.000004] docker0: port 1(vethe8f3915) entered forwarding state
[ +0.034915] TRACE: raw:PREROUTING:policy:3 IN=docker0 OUT= MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000031] TRACE: nat:PREROUTING:policy:2 IN=docker0 OUT= MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000018] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000010] TRACE: filter:DOCKER-USER:return:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000008] TRACE: filter:FORWARD:rule:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000008] TRACE: filter:DOCKER-FORWARD:rule:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000009] TRACE: filter:DOCKER-CT:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000008] TRACE: filter:DOCKER-FORWARD:rule:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000008] TRACE: filter:DOCKER-ISOLATION-STAGE-1:rule:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000009] TRACE: filter:DOCKER-ISOLATION-STAGE-2:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000008] TRACE: filter:DOCKER-ISOLATION-STAGE-1:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000008] TRACE: filter:DOCKER-FORWARD:rule:3 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000007] TRACE: filter:DOCKER-BRIDGE:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000008] TRACE: filter:DOCKER-FORWARD:rule:4 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +1.000064] TRACE: raw:PREROUTING:policy:3 IN=docker0 OUT= MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000029] TRACE: nat:PREROUTING:policy:2 IN=docker0 OUT= MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000016] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000009] TRACE: filter:DOCKER-USER:return:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000008] TRACE: filter:FORWARD:rule:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000008] TRACE: filter:DOCKER-FORWARD:rule:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000007] TRACE: filter:DOCKER-CT:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000008] TRACE: filter:DOCKER-FORWARD:rule:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000008] TRACE: filter:DOCKER-ISOLATION-STAGE-1:rule:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000008] TRACE: filter:DOCKER-ISOLATION-STAGE-2:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000008] TRACE: filter:DOCKER-ISOLATION-STAGE-1:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000007] TRACE: filter:DOCKER-FORWARD:rule:3 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000008] TRACE: filter:DOCKER-BRIDGE:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000007] TRACE: filter:DOCKER-FORWARD:rule:4 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +1.000061] TRACE: raw:PREROUTING:policy:3 IN=docker0 OUT= MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=41520 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
[ +0.000029] TRACE: nat:PREROUTING:policy:2 IN=docker0 OUT= MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=41520 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
[ +0.000017] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41520 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
[ +0.000010] TRACE: filter:DOCKER-USER:return:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41520 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
[ +0.000007] TRACE: filter:FORWARD:rule:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41520 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
[ +0.000008] TRACE: filter:DOCKER-FORWARD:rule:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41520 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
[ +0.000008] TRACE: filter:DOCKER-CT:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41520 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
[ +0.000008] TRACE: filter:DOCKER-FORWARD:rule:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41520 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
[ +0.000008] TRACE: filter:DOCKER-ISOLATION-STAGE-1:rule:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41520 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
[ +0.000008] TRACE: filter:DOCKER-ISOLATION-STAGE-2:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41520 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
[ +0.000008] TRACE: filter:DOCKER-ISOLATION-STAGE-1:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41520 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
[ +0.000007] TRACE: filter:DOCKER-FORWARD:rule:3 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41520 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
[ +0.000007] TRACE: filter:DOCKER-BRIDGE:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41520 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
[ +0.000007] TRACE: filter:DOCKER-FORWARD:rule:4 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41520 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
[ +1.000145] TRACE: raw:PREROUTING:policy:3 IN=docker0 OUT= MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=41868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
[ +0.000032] TRACE: nat:PREROUTING:policy:2 IN=docker0 OUT= MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=41868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
[ +0.000019] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
[ +0.000009] TRACE: filter:DOCKER-USER:return:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
[ +0.000008] TRACE: filter:FORWARD:rule:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
[ +0.000008] TRACE: filter:DOCKER-FORWARD:rule:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
[ +0.000007] TRACE: filter:DOCKER-CT:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
[ +0.000008] TRACE: filter:DOCKER-FORWARD:rule:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
[ +0.000008] TRACE: filter:DOCKER-ISOLATION-STAGE-1:rule:1 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
[ +0.000008] TRACE: filter:DOCKER-ISOLATION-STAGE-2:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
[ +0.000008] TRACE: filter:DOCKER-ISOLATION-STAGE-1:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
[ +0.000008] TRACE: filter:DOCKER-FORWARD:rule:3 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
[ +0.000037] TRACE: filter:DOCKER-BRIDGE:return:2 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
[ +0.000014] TRACE: filter:DOCKER-FORWARD:rule:4 IN=docker0 OUT=enp5s0 MAC=36:a2:eb:6e:56:db:82:71:de:c6:5b:e0:08:00 SRC=172.17.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
[ +10.067290] docker0: port 1(vethe8f3915) entered disabled state
[ +0.000219] vethe1db9c0: renamed from eth0
[ +0.037671] docker0: port 1(vethe8f3915) entered disabled state
[ +0.000792] vethe8f3915 (unregistering): left allmulticast mode
[ +0.000014] vethe8f3915 (unregistering): left promiscuous mode
[ +0.000008] docker0: port 1(vethe8f3915) entered disabled state
--- END OF TRACE ---
# sudo iptables-save
# Generated by iptables-save v1.8.11 on Tue Jul 15 19:42:32 2025
*raw
:PREROUTING ACCEPT [27310:28262925]
:OUTPUT ACCEPT [21690:8817252]
-A PREROUTING -s 172.17.0.0/16 -d 8.8.8.8/32 -j TRACE
COMMIT
# Completed on Tue Jul 15 19:42:32 2025
# Generated by iptables-save v1.8.11 on Tue Jul 15 19:42:32 2025
*nat
:PREROUTING ACCEPT [294:114592]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1709:433762]
:POSTROUTING ACCEPT [1715:434268]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Tue Jul 15 19:42:32 2025
# Generated by iptables-save v1.8.11 on Tue Jul 15 19:42:32 2025
*filter
:INPUT ACCEPT [27349:28275318]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [21739:8835427]
:DOCKER - [0:0]
:DOCKER-BRIDGE - [0:0]
:DOCKER-CT - [0:0]
:DOCKER-FORWARD - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
-A DOCKER ! -i docker0 -o docker0 -j DROP
-A DOCKER-BRIDGE -o docker0 -j DOCKER
-A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-FORWARD -j DOCKER-CT
-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-FORWARD -j DOCKER-BRIDGE
-A DOCKER-FORWARD -i docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
COMMIT
# Completed on Tue Jul 15 19:42:32 2025
So my question is: what else is there?
Given that a packet is being dropped *after* `filter:FORWARD` ACCEPT but *before* `nat:POSTROUTING` and never hits the wire, what kind of kernel-space issue or obscure software could even cause that? I feel like I've ruled everything out.
Any help or crazy ideas would be hugely appreciated. Thanks!
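Added example (not from the original post): the trace above has to be read by eye across dozens of near-identical lines. The script below does the same summary mechanically, one line per IP ID, and resolves each `table:chain:rule:N` hop to the matching `-A` line of an iptables-save dump, so the last hop of the dropped packets reads as `-A DOCKER-FORWARD -i docker0 -j ACCEPT` instead of `rule:4`. Two caveats worth knowing when reading such a trace: iptables-legacy's TRACE target only logs the xtables tables whose kernel modules are loaded (the dump above lists raw, nat and filter; `iptables -t mangle -S` loads and lists mangle), and nf_tables chains report traversal over netlink to `nft monitor trace`, not to the kernel log, so anything registered there (firewalld, or any other software that programs nf_tables directly) is invisible in this dmesg output. The sample trace and ruleset are constructed in the post's format; the second packet, which reaches nat:POSTROUTING, is made up for contrast.

```shell
#!/bin/sh
# Added example, not from the original post: summarise an iptables-legacy
# TRACE capture per packet and resolve each "table:chain:rule:N" hop against
# an iptables-save dump, so the last rule a packet matched is spelled out
# instead of being a bare rule number.

# Constructed sample in the post's TRACE format, trimmed to the fields read
# here (the real lines also carry MAC=, LEN=, TOS=, ...). Packet 40945 stops
# after the FORWARD accept, like the post; packet 40999 is a made-up healthy
# one that goes on to nat:POSTROUTING, to show the difference in the output.
SAMPLE_TRACE='[ +0.034915] TRACE: raw:PREROUTING:policy:3 IN=docker0 OUT= SRC=172.17.0.2 DST=8.8.8.8 TTL=64 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000031] TRACE: nat:PREROUTING:policy:2 IN=docker0 OUT= SRC=172.17.0.2 DST=8.8.8.8 TTL=64 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000018] TRACE: filter:FORWARD:rule:2 IN=docker0 OUT=enp5s0 SRC=172.17.0.2 DST=8.8.8.8 TTL=63 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +0.000008] TRACE: filter:DOCKER-FORWARD:rule:4 IN=docker0 OUT=enp5s0 SRC=172.17.0.2 DST=8.8.8.8 TTL=63 ID=40945 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=0
[ +1.000064] TRACE: raw:PREROUTING:policy:3 IN=docker0 OUT= SRC=172.17.0.2 DST=8.8.8.8 TTL=64 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000029] TRACE: nat:PREROUTING:policy:2 IN=docker0 OUT= SRC=172.17.0.2 DST=8.8.8.8 TTL=64 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000016] TRACE: filter:FORWARD:rule:2 IN=docker0 OUT=enp5s0 SRC=172.17.0.2 DST=8.8.8.8 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000008] TRACE: filter:DOCKER-FORWARD:rule:4 IN=docker0 OUT=enp5s0 SRC=172.17.0.2 DST=8.8.8.8 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ +0.000009] TRACE: nat:POSTROUTING:rule:1 IN= OUT=enp5s0 SRC=172.17.0.2 DST=8.8.8.8 TTL=63 ID=40999 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# Excerpt of the post's iptables-save output, kept to the chains the sample
# trace visits; the per-chain rule numbering is what TRACE reports as rule:N.
SAMPLE_RULES='*filter
:FORWARD DROP [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
-A DOCKER-FORWARD -j DOCKER-CT
-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-FORWARD -j DOCKER-BRIDGE
-A DOCKER-FORWARD -i docker0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT'

# trace_summary RULES_FILE < trace-lines
# One line per IP ID: the last table:chain seen, the rule text behind it
# (policy/return hops carry no rule text), and whether nat:POSTROUTING was
# ever reached. The first ID= on a TRACE line is the IP ID; the second one
# is the ICMP echo ID and is ignored.
trace_summary() {
  awk -v rules="$1" '
    BEGIN {
      while ((getline line < rules) > 0) {
        split(line, f)
        if (f[1] ~ /^\*/) tbl = substr(f[1], 2)            # "*filter" -> filter
        else if (f[1] == "-A") rule[tbl, f[2], ++cnt[tbl, f[2]]] = line
      }
    }
    /(^| )TRACE: / {
      hop = ""; id = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "TRACE:") hop = $(i + 1)
        else if (id == "" && $i ~ /^ID=/) id = substr($i, 4)
      }
      if (hop == "" || id == "") next
      if (!(id in last)) order[++npkts] = id
      last[id] = hop
      if (hop ~ /^nat:POSTROUTING:/) snat[id] = 1
    }
    END {
      for (k = 1; k <= npkts; k++) {
        id = order[k]; split(last[id], h, ":")
        if (h[3] != "rule") what = h[3]
        else if ((h[1], h[2], h[4]) in rule) what = rule[h[1], h[2], h[4]]
        else what = "rule " h[4] " not in dump"
        printf "id=%s last=%s:%s (%s) reached_srcnat=%s\n", id, h[1], h[2], what, ((id in snat) ? "yes" : "no")
      }
    }'
}

# Run the summary over the constructed sample; the rules go through a temp
# file because awk reads them by filename.
run_sample() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_RULES" > "$tmp"
  printf '%s\n' "$SAMPLE_TRACE" | trace_summary "$tmp"
  rm -f "$tmp"
}

run_sample
```

On a live box, replace the two samples with `iptables-legacy-save > rules.txt` and `journalctl -k | grep 'TRACE:'`, and feed them the same way. A packet whose last hop is a filter ACCEPT with `reached_srcnat=no` is exactly the symptom in the post; the remaining hook points between those two are what to look at next.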
Between the routing decision and the outgoing NAT table sits the MANGLE table.
Are there by any chance rules in there, or is a piece of software active that manipulates/operates on this table?
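Added example, not from the reply or the original post, generalising the reply's point: between the forward hook (where filter FORWARD runs at priority 0) and source NAT (nat POSTROUTING at priority 100) a forwarded packet still passes every forward-hook chain with priority at or above 0 and every postrouting-hook chain below 100, and mangle's POSTROUTING (priority -150) is one of them. The script orders the base chains of an `nft list ruleset` dump by hook and numeric priority and lists the ones in that window. It runs on a constructed ruleset: the `inet example_fw` table is a hypothetical stand-in for software that programs nf_tables directly, and the `ip filter`/`ip nat` tables are what iptables-nft creates. iptables-legacy tables do not appear in `nft list ruleset` at all, but they register at the same priorities (raw -300, mangle -150, dstnat -100, filter 0, security 50, srcnat 100), so read this next to `iptables-legacy-save` output.

```shell
#!/bin/sh
# Added example, not from the thread: order every nf_tables base chain by
# hook and numeric priority, then pick out the ones a forwarded packet still
# meets after a priority-0 FORWARD accept and before source NAT.

# Constructed sample in `nft list ruleset` format. "example_fw" is a
# hypothetical table standing in for any software that programs nf_tables
# directly; it is not something the original poster reported.
SAMPLE_RULESET='table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter jump DOCKER-USER
    }
    chain DOCKER-USER {
        return
    }
}
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 172.17.0.0/16 oifname != "docker0" masquerade
    }
}
table inet example_fw {
    chain fwd {
        type filter hook forward priority filter + 10; policy drop;
    }
    chain post {
        type filter hook postrouting priority mangle; policy accept;
        oifname "enp5s0" drop
    }
}'

# Print "hook priority family table chain policy", one base chain per line,
# in traversal order (hook order, then ascending priority). Named priorities
# map to the same kernel values iptables-legacy registers at; an unknown
# name falls back to 0 and needs a manual look. Regular (non-base) chains
# have no "type ... hook ..." line and are skipped.
hook_order() {
  awk '
    BEGIN {
      prio["raw"] = -300; prio["mangle"] = -150; prio["dstnat"] = -100
      prio["filter"] = 0;  prio["security"] = 50; prio["srcnat"] = 100
      order["prerouting"] = 1; order["input"] = 2; order["forward"] = 3
      order["output"] = 4;     order["postrouting"] = 5
    }
    /^table /       { family = $2; tbl = $3 }
    /^[ \t]*chain / { chain = $2 }
    /^[ \t]*type .* hook .* priority / {
      hook = ""; pri = 0; pol = "-"
      for (i = 1; i <= NF; i++) {
        if ($i == "hook") hook = $(i + 1)
        if ($i == "policy") { pol = $(i + 1); sub(/;$/, "", pol) }
        if ($i == "priority") {
          p = $(i + 1); sub(/;$/, "", p)
          pri = (p in prio) ? prio[p] : p + 0
          if ($(i + 2) == "+" || $(i + 2) == "-") {   # e.g. "priority filter + 10;"
            off = $(i + 3); sub(/;$/, "", off)
            pri += ($(i + 2) == "+") ? off : -off
          }
        }
      }
      if (!(hook in order)) next   # ingress/egress hooks sit outside the IP path
      printf "%d %d %s %d %s %s %s %s\n", order[hook], pri, hook, pri, family, tbl, chain, pol
    }' | sort -k1,1n -k2,2n | cut -d" " -f3-
}

# Chains that can still drop a packet after an iptables-legacy FORWARD accept
# (filter hook, priority 0) and before MASQUERADE in nat POSTROUTING (srcnat,
# priority 100). Equal priority falls back to kernel registration order, so
# forward chains at exactly 0 are included rather than assumed to run first.
between_forward_and_srcnat() {
  hook_order | awk '($1 == "forward" && $2 >= 0) || ($1 == "postrouting" && $2 < 100)'
}

printf '%s\n' "$SAMPLE_RULESET" | hook_order
echo "--- can still drop after a FORWARD accept, before MASQUERADE ---"
printf '%s\n' "$SAMPLE_RULESET" | between_forward_and_srcnat
```

On a live system, `nft list ruleset | hook_order` gives the nf_tables side of the picture; the legacy side comes from `iptables-legacy-save` (and `iptables-legacy -t mangle -S`, which loads the mangle table if it is not yet listed). A chain in the window with a drop rule or a drop policy, in either backend, is a candidate for the "accepted but never NATed" behaviour described in the post.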