Forward one IP to a docker container


Solution 1

Firstly you wouldn't want to forward all ports at once, as then you wouldn't necessarily still have access to the host. This should definitely be a manual process.

I expect that you have a web service running in your Docker container, so if you wish to forward, for example, port 80 from your eth0.1 IP address to the Docker container's IP address, you could use the following iptables rules:

iptables -A PREROUTING -t nat -i eth0.1 -p tcp --dport 80 -j DNAT --to 172.17.0.11:80
iptables -A FORWARD -p tcp -d 172.17.0.11 --dport 80 -j ACCEPT

These rules can then be modified for any other ports/docker containers as required.
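
The same two rules generalised to an explicit port list, as an added example that is not part of the original answer. The helper name gen_forward_rules and the address 203.0.113.10 are assumptions made for illustration; the rules match on the destination address (-d) instead of -i, because iptables' -i takes real interface names and cannot match alias labels such as eth0:1. It only prints rules and refuses anything that is not a numeric port, so an "all ports" forward cannot be produced by accident.

```shell
#!/bin/sh
# Added example: print (never apply) DNAT + FORWARD rules for an explicit
# list of TCP ports. The addresses in the demo call are constructed samples.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_forward_rules PUBLIC_IP CONTAINER_IP PORT...  (hypothetical helper)
# Matches on the destination address (-d) rather than an input interface,
# so it also covers a public IP configured as an alias on the main NIC.
gen_forward_rules() {
    if [ "$#" -lt 3 ]; then
        echo "usage: gen_forward_rules PUBLIC_IP CONTAINER_IP PORT..." >&2
        return 2
    fi
    public_ip=$1; container_ip=$2; shift 2
    is_ipv4 "$public_ip" && is_ipv4 "$container_ip" || {
        echo "error: addresses must be IPv4 dotted quads" >&2; return 2; }
    # Validate every port first so a bad argument never yields a partial set.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "error: bad port '$port'" >&2; return 2 ;;
        esac
        [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "error: port out of range: $port" >&2; return 2; }
    done
    for port in "$@"; do
        echo "iptables -t nat -A PREROUTING -d $public_ip -p tcp --dport $port -j DNAT --to-destination $container_ip:$port"
        echo "iptables -A FORWARD -d $container_ip -p tcp --dport $port -j ACCEPT"
    done
}

# Review the printed rules, then run them as root if they are what you want.
gen_forward_rules 203.0.113.10 172.17.0.11 80 443
```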

Solution 2

OK so I'm gonna throw an alternative answer here as I now understand you are not referring to virtual interfaces but IP aliasing.

First, if you don't have to forward all ports but only one, simply use (you need to expose the port in your Dockerfile, obviously):

docker run -d -p 93.x.x.x:hostPort:containerPort registry/image

In the other case, if you don't use this IP alias for anything other than communicating to/from your container with the rest of your network, you can take a look at my modest project, docker-flatip, and directly assign this IP to a virtual ethernet link plugged from the container to a second bridge dedicated to flat containers.

I wrote it while facing a somewhat particular use case. Keep in mind that this is at the border of what Docker containers are, and it's much better to find a solution, if you can, that does not bind a particular IP address to a container, for orchestration and scalability purposes.

The main point of this is to be able to reach a container as if it were any other host on your network, with easier iptables rules setup. In my case it was necessary to deploy a bunch of load generation agents from a commercial solution with specific iptables rules, where each needed a public IP and could not be autodiscovered. It acts as a wrapper after running/before stopping your containers so iptables rules are added/removed with ease.

With this little tool you would end up starting your container like this (if you are really sure you want to forward all ports, not encouraged at all) :

cid=$(docker run -d registry/image)

Or

docker start $cid

Then :

docker-flatip add $cid 93.x.x.x/32 -i tcp:all,udp:all

And stopping it like this :

docker-flatip del $cid

docker stop $cid

Author by

Mascarpone

Web Scientist, Applied mathematician, usability engineer, project manager.

Updated on September 18, 2022

Comments

  • Mascarpone
    Mascarpone over 1 year

    As far as I understood, Docker runs containers with their own IPs, and fully open ports, on the bridge interface docker0.

    Let's say I launch a container, and it has its own IP: 172.17.0.11, and I have a virtual ethernet interface, eth0.1, with public IP 93.x.x.x

    How do I forward eth0.1 to the docker container, so that I can reach the container via eth0.1 IP?

    Can I forward all ports at once? (maybe with a script)

    How do I disable docker default behavior, so that each container only gets an IP on docker0 interface, and I manually setup forwarding?

    @Xavierlucas

    I linked it because I thought it was explained better over there. If you check the debian config, I add to the /etc/net/interfaces file this:

    post-up /sbin/ifconfig eth0:X IP.OF.FAIL.OVER netmask 255.255.255.255 broadcast IP.OF.FAIL.OVER
    post-down /sbin/ifconfig eth0:X down
    

    This way I have a virtual interface (eth0:0), which has a public IP forwarded by my provider. I think the routing is done by the provider, as there are no additional routes or configs on my server.

    Note:

    There is a followup question

    why port forwarding is not working in this setup?

    • Wesley
      Wesley over 9 years
      iptables
    • Xavier Lucas
      Xavier Lucas over 9 years
      What do you mean by virtual ethernet interface with public IP ? Can you clarify where is each part of the veth link in your setup ?
    • Mascarpone
      Mascarpone over 9 years
      first of all, merry christmas. Secondly, here's the config I was referring to help.ovh.com/IpAlias
    • Xavier Lucas
      Xavier Lucas over 9 years
      @Mascarpone I won't read all of this. Answer precisely.
    • Mascarpone
      Mascarpone over 9 years
      @XavierLucas I better replied as an edit of the answer
    • Xavier Lucas
      Xavier Lucas over 9 years
      @Mascarpone Ok so you are not referring to the right notion, you are actually not speaking about virtual interface but IP aliasing.
  • Mascarpone
    Mascarpone over 9 years
    It doesn't work, but maybe there's another problem? Check the follow up question for more details. serverfault.com/questions/654978/…
  • allo
    allo over 9 years
    you need to add to postrouting: iptables -t nat -A POSTROUTING -s 172.17.0.11 -j MASQUERADE, so the packets leaving do not have 172.17.0.11 as their source ip.
  • Mascarpone
    Mascarpone over 9 years
    I starred your project, I'm analyzing this solution. The fact that I'm using IPalias prevents me from using iptables?
  • Mascarpone
    Mascarpone over 9 years
    I run docker run -d -p 93.x.x.x:hostPort:containerPort registry/image, using the IP of eth0:1, but it doesn't work. Why?
  • Mascarpone
    Mascarpone over 9 years
    The problem was the first rule. Check my reply here: serverfault.com/questions/654978/… If you correct your reply I will mark it as valid.