Does docker network somehow block access to its host from certain IPs?

Question

My company has a CentOS 7 server with some running docker containers. Normally I can connect to it from my personal computer . But sometimes after I run a docker-compose up command on the server, I cannot connect to it anymore (I try to ping / connect via ssh and it just hangs forever). When that happens, I have to ssh to the server from another computer, run docker-compose down, and then everything goes back to normal.

I don't define any networks in the docker-compose.yml file, I always let docker deal with the network on its own.

My problem: Currently there are a few guys on my team that cannot connect to the server. I'm thinking that this might have something to do with docker, since it manipulates the iptables by default (I'm using iptables on the server instead of firewalld). One guy even used to be able to connect, but after he "resets wifi" (ncpa.cpl --> disable --> enable, his IP changes), he cannot connect anymore.

I just want to ask if this is a common problem, has anyone faced something similar, or any suggestions on how to solve this. I'm really stuck here.

I don't know if this helps but here's my iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DOCKER-INGRESS  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (9 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.17.0.5           tcp dpt:9494
ACCEPT     tcp  --  anywhere             172.25.0.2           tcp dpt:XmlIpcRegSvc
ACCEPT     tcp  --  anywhere             172.25.0.3           tcp dpt:eforward
ACCEPT     tcp  --  anywhere             172.17.0.12          tcp dpt:8484
ACCEPT     tcp  --  anywhere             172.17.0.16          tcp dpt:cslistener
ACCEPT     tcp  --  anywhere             172.17.0.8           tcp dpt:8282
ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:tproxy
ACCEPT     tcp  --  anywhere             172.17.0.10          tcp dpt:xmltec-xmlmail
ACCEPT     tcp  --  anywhere             172.17.0.6           tcp dpt:8282
ACCEPT     tcp  --  anywhere             172.29.0.2           tcp dpt:cslistener
ACCEPT     tcp  --  anywhere             172.31.0.2           tcp dpt:27017
ACCEPT     tcp  --  anywhere             172.31.0.3           tcp dpt:27017
ACCEPT     tcp  --  anywhere             192.168.48.3         tcp dpt:webcache
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:commplex-main
ACCEPT     tcp  --  anywhere             172.17.0.7           tcp dpt:domaintime
ACCEPT     tcp  --  anywhere             172.17.0.9           tcp dpt:intermapper
ACCEPT     tcp  --  anywhere             172.17.0.11          tcp dpt:8808
ACCEPT     tcp  --  anywhere             172.17.0.14          tcp dpt:8585
ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:sun-as-jpda
ACCEPT     tcp  --  anywhere             172.17.0.13          tcp dpt:pds

Chain DOCKER-INGRESS (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (9 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere  
Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

Here's my docker network ls

NETWORK ID          NAME                                DRIVER              SCOPE
ffdf3af963da        bridge                              bridge              local
592d75d9d5b9        coeeventifytestoldversion_default   bridge              local
c4a9765aa44f        docker_gwbridge                     bridge              local
06e4cb827a9c        FE_default                          bridge              local
5fa4ecb69ec6        servicecode_net                     bridge              local
63cbe32ab786        healthcheck_default                 bridge              local
9238d2095aec        host                                host                local
e67bc4a01511        kafka_default                       bridge              local
f2ae14c5c4f6        myApp_default                       bridge              local
724a03d36011        none                                null                local
7e62d26d7c7c        sourcecode_default                  bridge              local

score 0 · Accepted Answer · answered Sep 05 '19 at 19:24

This can happen if your docker daemon is using IP addresses which are also used in your company network. Let's say that one of your teammates has the IP address 192.168.160.2, and one of your docker containers also gets the same IP address 192.168.160.2. When the container tries to send a response to your teammate, it can't reach him, because the packets will be sent to the container itself instead.

You should make sure that your docker daemon uses a completely different subnet than your local network. You can use docker network inspect to see which IP addresses are being used by a particular docker network.

To change the IP addresses used by docker, see Configuring Docker to not use the 172.17.0.0 range

Your answer kinda makes sense, but I think there's something more that caused my problem. Because there are many guys in my team that cannot connect to the server, and according to your explanation, that means I have many containers with same IPs as their computers' (it may happen, but I truly think the possibility is very low) — Hien Le, Sep 11 '19 at 06:30

Does docker network somehow block access to its host from certain IPs?

1 Answers1