iptables inside a docker container

I have developed a VPN based on my own protocol (just for pleasure :) )

The VPN server runs inside Docker containers. I just have to run the container with --privileged and create a tun interface inside the container as follows, together with an iptables rule:

ip tuntap add dev tun10 mode tun
ip addr add 192.168.152.1/24 dev tun10
ip link set dev tun10 up
iptables -t nat -A POSTROUTING -s 192.168.152.0/24 -o ${OUTPUT_INTERFACE} -j MASQUERADE

My local machine is an Ubuntu 20.04 LTS with Docker 20.10.7.
The server is an Ubuntu 18.04 with Docker 20.10.8.

I have done some tests and it works fine on my local machine, but when I run it on my server it doesn't work.

On my local machine, when I ping another one of my servers with tcpdump running inside the container, I can clearly see the packets go out and come back. The container is based on maven:3-jdk-8, which in turn is based on openjdk:8-jdk.

(IP addresses masked for privacy)

Local

#tcpdump -vvnn -i any icmp
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
09:44:02.188752 tun10 In  IP (tos 0x0, ttl 64, id 35464, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.152.12 > X.XX.XX.XX: ICMP echo request, id 11736, seq 0, length 64
09:44:02.188788 eth0  Out IP (tos 0x0, ttl 63, id 35464, offset 0, flags [DF], proto ICMP (1), length 84)
    172.17.0.2 > XX.XX.XX.XX: ICMP echo request, id 11736, seq 0, length 64
09:44:02.214357 eth0  In  IP (tos 0x0, ttl 50, id 18279, offset 0, flags [none], proto ICMP (1), length 84)
    XX.XX.XX.XX > 172.17.0.2: ICMP echo reply, id 11736, seq 0, length 64
09:44:02.214377 tun10 Out IP (tos 0x0, ttl 49, id 18279, offset 0, flags [none], proto ICMP (1), length 84)
    XX.XX.XX.XX > 192.168.152.12: ICMP echo reply, id 11736, seq 0, length 64

Everything is all right; I can see the packets:

  1. come in from the tun10 interface
  2. get masqueraded to eth0 and leave the machine
  3. the ping replies come back on eth0
  4. get de-masqueraded and are sent to the tun10 interface

But on the server the 4th step (de-masquerade) is missing:

#tcpdump -vvnn -i any icmp
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
12:09:46.178977 tun10 In  IP (tos 0x0, ttl 64, id 61227, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.152.12 > XX.XX.XX.XX: ICMP echo request, id 46572, seq 0, length 64
12:09:46.179023 eth0  Out IP (tos 0x0, ttl 63, id 61227, offset 0, flags [DF], proto ICMP (1), length 84)
    172.17.0.4 > XX.XX.XX.XX: ICMP echo request, id 46572, seq 0, length 64
12:09:46.192666 eth0  In  IP (tos 0x0, ttl 51, id 12930, offset 0, flags [none], proto ICMP (1), length 84)
    XX.XX.XX.XX > 172.17.0.4: ICMP echo reply, id 46572, seq 0, length 64

The iptables rules are almost empty except for the rule I have added:

#iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 


# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  192.168.152.0/24     anywhere 

Could anyone have an idea of what is going on? Right now it's driving me crazy. Any help is appreciated.
