Can't access container IPs from outside the host machine #34164

Closed
shonguiz opened this issue Jul 18, 2017 · 5 comments
Comments

shonguiz commented Jul 18, 2017

Description
I am launching a new Docker container app; inside the container, ifconfig is giving this.

eth0      Link encap:Ethernet  HWaddr 02:42:0a:32:00:02  
          inet addr:10.50.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:387 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:73801 (73.8 KB)  TX bytes:1572 (1.5 KB)

eth0:1    Link encap:Ethernet  HWaddr 02:42:0a:32:00:02  
          inet addr:10.50.1.1  Bcast:10.50.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:2    Link encap:Ethernet  HWaddr 02:42:0a:32:00:02  
          inet addr:10.50.1.2  Bcast:10.50.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:3    Link encap:Ethernet  HWaddr 02:42:0a:32:00:02  
          inet addr:10.50.1.3  Bcast:10.50.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ifconfig on the host is giving this:

br-dfd292823ec9 Link encap:Ethernet  HWaddr 02:42:1b:2b:32:c3  
          inet addr:10.50.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:1bff:fe2b:32c3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:320 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1320 (1.3 KB)  TX bytes:65375 (65.3 KB)

docker0   Link encap:Ethernet  HWaddr 02:42:93:9a:5c:ea  
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:93ff:fe9a:5cea/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:2967 (2.9 KB)

eth0      Link encap:Ethernet  HWaddr ec:b1:d7:56:9d:88  
          inet addr:10.250.1.49  Bcast:10.250.255.255  Mask:255.255.0.0
          inet6 addr: fe80::f784:a7df:5e4e:ce2f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:270248 errors:0 dropped:0 overruns:0 frame:0
          TX packets:113084 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:208274777 (208.2 MB)  TX bytes:67211395 (67.2 MB)
          Interrupt:20 Memory:f7d00000-f7d20000 

eth1      Link encap:Ethernet  HWaddr 68:05:ca:3e:0c:f3  
          inet addr:192.168.108.222  Bcast:192.168.109.255  Mask:255.255.254.0
          inet6 addr: fe80::8f37:3338:32cf:ba39/64 Scope:Link
          inet6 addr: 2620:2c:40c0:c00:2d9e:8857:7d24:f4ee/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:94805 errors:0 dropped:1 overruns:0 frame:0
          TX packets:19184 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:36493713 (36.4 MB)  TX bytes:4842334 (4.8 MB)
          Interrupt:19 Memory:f7cc0000-f7ce0000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:11023 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11023 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:1730700 (1.7 MB)  TX bytes:1730700 (1.7 MB)

veth06b2b8e Link encap:Ethernet  HWaddr 8e:96:03:60:49:5c  
          inet6 addr: fe80::8c96:3ff:fe60:495c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:392 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1572 (1.5 KB)  TX bytes:74749 (74.7 KB)

Describe the results you received:
I am perfectly able to ping the Docker container addresses (10.50.0.2, 10.50.1.1..) from the host (10.250.1.49 IP). Now I am trying to ping those addresses from other machines on the same network (10.250.0.0) as the host. So on each of these machines I am adding a route to the 10.50.0.0/16 network via the gw 10.250.1.49. But I am not able to ping 10.50.0.2 and 10.50.1.1..etc. Why is that?

Here is the network of the container using the inspect command:

[
    {
        "Name": "net1050",
        "Id": "dfd292823ec934fbabc0cbe139833cbd8895679e1e83e785a49543eaf937a59d",
        "Created": "2017-07-18T14:57:12.782010751-04:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "10.50.0.0/16"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "c96e4266d048f15047a76ab700507255024261db95f98b4c5b24ac8ed8c07e6b": {
                "Name": "sim50",
                "EndpointID": "a0903fb741cae97ecade953e63733e0be22623e5f65f2aceb30f8e53c7e553a7",
                "MacAddress": "02:42:0a:32:00:02",
                "IPv4Address": "10.50.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]

I am trying to ping because I want to ssh to the IP address of the container using port 10050 and cannot do that.

This is the command I use to start the container:
docker run --privileged -h inttestssim -p $simsshserverport:$simsshserverport -p $simadminport:$simadminport --network=$simnetworkname --network-alias=$simnetworkname -e "setupInterfaceArgs=$setupInterfaceArgs" -e "simnetworkips=$simnetworkips" -e "simnetworkname=$simnetworkname" -e "simconfigdir=$simconfigdir" -e "simsshserverport=$simsshserverport" -e "simadminport=$simadminport" -e "simportbase=$simportbase" -v $simconfigdir:/home/visionems/DEV/simulator --name=$simcontainername $SIMULATOR_IMAGE_TAG

simsshserverport being 10050.

I am using Docker CE 17.06 and Ubuntu 16.04.

@shonguiz (Author)

So it turned out that I needed to do sudo iptables -P FORWARD ACCEPT to change the forward policy to accept, to make external machines that have a route to the host able to communicate with the containers. Was this policy changed by Docker?

@thaJeztah (Member)

Yes, the default forwarding policy changed to DROP in Docker 1.13; https://github.com/moby/moby/releases/tag/v1.13.0 (see #28257, and #14041) - the ACCEPT policy as a default is considered a security issue, more so, given that container ports should only be accessible when explicitly published (-p / --publish).

This is not a bug, so I'll close this issue, but feel free to continue the conversation

@shonguiz (Author)

As described in the description, I am doing docker run -p 10050:10050. I am using that port to connect to my container by ssh, but I don't want to connect on its eth0 address (10.50.0.2) but to the virtual addresses created on eth0 (10.50.1.1 to 10.50.20.250). So far I am only able to do that when the forward policy is set to accept on the host.

@thaJeztah (Member)

If you're connecting to the container directly, there's no need to use -p; that option is used for port mapping to the external IP address of the host

shonguiz (Author) commented Jul 19, 2017

I am not connecting to it directly; I want to connect on the virtual IP from an outside host on the same network. I want to do ssh user@virtualipOfTheContainer -p 10050 from an outside host.
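The thread's fix, `iptables -P FORWARD ACCEPT`, reopens forwarding for every interface on the host, which is the behaviour Docker 1.13 deliberately removed. The script below is an added example, not code from the issue or from Docker: it flags a host whose FORWARD policy has been reset to ACCEPT, and emits a rule confined to the one routed path the reporter needs (LAN hosts on 10.250.0.0/16 via eth0, to the net1050 bridge br-dfd292823ec9 on 10.50.0.0/16) in the DOCKER-USER chain, which Docker 17.06 leaves under the administrator's control. Interface and subnet values are taken from the issue; the sample `iptables -S` output is constructed, and the rule is only printed, not applied.

```shell
#!/bin/sh
# Added example (not from the issue). Values below come from the reporter's
# ifconfig/inspect output; adjust them for another host.
LAN_IF=eth0                 # host interface facing the 10.250.0.0/16 LAN
LAN_NET=10.250.0.0/16       # machines that hold a route to the container net
CT_BR=br-dfd292823ec9       # bridge Docker created for network "net1050"
CT_NET=10.50.0.0/16         # subnet of net1050, including the eth0:N aliases

# Return 0 when the FORWARD policy in `iptables -S FORWARD` output ($1) is
# DROP (the Docker >= 1.13 default), 1 when someone reset it to ACCEPT.
forward_policy_is_drop() {
    printf '%s\n' "$1" | grep -q '^-P FORWARD DROP$'
}

# Print an idempotent command that inserts one narrow ACCEPT into DOCKER-USER
# (checked first with -C so re-running does not stack duplicates). Only the
# inbound direction is needed: Docker's own FORWARD rules already accept
# traffic leaving the bridge (-i br-X ! -o br-X -j ACCEPT), so replies flow.
# Unlike the rule `-p 10050:10050` installs in the DOCKER chain, which matches
# only the container's primary address 10.50.0.2, this covers the whole
# 10.50.0.0/16 range, so the 10.50.1.x alias addresses are reachable too.
narrow_forward_rule() {
    rule="-i $LAN_IF -o $CT_BR -s $LAN_NET -d $CT_NET -j ACCEPT"
    printf 'iptables -C DOCKER-USER %s 2>/dev/null || iptables -I DOCKER-USER %s\n' \
        "$rule" "$rule"
}

# Audit helper: given `iptables -S FORWARD` output, say what to do about it.
audit_forward() {
    if forward_policy_is_drop "$1"; then
        echo "FORWARD policy is DROP (Docker default); add a scoped rule instead:"
    else
        echo "FORWARD policy is ACCEPT: every routed host can reach every container."
        echo "Restore it with: iptables -P FORWARD DROP, then add only:"
    fi
    narrow_forward_rule
}

# Constructed sample, shaped like `iptables -S FORWARD` on a 17.06 host.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o br-dfd292823ec9 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-dfd292823ec9 -j DOCKER
-A FORWARD -i br-dfd292823ec9 ! -o br-dfd292823ec9 -j ACCEPT
-A FORWARD -i br-dfd292823ec9 -o br-dfd292823ec9 -j ACCEPT'

audit_forward "$SAMPLE_FORWARD"
```

On a live host, feed `audit_forward "$(iptables -S FORWARD)"` instead of the constructed sample; the printed rule still has to be reviewed and run by root.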
