I was having problems with DDoS attacks and had to buy a DDoS protection service. The service provider installed the service and the filtered traffic comes from a GRE tunnel.
Everything works now, but for some reason the source IP is lost when the destination is a Docker container. Basically, all the connections seem to come from the same IP, which makes the logs completely useless.
I have tried many solutions found online, such as changing iptables rules, changing routes and even running the container with the host network option, but none of them solved my problem.
If I run the server outside of a Docker container and bind it to 192.168.168.2 (my IP inside the GRE tunnel), the source IPs are not lost.
The dedicated server has two IPs:
XXX.XX.162.230 -> Outbound traffic that originates inside the Docker containers leaves through this one.
XXX.XX.158.66 -> The IP used for the GRE tunnel.
All the servers inside Docker run on the pterodactyl0 interface, in the 172.18.0.0/16 subnet.
Output of "ip route":

    default via XXX.XX.162.229 dev ens192 proto static metric 100
    XXX.XX.158.64/30 dev ens192 proto kernel scope link src XXX.XX.158.66 metric 100
    XXX.XX.162.228/30 dev ens192 proto kernel scope link src XXX.XX.162.230 metric 100
    172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
    172.18.0.0/16 dev pterodactyl0 proto kernel scope link src 172.18.0.1
    192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
Output of "iptables-save":

    # Generated by iptables-save v1.4.21 on Fri Dec 14 01:39:23 2018
    *mangle
    :PREROUTING ACCEPT [1017095:251914463]
    :INPUT ACCEPT [977584:240083736]
    :FORWARD ACCEPT [35865:11565123]
    :OUTPUT ACCEPT [865807:309131494]
    :POSTROUTING ACCEPT [901673:320696780]
    COMMIT
    # Completed on Fri Dec 14 01:39:23 2018
    # Generated by iptables-save v1.4.21 on Fri Dec 14 01:39:23 2018
    *filter
    :INPUT ACCEPT [977610:240086356]
    :FORWARD ACCEPT [53:17120]
    :OUTPUT ACCEPT [865853:309242154]
    :DOCKER - [0:0]
    :DOCKER-ISOLATION - [0:0]
    -A INPUT -s XXX.XX.162.230/32 -p tcp -j DROP
    -A FORWARD -j DOCKER-ISOLATION
    -A FORWARD -o docker0 -j DOCKER
    -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
    -A FORWARD -i docker0 -o docker0 -j ACCEPT
    -A FORWARD -o pterodactyl0 -j DOCKER
    -A FORWARD -o pterodactyl0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i pterodactyl0 ! -o pterodactyl0 -j ACCEPT
    -A FORWARD -i pterodactyl0 -o pterodactyl0 -j ACCEPT
    -A DOCKER-ISOLATION -i pterodactyl0 -o docker0 -j DROP
    -A DOCKER-ISOLATION -i docker0 -o pterodactyl0 -j DROP
    -A DOCKER-ISOLATION -j RETURN
    COMMIT
    # Completed on Fri Dec 14 01:39:23 2018
    # Generated by iptables-save v1.4.21 on Fri Dec 14 01:39:23 2018
    *nat
    :PREROUTING ACCEPT [21185:1284024]
    :INPUT ACCEPT [15151:876340]
    :OUTPUT ACCEPT [8014:494893]
    :POSTROUTING ACCEPT [7332:452633]
    :DOCKER - [0:0]
    -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
    -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
    -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
    -A POSTROUTING -s 172.18.0.0/16 ! -o pterodactyl0 -j MASQUERADE
    -A DOCKER -i docker0 -j RETURN
    -A DOCKER -i pterodactyl0 -j RETURN
    COMMIT
    # Completed on Fri Dec 14 01:39:23 2018