Can't write to input from outside of graylog's subnet

I've been scratching my head with this particular issue.

Graylog currently has an IPVLAN IP so that I can give it special firewall privileges separate from the other containers on the host. I can ship logs to it fine from hosts within the same subnet, however I'm not able to send logs to it from hosts on other subnets.
I also can't telnet to 9000 or 5044.

I've double and triple checked my network firewall issues.
I can think of three possible reasons.

  • There's a built-in firewall or IP filter on the docker container I would need to override.
  • Somehow the default gateway isn't set on the container.

My ability to troubleshoot the container itself is limited unless I can figure out how to su to root so that I can install network connectivity test tools.
The Graylog network is an internal one shared with mongo and elastic.

Relevant portions of my docker compose:
(port bindings are omitted as all ports are automatically exposed when using IPVLAN)

```yaml
graylog:
  image: graylog/graylog:4.2
  restart: unless-stopped
  volumes:
    - "/etc/localtime:/etc/localtime:ro"
    - /srv/graylog/graylog/data:/usr/share/graylog/data
    - /srv/graylog/graylog/certs:/etc/pki/graylog
  environment:
    - GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET}
    - GRAYLOG_ROOT_PASSWORD_SHA2=${GRAYLOG_ROOT_PASSWORD_SHA2}
    - GRAYLOG_HTTP_EXTERNAL_URI=http://redacted.net:9000
  # wait for elasticsearch before handing over to the stock entrypoint
  entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 -- /docker-entrypoint.sh
  depends_on:
    - mongodb
    - elasticsearch
  networks:
    graylog:
      priority: 1000
    ipvlan-bridge:
      priority: 500
      ipv4_address: 192.168.4.75
```
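The post above notes that the container has no root access and no ip/ping tools, so the default-gateway theory is hard to check from inside it. One way around that, as an added example that is not part of this thread, is to read the container's `/proc/net/route` from the docker host (every Linux container exposes it, and `docker exec ... cat` needs nothing installed) and decode the little-endian hex addresses it contains. The route table below is a constructed sample, and the container name `graylog` and gateway `192.168.4.1` in it are assumptions, not values from the thread.

```shell
#!/bin/sh
# Constructed sample of `cat /proc/net/route` for a container whose default
# route points at 192.168.4.1 via eth0 (hypothetical values). The kernel
# prints Destination/Gateway/Mask as little-endian hex, so 192.168.4.1 is
# stored as 0104A8C0. Flags 0003 = RTF_UP|RTF_GATEWAY, 0001 = RTF_UP only.
SAMPLE_ROUTE_TABLE='Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 00000000 0104A8C0 0003 0 0 0 00000000 0 0 0
eth0 0004A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0'

# Same container with only its connected subnet and no default route at all,
# which is the failure mode suspected in the thread.
NO_DEFAULT_ROUTE_TABLE='Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 0004A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0'

# Convert an 8-hex-digit little-endian address (as in /proc/net/route)
# to dotted-quad form, e.g. 0104A8C0 -> 192.168.4.1
hex_le_to_ip() {
  h=$1
  b4=${h#??????}            # hex digits 7-8 -> first octet
  t=${h%??}; b3=${t#????}   # hex digits 5-6 -> second octet
  t=${h%????}; b2=${t#??}   # hex digits 3-4 -> third octet
  b1=${h%??????}            # hex digits 1-2 -> fourth octet
  printf '%d.%d.%d.%d' "0x$b4" "0x$b3" "0x$b2" "0x$b1"
}

# Print "<iface> <gateway>" for the default route in a /proc/net/route
# table passed as $1; return 1 when the table has no default route.
default_gateway() {
  gw=$(printf '%s\n' "$1" | awk 'NR > 1 && $2 == "00000000" { print $1, $3; exit }')
  [ -n "$gw" ] || return 1
  set -- $gw
  printf '%s %s\n' "$1" "$(hex_le_to_ip "$2")"
}

# Live check against a running container (not exercised here): only `cat`
# inside the container is required, no root and no extra packages.
live_default_gateway() {
  default_gateway "$(docker exec "$1" cat /proc/net/route)"
}

# Alternative when iproute2 is on the host: enter the container's network
# namespace from outside with nsenter (needs root on the host, not in the container).
host_side_routes() {
  pid=$(docker inspect -f '{{.State.Pid}}' "$1")
  nsenter -t "$pid" -n ip route
}

if [ "${1:-}" = "demo" ]; then
  default_gateway "$SAMPLE_ROUTE_TABLE"
  default_gateway "$NO_DEFAULT_ROUTE_TABLE" || echo "no default route in container"
fi
```

Run `sh thisfile.sh demo` for the constructed tables, or `live_default_gateway graylog` on the docker host to see whether the IPVLAN-attached container actually received a default route; an empty result is the missing-gateway case, which would explain why only same-subnet hosts can reach the inputs.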

From what I am quickly reading, you need to specifically set the gateway in the IPVLAN when you create it… was that done? If not, it defaults to the first usable IP for a gateway. So for 192.168.1.0/24 it would default to 192.168.1.1 for the gateway… I was reading all this on this page

I switched the container to use port bindings on the host and things suddenly work, which supports my theory that for some reason the container isn't setting the default gateway correctly. However, lacking root privileges and without ip-tools or ping-tools installed in the container, I don't really have a way to verify my theory.

I do have the correct gateway defined on the IPVLAN connection itself, and other containers have no issue routing from other containers using the IPVLAN driver.

I'm going to leave the binding to the host for the time being as I'm much less concerned about inbound port access granted to discretely mapped ports as opposed to granting the host IP outbound firewall rights.

Updated config:

```yaml
graylog:
  image: graylog/graylog:4.2
  restart: unless-stopped
  ports:
    # WebUI/API (reached through Traefik instead, see labels below)
    # - "9005:9000"
    # Syslog
    - "1514:1514"
    - "1514:1514/udp"
    # GELF
    - "12201:12201"
    - "12201:12201/udp"
    # Beats
    - "5044:5044"
    - "5044:5044/udp"
  volumes:
    - "/etc/localtime:/etc/localtime:ro"
    - /srv/graylog/graylog/data:/usr/share/graylog/data
    - /srv/graylog/graylog/certs:/etc/pki/graylog
  environment:
    - GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET}
    - GRAYLOG_ROOT_PASSWORD_SHA2=${GRAYLOG_ROOT_PASSWORD_SHA2}
    - GRAYLOG_HTTP_EXTERNAL_URI=https://graylog.mydomain.net/
  # wait for elasticsearch before handing over to the stock entrypoint
  entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 -- /docker-entrypoint.sh
  depends_on:
    - mongodb
    - elasticsearch
  networks:
    graylog:
      priority: 1000
    web:
      priority: 500
  labels:
    # Traefik
    - "traefik.enable=true"
    - "traefik.docker.network=web"
    - "traefik.http.routers.graylog.rule=Host(`graylog.mydomain.net`)"
    # entrypoint and TLS settings belong to the graylog router defined above
    - "traefik.http.routers.graylog.entrypoints=websecure"
    - "traefik.http.routers.graylog.tls.certresolver=letsencrypt"
    # Specify service port as otherwise Traefik will select the SSL port
    - "traefik.http.routers.graylog.service=graylog"
    - "traefik.http.services.graylog.loadbalancer.server.port=9000"
    - "traefik.http.services.graylog.loadbalancer.server.scheme=http"
    # Watchtower
    - "com.centurylinklabs.watchtower.enable=true"
    - "com.centurylinklabs.watchtower.monitor-only=true"
```
