
I'm trying to update packages from an Ubuntu container; however, updating fails and I've noticed I can't connect anywhere, though I am able to look up DNS names.

I'm using the nicolaka/netshoot container in order to test the network.

I've used the "tcpdump" command in order to trace any error related to the messages being sent, and testing with ping from the container results in the following error: "ICMP time exceeded in-transit".

tcpdump on the host interface:

16:18:25.257270 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 3, length 64
16:18:25.257314 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:26.237575 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 4, length 64
16:18:26.286692 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 4, length 64
16:18:26.286757 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:27.261770 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 5, length 64
16:18:27.302193 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 5, length 64
16:18:27.302241 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:28.285631 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 6, length 64
16:18:28.329531 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 6, length 64
16:18:28.329596 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:29.309767 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 7, length 64
16:18:29.353202 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 7, length 64
16:18:29.353272 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92

Also, I'm not sure if my iptables rules are as expected for Docker containers to get an internet connection.

iptables -nvL:

Chain INPUT (policy ACCEPT 1015 packets, 437K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  266 21762 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  266 21762 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   15  1513 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
  251 20249 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1323 packets, 142K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  251 20249 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
  266 21762 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
  251 20249 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  266 21762 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0 

I've also noticed traceroute gets past my router and I am able to get nslookup results; is it my ISP throwing me under the bus?

traceroute result (screenshot)

Nicolas
  • What is that 1.1.0.1 doing there? That is a public IP address in China. Are you in China? – Michael Hampton Sep 21 '20 at 02:31
  • I'm not in China. Actually I am in Peru. @MichaelHampton – Nicolas Sep 21 '20 at 02:48
  • Is that run by your ISP then? If so, they are doing something very, very wrong by using other companies' IP addresses. – Michael Hampton Sep 21 '20 at 03:18
  • @MichaelHampton Thanks for your assessment, I actually thought so too; I called them today to ask about it. They might be using public IPs as local network IPs wrongly. Either way, I don't understand why my traceroute gets cut there. – Nicolas Sep 22 '20 at 00:17
  • The reply is possibly going to China. – Michael Hampton Sep 22 '20 at 00:19
  • When I do a traceroute from the PC itself, it gets past that IP address; however, doing it from the container, as in the screenshot shared, it gets stuck there. – Nicolas Sep 22 '20 at 00:25
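Added example (not code from the question, the answer or the netshoot project): a small Python script that pairs the echo replies in the tcpdump output above with the host's own "time exceeded in-transit" errors. An ICMP time-exceeded error that the host itself emits right after receiving a reply means the reply's TTL ran out on the host's forwarding hop towards the container, so the container never saw it. The hostname `nicolas` is taken from the capture; the 5 ms pairing window and the adjacency heuristic are assumptions.

```python
import re

# Sample input: the first lines of the tcpdump capture quoted in the question.
SAMPLE_CAPTURE = """\
16:18:25.257270 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 3, length 64
16:18:25.257314 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:26.237575 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 4, length 64
16:18:26.286692 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 4, length 64
16:18:26.286757 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:27.261770 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 5, length 64
16:18:27.302193 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 5, length 64
16:18:27.302241 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
"""
# One tcpdump ICMP line; id/seq are absent on the "time exceeded" error lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP "
    r"(?P<kind>echo request|echo reply|time exceeded in-transit)"
    r"(?:, id (?P<id>\d+), seq (?P<seq>\d+))?, length \d+$"
)

def _secs(ts):
    h, m, s = ts.split(":")  # hh:mm:ss.ffffff -> seconds since midnight
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyze(capture, host, window=0.005):
    """Pair each echo reply that reached `host` with a 'time exceeded in-transit'
    error that `host` itself sent back to the same peer within `window` seconds:
    the reply arrived with TTL 1 and expired on the forward hop to the container."""
    replied, expired = [], []
    last_reply = None  # (seconds, peer, id, seq) of the most recent echo reply
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ICMP line we care about
        t = _secs(m["ts"])
        if m["kind"] == "echo reply" and m["dst"] == host:
            last_reply = (t, m["src"], int(m["id"]), int(m["seq"]))
            replied.append(last_reply[2:])
        elif m["kind"] == "time exceeded in-transit" and m["src"] == host and last_reply:
            t0, peer, pid, seq = last_reply
            # Heuristic (assumption): the error belongs to the reply just received from that peer.
            if m["dst"] == peer and 0 <= t - t0 <= window:
                expired.append((pid, seq))
                last_reply = None
    return {"replied": replied, "expired_on_forward": expired}

def verdict(result):
    if result["replied"] and result["expired_on_forward"] == result["replied"]:
        return "every reply reached the host but expired (TTL) on the forward hop to the container"
    return "replies were forwarded towards the container normally"
```

Run it against a capture taken on the host's uplink interface while pinging from the container; a healthy path shows echo replies with no host-generated time-exceeded errors following them.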

1 Answer

I'll close this question as I've found the problem lies with my ISP: it uses NAT, and since Docker also uses NAT, containers are being blocked from their internet access.

Nicolas