Docker Host Loop

zeug at delirium.ch
Wed Feb 14 21:26:02 GMT 2024


Hiya

I've just replaced Vuurmuur with Firehol on my metal box which runs a bunch of services in Docker containers. It all went pretty smoothly, but there's one routing I just don't get working.

The relevant interfaces in play are:

* enp3s0 – the physical network device of the host
* br_gollum – the bridge to which the gollum wiki container connects via veth9688d8d
* br_gitlab – the bridge to which the gitlab container connects via veth723b0d7

Every container is in its own network, the containers don't really have to communicate in between. However, there's one exception: The gollum wiki is actually using a git repository for storage, so it has to talk to the gitlab web frontend.

The gitlab container exposes its web frontend to the internet via an Nginx proxy on the host, so from outside, it can be reached on https://gitlab.mydomain.com and without firewalling, I can shell into the gollum container and do "curl https://gitlab.mydomain.com".

Once the firewall is up, this doesn't work anymore. The domain name is resolved alright, but the Nginx proxy cannot be reached from the gollum container on the public IP of the host.

Here are the relevant firewall rules:
https://gist.github.com/svoop/d3515a6c2832fb23b6530fc04105a427

When I shell into the gollum container now and try "curl https://gitlab.mydomain.com", the connection is blocked and the log shows:

> Feb 14 22:23:00 [kernel] [1989654.441823] reject UNMATCHED IN-gollum:IN=br-gollum OUT= PHYSIN=veth59e2348 MAC=02:42:e5:d5:28:04:12:62:bc:10:2e:03:08:00 SRC=172.16.46.3 DST=144.76.82.233 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42442 DF PROTO=TCP SPT=59852 DPT=443 WINDOW=21900 RES=0x00 SYN URGP=0


Any idea what I'm doing wrong here? (Also maybe a stupid question: I use the bridge interfaces br-+ for the firewall rules. Is this correct or are the veth interfaces relevant?)

Thanks for your help!   -sven
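As an added diagnostic aid (example code, not from the post, the linked gist, or FireHOL itself), the Python below parses netfilter LOG lines of the shape quoted above into their key=value fields and flag tokens, then checks two things a reader of this thread would want to confirm: whether a rejected packet was addressed to one of the host's own addresses (an empty OUT= together with a DST that belongs to the host means the packet was being handled on the host's INPUT path, not forwarded between bridges), and whether the interface names seen in the log match the names the firewall configuration refers to (the post lists the bridges as br_gollum and br_gitlab, while the log shows br-gollum). The first sample line is the reject quoted in the post; the other sample lines, the set of host addresses and the list of configured interface names are constructed assumptions for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample input: line 1 is the reject quoted in the post, lines 2 and 3 are
# made-up variants (assumed, not from the page) that exercise a forwarded packet and a
# non-firewall syslog line.
SAMPLE_LOG = [
    "Feb 14 22:23:00 [kernel] [1989654.441823] reject UNMATCHED IN-gollum:IN=br-gollum OUT= "
    "PHYSIN=veth59e2348 MAC=02:42:e5:d5:28:04:12:62:bc:10:2e:03:08:00 SRC=172.16.46.3 "
    "DST=144.76.82.233 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42442 DF PROTO=TCP SPT=59852 "
    "DPT=443 WINDOW=21900 RES=0x00 SYN URGP=0",
    "Feb 14 22:24:10 [kernel] [1989724.100000] reject UNMATCHED IN-gitlab:IN=br-gitlab "
    "OUT=enp3s0 PHYSIN=veth723b0d7 SRC=172.16.47.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=21900 RES=0x00 SYN URGP=0",
    "Feb 14 22:25:01 sshd[1234]: Accepted publickey for sven from 198.51.100.7 port 51022",
]

# The log prefix is whatever sits between the last "]" and the first "IN=" token.
# A ":" glued to the prefix (as in "IN-gollum:IN=") is dropped.
HEADER_RE = re.compile(r"(?P<prefix>[^\]]*?):?(?=\bIN=)")


def parse_netfilter_log(line: str) -> Optional[Dict[str, object]]:
    """Split a netfilter LOG line into its prefix, key=value fields and bare flags.

    Returns None for lines that are not netfilter LOG output (no IN= token).
    """
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in line[m.end():].split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty string, which matters below
            fields[key] = value
        else:
            flags.append(tok)                # bare tokens such as DF or SYN
    return {"prefix": m.group("prefix").strip(), "fields": fields, "flags": flags}


def is_host_bound(entry: Dict[str, object], host_addresses: Iterable[str]) -> bool:
    """True when the packet came in on an interface, was not being forwarded (OUT empty),
    and is addressed to one of the host's own addresses, i.e. it is INPUT traffic."""
    f = entry["fields"]
    return bool(f.get("IN")) and not f.get("OUT") and f.get("DST") in set(host_addresses)


def unknown_interfaces(entries: Iterable[Dict[str, object]], configured: Iterable[str]) -> List[str]:
    """Interface names seen as IN= in the log that the configuration does not name."""
    seen = {e["fields"].get("IN") for e in entries if e["fields"].get("IN")}
    return sorted(seen - set(configured))


def describe(entry: Dict[str, object]) -> str:
    """One-line human summary of a parsed log entry."""
    f = entry["fields"]
    path = f"{f.get('IN') or '-'} -> {f.get('OUT') or 'host'}"
    return (f"{entry['prefix']}: {path} {f.get('SRC')} -> {f.get('DST')}:"
            f"{f.get('DPT')}/{f.get('PROTO')} {' '.join(entry['flags'])}")


def analyse(lines: Iterable[str], host_addresses: Iterable[str],
            configured_interfaces: Iterable[str]) -> Dict[str, List[str]]:
    """Run both checks over a batch of log lines."""
    entries = [e for e in (parse_netfilter_log(l) for l in lines) if e]
    return {
        "host_bound": [describe(e) for e in entries if is_host_bound(e, host_addresses)],
        "unknown_interfaces": unknown_interfaces(entries, configured_interfaces),
    }


if __name__ == "__main__":
    # Assumed values: the host's public address as it appears in the quoted log line,
    # and the interface names exactly as the post's interface list spells them.
    report = analyse(SAMPLE_LOG, {"144.76.82.233"}, ["enp3s0", "br_gollum", "br_gitlab"])
    for line in report["host_bound"]:
        print("host-bound reject:", line)
    print("interfaces in log not named in config:", report["unknown_interfaces"])
```

Run on the quoted line, the first check reports the gollum packet as host-bound (IN=br-gollum, OUT empty, DST is the host's address, DPT=443), which is the evidence that the curl from the container is arriving on the host's input path on the bridge rather than being routed between bridges; the second check lists br-gollum as an interface the underscore-spelled configuration never names.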

