Use floating IP address only for outbound Cloudron Docker container communication
-
Hello,
I am wanting to make it so that all Cloudron / Docker containers are using a certain outbound IP address as the source instead of a different IPv4 address.
Let's say my IPv4 interface has 1.2.3.4 by default, and I have a floating IP of 6.7.8.9. Right now, it seems like the dedicated server routes traffic through all available IPs seemingly at random. I want to force it to use 6.7.8.9 instead from the Cloudron Docker containers.
Currently, I've been able to do this by creating a system service at /etc/systemd/system/docker-snat.service (for example) to add in a firewall rule. The service looks like this:
    [Unit]
    Description=Insert SNAT rule for Docker container traffic
    After=docker.service
    Requires=docker.service

    [Service]
    Type=oneshot
    # Traffic from the Docker bridge subnet leaving via the uplink gets the floating IP as its source
    ExecStart=/usr/sbin/iptables -t nat -I POSTROUTING -s 172.18.0.0/16 -o enp3s0f0 -j SNAT --to-source {FLOATING_IP}
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target
The context for this request is to do with mail and avoiding issues with FCrDNS (forward-confirmed reverse DNS). Specifically, Gmail started blocking delivery from some emails due to the IP address resolving to my mail server not matching the IP address used to send the message. Cloudron is using the floating IP address when it sets the DNS records, but since that doesn't appear to be the only IP being used for outbound mail, some mail is getting rejected.
Is there a better way to achieve this? I added a floating IP recently to the server and that's what triggered this issue as any mail being sent from the original IPs failed because the DNS records now only contained the floating IP instead for the mail server.
-
@joseph Yeah, I tried a few different ways including modifying the Netplan 51-cloud-init.yaml file which is used for adding the additional/floating IP address (this works okay for adding the IP itself), but no matter what I tried (with the help of AI too), nothing allowed Docker to use the floating IP for all outbound communication until it suggested the service to add that rule persistently which seemed to work okay thankfully. It just feels like this is "wrong" somehow though even though it works. I want to believe there's a much easier way to do this.
I'm also surprised nobody else has had this issue, although I suppose most people aren't using floating IPs, and those that do either don't run into the issue or already knew how to work around it which I didn't until today after hours of troubleshooting, haha. Or maybe it's something that Gmail is recently applying in their MTA checks. I'm not sure how I haven't run into this myself before.
-
@robi I think the question still becomes… how does one apply that change to the mail container only to send over one IP? The change I made works fine and applies to all containers which is okay overall. But it just doesn’t seem ‘right’, I keep thinking I’m overlooking something.
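The following script is an added example, not code from the thread or from Cloudron. It covers both the subnet-wide SNAT unit from the first post and the follow-up question about restricting it to the mail container. Two things the one-line ExecStart above does not handle are shown: the rule is only inserted if an identical one is not already present (re-running the unit, for example with systemctl restart, would otherwise add a duplicate at the top of nat/POSTROUTING), and the source match can be narrowed to a single container's address via docker inspect. The bridge subnet 172.18.0.0/16, the interface enp3s0f0 and the floating IP 6.7.8.9 are taken from the post; the mail container's name is not known here, so it is passed as an argument rather than hard-coded. Scoping to one container has its own caveat, noted in the comments: the container's address is not stable across restarts unless pinned, which the subnet-wide rule avoids.

```shell
#!/bin/sh
# Added example (not from the Cloudron forum post): idempotent SNAT pinning for
# Docker egress. Assumptions: the Docker bridge subnet (172.18.0.0/16), the
# egress interface (enp3s0f0) and the floating IP come from the post or are
# passed in; the container name is whatever `docker ps` shows for your mail
# container, which this example does not know, so it is an argument.
set -eu

IPTABLES=${IPTABLES:-iptables}   # overridable so the logic can be exercised without root
DOCKER=${DOCKER:-docker}

# valid_ipv4 ADDR: return 0 for a dotted quad with every octet in 0..255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing dot, empty octet
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# snat_rule SRC IFACE TO: print the rule body shared by the -C (check) and
# -I (insert) calls, so the two can never drift apart.
snat_rule() {
    src=$1 iface=$2 to=$3
    printf '%s\n' "POSTROUTING -s $src -o $iface -j SNAT --to-source $to"
}

# ensure_snat SRC IFACE TO: insert the rule at the top of nat/POSTROUTING
# (ahead of Docker's own MASQUERADE rule) unless an identical rule already
# exists. A bare `-I`, as in the posted unit, adds a duplicate each time it runs.
ensure_snat() {
    valid_ipv4 "$3" || { echo "bad floating IP: $3" >&2; return 2; }
    rule=$(snat_rule "$1" "$2" "$3")
    if "$IPTABLES" -t nat -C $rule 2>/dev/null; then
        echo "already present: $rule"
    else
        "$IPTABLES" -t nat -I $rule
        echo "inserted: $rule"
    fi
}

# container_ip NAME: the container's address on its Docker network, so the
# SNAT can be scoped to the mail container instead of the whole bridge subnet.
# That address is not stable across container restarts unless pinned, so a /32
# rule must be refreshed after the container is recreated; the subnet-wide
# rule from the post does not have that problem.
container_ip() {
    "$DOCKER" inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"
}

# Usage (as root):
#   sh docker-snat.sh all       6.7.8.9 enp3s0f0   # whole 172.18.0.0/16, as in the post
#   sh docker-snat.sh CONTAINER 6.7.8.9 enp3s0f0   # only that container's /32
case "${1:-}" in
    "")  ;;   # no arguments: just define the functions
    all) ensure_snat 172.18.0.0/16 "${3:-enp3s0f0}" "${2:?floating IP required}" ;;
    *)   ensure_snat "$(container_ip "$1")/32" "${3:-enp3s0f0}" "${2:?floating IP required}" ;;
esac
```

Wired into the unit, `ExecStart=/bin/sh /usr/local/sbin/docker-snat.sh all 6.7.8.9 enp3s0f0` replaces the raw iptables call and makes the unit safe to restart; for the per-container form, the unit needs to run after the container is up and again whenever it is recreated.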