Gist: pedrolamas/db809a2b9112166da4a2dbf8e3a72ae9
#!/bin/bash
# Wait until Docker has created its iptables chains, then add the NAT rules
# that let traffic addressed to the host's own (LOCAL) addresses reach
# published container ports.
currentAttempt=0
totalAttempts=10
delay=15
while [ "$currentAttempt" -lt "$totalAttempts" ]
do
    currentAttempt=$(( currentAttempt + 1 ))
    echo "Attempt $currentAttempt of $totalAttempts..."
    result=$(iptables-save)
    # The DOCKER chain's RETURN rule for docker0 is the marker that Docker is up.
    if [[ $result =~ "-A DOCKER -i docker0 -j RETURN" ]]; then
        echo "Docker rules found! Modifying..."
        iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
        iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER
        echo "Done!"
        break
    fi
    echo "Docker rules not found! Sleeping for $delay seconds..."
    sleep "$delay"
done
There is a much saner solution for all of this. Just run all your containers on the host network and no additional things are needed. The only 'complex' thing I set up is changing the default ports of the built-in nginx inside a startup script, like @Maypul mentioned, but that is only because I want to use port 443 and port 80 for caddy. So:
sed -i "s/^\( *listen .*\)80/\1$HTTP_PORT/" /usr/syno/share/nginx/*.mustache
sed -i "s/^\( *listen .*\)443/\1$HTTPS_PORT/" /usr/syno/share/nginx/*.mustache
Now in your docker compose file, make sure you:
- use unique ports for every service
- specify network_mode: host
It might look like this (the caddy labels are only needed if using caddy of course):
  whoami-public:
    container_name: whoami-public
    image: traefik/whoami
    network_mode: host
    restart: unless-stopped
    environment:
      - WHOAMI_PORT_NUMBER=707
    labels:
      caddy: ${public_protocol}whoami.${public_domain}
      caddy.reverse_proxy: "{{upstreams 707}}"
I've been having issues similar to this since upgrading to Synology Container Manager 3 and trying to use the automatic configuration of proxying with Web Station. While Container Manager could be sending a container's 172.x.x.x address to Web Station, it seems to send 127.0.0.1 and assume a working port forward, which doesn't work.
Since Container Manager 3 it seems you need to add an OUTPUT rule:
iptables -t nat -A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
Also the test in OP to see whether the docker rules have been applied no longer works; I'm currently using:
if [[ $result =~ "DOCKER-USER" ]]; then
Hope that helps people, I've been pulling my hair out trying to get this to work.
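Added example (not the gist's own script and not from any commenter): an idempotent version of the rule insertion that combines the gist's retry loop, the OUTPUT rule from the Container Manager 3 comment above, and the DOCKER-USER check. The gist appends with -A on every run, so re-running it after the rules already exist leaves duplicate NAT rules; here each rule is tested with `iptables -C` first and only appended when missing. The variables IPTABLES and IPTABLES_SAVE, the function names, and the file name docker-nat-rules.sh are assumptions made for this example so the logic can be exercised without root.

```shell
#!/bin/bash
# Added example: idempotent Docker NAT rule setup for Synology.
# IPTABLES / IPTABLES_SAVE are assumed overrides (point them at stubs to test).
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
RULES_ADDED=0   # counts rules actually appended in this run

# Returns 0 once Docker has created its chains. Accepts either the old marker
# ("-A DOCKER -i docker0 -j RETURN") or the DOCKER-USER chain declaration that
# the Container Manager 3 comment relies on.
docker_rules_present() {
    "$IPTABLES_SAVE" 2>/dev/null | grep -Eq '^:DOCKER-USER |-A DOCKER -i docker0 -j RETURN'
}

# ensure_nat_rule CHAIN RULE...: append RULE to CHAIN in the nat table only if
# an identical rule is not already present (iptables -C checks for it).
ensure_nat_rule() {
    chain="$1"; shift
    if "$IPTABLES" -t nat -C "$chain" "$@" 2>/dev/null; then
        RULE_RESULT=present
    else
        "$IPTABLES" -t nat -A "$chain" "$@"
        RULES_ADDED=$((RULES_ADDED + 1))
        RULE_RESULT=added
    fi
    echo "$chain: $RULE_RESULT"
}

# The three rules discussed on this page: two PREROUTING rules from the gist
# and the OUTPUT rule needed since Container Manager 3.
apply_docker_nat_rules() {
    ensure_nat_rule PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
    ensure_nat_rule PREROUTING -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER
    ensure_nat_rule OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
}

# wait_and_apply ATTEMPTS DELAY: same shape as the gist's loop, but safe to
# re-run. Returns 1 if Docker never created its chains in time, so a caller
# (e.g. a scheduled task) can notice the failure instead of silently exiting 0.
wait_and_apply() {
    attempts="${1:-10}"; delay="${2:-15}"; n=0
    while [ "$n" -lt "$attempts" ]; do
        n=$((n + 1))
        if docker_rules_present; then
            apply_docker_nat_rules
            return 0
        fi
        echo "Docker rules not found (attempt $n of $attempts), sleeping $delay s..."
        sleep "$delay"
    done
    return 1
}

# Only run the loop when executed directly under the assumed file name,
# so the functions can also be sourced.
case "${0##*/}" in
    docker-nat-rules.sh) wait_and_apply 10 15 ;;
esac
```

Saved as docker-nat-rules.sh and run as root from a boot-time task, it behaves like the gist but can be triggered repeatedly (for example after Container Manager restarts) without accumulating duplicate rules, and its non-zero exit on timeout makes a failed run visible in the task log.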
Have you got any fix on this?