
@pedrolamas
Created August 18, 2020 19:32
Script to fix Docker iptables on Synology NAS
#!/bin/bash
# Poll until Docker has installed its own iptables rules, then add the NAT
# rules that send traffic for local addresses into Docker's DOCKER chain.
currentAttempt=0
totalAttempts=10
delay=15
while [ $currentAttempt -lt $totalAttempts ]
do
  currentAttempt=$(( $currentAttempt + 1 ))
  echo "Attempt $currentAttempt of $totalAttempts..."
  result=$(iptables-save)
  # Docker's rules are considered loaded once this line appears in the dump.
  if [[ $result =~ "-A DOCKER -i docker0 -j RETURN" ]]; then
    echo "Docker rules found! Modifying..."
    iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
    iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER
    echo "Done!"
    break
  fi
  echo "Docker rules not found! Sleeping for $delay seconds..."
  sleep $delay
done
@erwinkramer

There is a much saner solution for all of this. Just run all your containers on the host network and no additional things are needed. The only 'complex' thing I set up is changing the default ports of the built-in nginx inside a startup script, like @Maypul mentioned, but that is only because I want to use port 443 and port 80 for caddy. So:

sed -i "s/^\( *listen .*\)80/\1$HTTP_PORT/" /usr/syno/share/nginx/*.mustache
sed -i "s/^\( *listen .*\)443/\1$HTTPS_PORT/" /usr/syno/share/nginx/*.mustache

Now in your docker compose file, make sure you:

  • use unique ports for every service
  • specify network_mode: host

It might look like this (the caddy labels are only needed if using caddy of course):

  whoami-public:
    container_name: whoami-public
    image: traefik/whoami
    network_mode: host
    restart: unless-stopped
    environment:
      - WHOAMI_PORT_NUMBER=707
    labels:
      caddy: ${public_protocol}whoami.${public_domain}
      caddy.reverse_proxy: "{{upstreams 707}}"

@jackmaninov

jackmaninov commented Jun 30, 2025

I've been having issues similar to this since upgrading to Synology Container Manager 3 and trying to use the automatic configuration of proxying with Web Station. While Container Manager could be sending a container's 172.x.x.x address to Web Station, it seems to send 127.0.0.1 and assume a working port forward, which doesn't work.

Since Container Manager 3 it seems you need to add an OUTPUT rule:

iptables -t nat -A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER

Also the test in OP to see whether the docker rules have been applied no longer works, I'm currently using:

if [[ $result =~ "DOCKER-USER" ]]; then

Hope that helps people, I've been pulling my hair out trying to get this to work.

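The following is an added example, not the gist's script or any commenter's code: it combines the gist's wait loop with the DOCKER-USER check and the OUTPUT rule from the Container Manager 3 comment, and guards each rule with `iptables -C` so that re-running the script at every boot does not append duplicate rules. It assumes `iptables-save` prints chains in its usual `:NAME policy [pkts:bytes]` form and that the script is run as root from a boot-time task with the argument `run`.

```shell
#!/bin/bash
# Added example, not the gist's own script: the same wait-then-patch loop, but
# (a) detecting Docker's chains via DOCKER-USER, as the Container Manager 3
# comment suggests, (b) adding that comment's OUTPUT rule alongside the gist's
# PREROUTING rule, and (c) using `iptables -C` so re-runs never add duplicates.

# Return 0 when an iptables-save dump (passed as a string) defines DOCKER-USER.
# iptables-save lists chains as ":NAME policy [pkts:bytes]", so match that form.
docker_chains_loaded() {
  case "$1" in
    *":DOCKER-USER "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Append a nat rule to CHAIN only if an identical rule is not already present.
add_nat_rule_once() {
  chain=$1; shift
  if iptables -t nat -C "$chain" "$@" 2>/dev/null; then
    echo "nat/$chain already has: $*"
  else
    iptables -t nat -A "$chain" "$@"
  fi
}

# Poll up to ATTEMPTS times, DELAY seconds apart, until Docker's chains exist,
# then hook local-destination traffic into the DOCKER nat chain.
wait_for_docker_and_fix() {
  attempts=${1:-10}; delay=${2:-15}; n=0
  while [ "$n" -lt "$attempts" ]; do
    n=$((n + 1))
    echo "Attempt $n of $attempts..."
    if docker_chains_loaded "$(iptables-save 2>/dev/null)"; then
      add_nat_rule_once PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
      add_nat_rule_once OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
      echo "Done!"
      return 0
    fi
    echo "Docker rules not found! Sleeping for $delay seconds..."
    sleep "$delay"
  done
  echo "Gave up after $attempts attempts" >&2
  return 1
}

# Run the loop only when invoked as "fix-docker-iptables.sh run [attempts] [delay]",
# so the file can also be sourced to reuse the functions.
if [ "${1:-}" = "run" ]; then
  shift
  wait_for_docker_and_fix "$@"
fi
```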