I have a hardware box with Ubuntu 14.04 LTS as host for docker 1.4
I'm running an ELK stack in several containers. Currently the logstash
container is exposing only port 514 to collect syslog input.
In some situations, after restarting the container, syslog traffic
is not forwarded to the container anymore.
'iptables -nvL' shows that there is no traffic matching the rule
applied to the forwarding chain during container start. The traffic
counter of the INPUT chain is considerably higher than in the FORWARD
I notice this behavior on all containers that are exposing UDP
ports to the world, containers with TCP based services are working as
restarting the containers and the docker service is without
I'm mainly collecting firewall traffic logs, so the syslog traffic
flow is quite constant. I'm collecting approx 1,5k Syslog traps per
My workaround here is to stop all traffic to the host for about 10
seconds (currently by blackholing the traffic on an upstream
After stopping syslog export on one single firewall node for a few
seconds, traffic from this specific firewall is forwarded to the
container as expected. But only from this single one.
I think that this is an issue of iptables. It seems that iptables
is caching the forwarding information for a few seconds and is ignoring
any newly applied rules as long as traffic is present.
I've done no additional configuration on iptables here. Everything
is done by docker. I have no ufw, conntrackd or anything
Any suggestions how to solve this issue?
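The counter comparison described in this post (INPUT rising while FORWARD does not), as an added check rather than the poster's own commands: it parses two `iptables -nvL` snapshots and reports whether the host forwarded anything in between. The snapshots below are constructed, and `chain_pkts`, `chain_delta` and `udp_forward_verdict` are names chosen here.

```shell
# Added diagnostic: sample 'iptables -nvL' twice and compare per-chain packet
# counters, so traffic counted in INPUT but not in FORWARD shows up as a number.
# chain_pkts "$snapshot" CHAIN -> packets seen by CHAIN (policy counter plus
# every rule counter; iptables abbreviates large counters as 12K / 3M / 1G).
chain_pkts() {
  printf '%s\n' "$1" | awk -v chain="$2" '
    function num(v,  n) {               # expand K/M/G suffixes to plain numbers
      n = v + 0
      if (v ~ /K$/) n *= 1000
      if (v ~ /M$/) n *= 1000000
      if (v ~ /G$/) n *= 1000000000
      return n
    }
    /^Chain / {                          # "Chain INPUT (policy ACCEPT N packets, ...)"
      cur = $2
      if (cur == chain && $0 ~ /policy/) { sub(/.*policy [A-Z]+ /, ""); sum += num($1) }
      next
    }
    /^ *pkts +bytes/ { next }            # column header line
    cur == chain && NF > 0 { sum += num($1) }
    END { printf "%d\n", sum + 0 }'
}
# chain_delta "$before" "$after" CHAIN -> packets counted between the snapshots
chain_delta() {
  echo $(( $(chain_pkts "$2" "$3") - $(chain_pkts "$1" "$3") ))
}
# udp_forward_verdict "$before" "$after": NOT_FORWARDED means the host kept
# counting packets in INPUT while FORWARD saw none, the situation in the post.
udp_forward_verdict() {
  in_d=$(chain_delta "$1" "$2" INPUT); fw_d=$(chain_delta "$1" "$2" FORWARD)
  if [ "$fw_d" -gt 0 ]; then echo FORWARDED
  elif [ "$in_d" -gt 0 ]; then echo NOT_FORWARDED
  else echo NO_TRAFFIC; fi
}
# Constructed sample snapshots (not output from the poster's host) in the
# layout 'iptables -nvL' prints; only INPUT's policy counter moves.
SNAP_BEFORE='Chain INPUT (policy ACCEPT 1200 packets, 96000 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  10K  800K DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0'
SNAP_AFTER=$(printf '%s' "$SNAP_BEFORE" | sed 's/ACCEPT 1200 packets, 96000 bytes/ACCEPT 2700 packets, 216000 bytes/')
# Live use on the host (as root): a=$(iptables -nvL); sleep 5; b=$(iptables -nvL); udp_forward_verdict "$a" "$b"
```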