Following situation: I have a hardware box with Ubuntu 14.04 LTS as host for docker 1.4. I'm running an ELK stack in several containers. Currently the logstash container is exposing only port 514 to collect syslog input.
In some situations, after restarting the container, syslog traffic is not forwarded to the container anymore.
'iptables -nvL' shows that there is no traffic matching the rule applied to the forwarding chain during container start. The traffic counter of the INPUT chain is considerably higher than that of the FORWARD chain.
I notice this behavior on all containers that are exposing UDP ports to the world; containers with TCP-based services are working as expected.
Restarting the containers and the docker service is without success.
I'm mainly collecting firewall traffic logs, so the syslog traffic flow is quite constant. I'm collecting approx. 1.5k syslog traps per second.
My workaround here is to stop all traffic to the host for about 10 seconds (currently by blackholing the traffic on an upstream router).
After stopping syslog export on one single firewall node for a few seconds, traffic from this specific firewall is forwarded to the container as expected. But only from this single one.
I think that this is an issue of iptables. It seems that iptables is caching the forwarding information for a few seconds and is ignoring any newly applied rules as long as traffic is present.
I've done no additional configuration on iptables here. Everything is done by docker. I have no ufw, conntrackd or anything installed.
Any suggestions how to solve this issue?
Best regards, Andreas
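Added example, not part of Andreas' post and not a Docker or iptables tool: a small POSIX shell script that reads entries in the /proc/net/nf_conntrack format and lists UDP flows to a given port whose reply tuple was never rewritten by a DNAT rule, i.e. flows that the kernel's connection tracker recorded before the container's port mapping existed and therefore keeps steering into the host's INPUT chain instead of FORWARD. The sample entries, the host address 198.51.100.5, the container address 172.17.0.3 and the sender addresses are constructed; the flush command assumes the conntrack CLI from conntrack-tools is installed, which the post does not say.

```shell
#!/bin/sh
# Added example (not from the original post). Finds conntrack entries for UDP
# flows to PORT that bypass the container's DNAT mapping and prints the
# conntrack-tools command that clears them. All addresses below are
# constructed sample values.

SAMPLE="${TMPDIR:-/tmp}/conntrack_sample.$$"

# Constructed sample in /proc/net/nf_conntrack layout: two UDP/514 flows and one
# TCP flow. After the timeout column comes the original tuple, an optional
# [UNREPLIED] marker, then the reply tuple.
write_sample() {
    cat > "$1" <<'EOF'
ipv4     2 udp      17 29 src=192.0.2.10 dst=198.51.100.5 sport=514 dport=514 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=514 dport=514 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.0.2.11 dst=198.51.100.5 sport=514 dport=514 [UNREPLIED] src=172.17.0.3 dst=192.0.2.11 sport=514 dport=514 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.12 dst=198.51.100.5 sport=40000 dport=22 src=198.51.100.5 dst=192.0.2.12 sport=22 dport=40000 [ASSURED] mark=0 zone=0 use=2
EOF
}

# stale_udp_flows FILE PORT
# Prints the original source address of every UDP flow to PORT whose reply
# source equals the original destination: no DNAT was applied to that flow, so
# its packets never reach the FORWARD chain. A flow translated to the container
# has the container address as reply source and is skipped.
stale_udp_flows() {
    awk -v port="$2" '
    $3 == "udp" {
        n = 0; osrc = ""; odst = ""; odport = ""; rsrc = ""
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^src=/) { n++; if (n == 1) osrc = substr($i, 5); else rsrc = substr($i, 5) }
            else if ($i ~ /^dst=/ && odst == "") odst = substr($i, 5)
            else if ($i ~ /^dport=/ && odport == "") odport = substr($i, 7)
        }
        if (odport == port && rsrc == odst) print osrc
    }' "$1"
}

# flush_cmd PORT
# Prints the conntrack-tools command that deletes every tracked UDP flow to
# PORT, so the next packet from each sender is evaluated against the current
# NAT rules. Assumes the conntrack CLI is installed; it must run as root.
flush_cmd() {
    printf 'conntrack -D -p udp --dport %s\n' "$1"
}

write_sample "$SAMPLE"
echo "Senders whose UDP/514 flows bypass the container mapping:"
stale_udp_flows "$SAMPLE" 514
echo "To clear them: $(flush_cmd 514)"
rm -f "$SAMPLE"
```

On a real host, point stale_udp_flows at /proc/net/nf_conntrack (or at the output of `conntrack -L`) instead of the constructed sample. Seeing senders listed there while the FORWARD counters stay flat confirms that the existing flow state, not the freshly added rule, decides where the packets go; flushing those flows has the same effect as the 10-second traffic blackhole described above, without touching the upstream router.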