What's using 172.18.0.0/16 and how do I change the IP range


Chad O'Connell

May 8, 2019, 1:11:51 PM
to security-onion
Docker seems to be using the 172.17.0.0/24 range, but when running sostat I see a bunch of traffic on the 172.18.0.x traffic. ip route shows "172.18.0.0/16 dev br-27f6b62cc482 proto kernel scope link src 172.18.0.1" but it is not listed in /etc/network/interfaces. This is causing issues because I have NAT'd traffic using IP addresses in the 172.18.x.x range. Can somebody let me know what's using this range and how to change it?

Wes Lambert

May 8, 2019, 4:57:45 PM
to securit...@googlegroups.com
Hi Chad,

You may want to see the following:

https://securityonion.readthedocs.io/en/latest/docker.html#bridge
Thanks,
Wes

On Wed, May 8, 2019 at 1:11 PM Chad O'Connell <lowdan...@gmail.com> wrote:
Docker seems to be using the 172.17.0.0/24 range, but when running sostat I see a bunch of traffic on the 172.18.0.x traffic. ip route shows "172.18.0.0/16 dev br-27f6b62cc482  proto kernel  scope link  src 172.18.0.1" but it is not listed in /etc/network/interfaces. This is causing issues because I have NAT'd traffic using IP addresses in the 172.18.x.x range. Can somebody let me know what's using this range and how to change it?

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/23788b87-2dae-4915-b171-34069d164f0e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



Chad O'Connell

May 9, 2019, 9:31:39 AM
to security-onion
On Wednesday, May 8, 2019 at 1:57:45 PM UTC-7, Wes wrote:
> Hi Chad,
>
> You may want to see the following:
>
> https://securityonion.readthedocs.io/en/latest/docker.html#bridge
>
> Thanks,
> Wes
The Docker bridge is configured for 172.17.0.0/24, but there's something using the 172.18.0.0/16 range that I can't identify.

Wes Lambert

May 10, 2019, 8:47:08 AM
to securit...@googlegroups.com
Hi Chad,

That's the docker network so-elastic-net most likely.

You could try adding something like the following to your existing daemon.json:

  "default-address-pools": [
    {"base": "10.10.0.0/16", "size": 24}
  ]


Then run:

sudo so-stop

You will have to restart Docker for the changes to take effect, then remove and re-create the docker network:

sudo service docker stop
sudo service docker start
sudo docker network remove so-elastic-net
sudo docker network create so-elastic-net --driver=bridge

Then inspect the docker network:

sudo docker network inspect so-elastic-net

After changing that, you will need to change all the places where the docker gateway ip is referenced (172.18.0.1):

Ex.

Storage node autossh config (/usr/sbin/so-autossh-start, /root/.ssh/securityonion_ssh.conf DOCKER_INTERFACE)
Storage node elasticsearch.yml
Master elasticsearch.yml
localhost:9200/_cluster/settings on the master (curl -XPUT http://\$ELASTICSEARCH_HOST:\$ELASTICSEARCH_PORT/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"$HOSTNAME": {"skip_unavailable": "true", "seeds": ["$DOCKER_INTERFACE:$REVERSE_PORT"]}}}}}')
UFW on the master server (ufw allow proto tcp from $DOCKER_NETWORK to $DOCKER_INTERFACE port $REVERSE_PORT)

You can go through the setup script in /usr/sbin/sosetup to get a better idea of how this is handled.

Make sure to restart services/reboot after you are finished.

Thanks,
Wes
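The steps above (find which Docker network owns the overlapping subnet, pick a pool base that does not collide with the NAT'd range, then hunt down configs that still reference the old 172.18.0.1 gateway) as a small checker. This is an added example, not Security Onion's own code; it assumes the JSON shape of `docker network inspect` output and uses a constructed inspect sample and a constructed elasticsearch.yml fragment.

```python
import ipaddress
import json
import re

# Constructed sample of `docker network inspect` output, trimmed to the fields used.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]}},
    {"Name": "so-elastic-net", "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]}},
    {"Name": "none", "IPAM": {"Config": None}},
])

# Constructed elasticsearch.yml fragment that still points at the old Docker gateway.
SAMPLE_ES_YML = """network.host: 0.0.0.0
discovery.zen.ping.unicast.hosts: ["172.18.0.1:9300"]
http.port: 9200
"""

def networks_overlapping(inspect_json, cidr):
    """Name, subnet and gateway of every Docker network whose subnet overlaps cidr."""
    target = ipaddress.ip_network(cidr, strict=False)
    hits = []
    for net in json.loads(inspect_json):
        # Networks such as "none"/"host" carry no IPAM config; treat that as empty.
        for cfg in (net.get("IPAM") or {}).get("Config") or []:
            subnet = ipaddress.ip_network(cfg["Subnet"], strict=False)
            if subnet.overlaps(target):
                hits.append((net["Name"], str(subnet), cfg.get("Gateway")))
    return hits

def address_pool_config(base, size, reserved):
    """Build the daemon.json entry, refusing a base that collides with a reserved range."""
    base_net = ipaddress.ip_network(base, strict=False)
    for r in reserved:
        if base_net.overlaps(ipaddress.ip_network(r, strict=False)):
            raise ValueError(f"pool {base} overlaps reserved range {r}")
    if size < base_net.prefixlen:
        raise ValueError("size must not be shorter than the base prefix")
    return {"default-address-pools": [{"base": str(base_net), "size": size}]}

def stale_gateway_lines(text, old_gateway):
    """1-based line numbers that still reference the old gateway IP as a whole address."""
    pat = re.compile(r"(?<![\d.])" + re.escape(old_gateway) + r"(?!\d)")
    return [n for n, line in enumerate(text.splitlines(), 1) if pat.search(line)]

if __name__ == "__main__":
    print(networks_overlapping(SAMPLE_INSPECT, "172.18.0.0/16"))
    print(json.dumps(address_pool_config("10.10.0.0/16", 24, ["172.17.0.0/16", "172.18.0.0/16"])))
    print(stale_gateway_lines(SAMPLE_ES_YML, "172.18.0.1"))
```

On a live box, feed `networks_overlapping` the output of `docker network inspect $(docker network ls -q)` and pass your NAT'd prefixes as `reserved` so the new pool cannot recreate the same collision.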


Chad O'Connell

May 15, 2019, 10:33:06 AM
to security-onion
Thanks for the assistance Wes. I was able to get the so-elastic network configured to use the 10.10.0.1/16 network, but for some reason the master server shows as not connected when running sostat. There are two forwarders and one storage that show as connected. Any ideas of what would cause this?

Wes Lambert

May 20, 2019, 11:17:43 AM
to securit...@googlegroups.com
Hi Chad, this is likely because of the Elasticsearch config specifying the original Docker bridge IP space.

Thanks,
Wes
