How could I bind docker container to specific external interface

Question

I have two network interfaces, eth0 and eth1,

How could I bind all docker container to eth1, and let all network traffic go out and in via the eth1

Thanks~

update

I tried to bind to the eth1 with 133.130.60.36.

But i still got no luck, i still get the eth0 IP as the public IP in the container. the network flow is not go out via eth1

➜  ~  docker run -d --name Peach_1 -p 133.130.60.36::9998 -ti sample/ubuntu-vnc-selenium-firefox

➜  ~  docker ps
CONTAINER ID        IMAGE                                 COMMAND                CREATED             STATUS              PORTS                                     NAMES
eb28f0d1c337        sample/ubuntu-vnc-selenium-firefox   "/opt/bin/run_sele_s   4 minutes ago       Up 4 minutes        5901/tcp, 133.130.60.36:32768->9998/tcp   Peach_1

➜  ~  docker exec -ti Peach_1 zsh

➜  /  curl ipecho.net/plain ; echo
133.130.101.114

Answer 1

Here's something from the docker docs

https://docs.docker.com/v17.09/engine/userguide/networking/default_network/binding/

If you want to be more restrictive and only allow container services to be contacted through a specific external interface on the host machine, you have two choices. When you invoke docker run you can use either -p IP:host_port:container_port or -p IP::port to specify the external interface for one particular binding. Or if you always want Docker port forwards to bind to one specific IP address, you can edit your system-wide Docker server settings and add the option --ip=IP_ADDRESS. Remember to restart your Docker server after editing this setting.

Answer 2

Putting IP in -p only works for traffic that comes to server, for traffic that leaving server you can assign static local IP to each container, Then change source IP in iptables or snat. Here is a sample iptables rule:

iptables -t nat -I POSTROUTING -p all -s 172.20.128.2 ! -d 172.20.128.2 -j SNAT --to-source YourInterfaceIP