prerouting iptables rules interfere with docker container networking

[cainlevy]

When using Prax to provide DNS for a local Docker container, my iptables -t nat -L looks like:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 20559
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 20558

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
REDIRECT   tcp  --  anywhere             localhost            tcp dpt:http redir ports 20559
REDIRECT   tcp  --  anywhere             localhost            tcp dpt:https redir ports 20558

[truncated]

With this setup, I'm able to access myapp.dev running inside the Docker container, but my app is unable to connect to port 80 or 443 in the outside world.

Removing Prax's PREROUTING rules fixes the Docker container's networking while still allowing local access to myapp.dev. Are the PREROUTING rules necessary for anything crucial? If I've only sacrificed xip.io support or something, that's fine with me.

related: #90
possibly related: moby/moby#5577

[ysbaddaden]

The PREROUTING rules are required for remote access to your server with transparent redirections to the 20559 (http) and 20558 (https) ports. I'm using it combined with Prax for tablets and mobile access. You can remove them. You may also remove the local rules and always deal with the ports.

BTW: I don't have any routing problems using LXC (which Docker is built on) and Vagrant.