At least with my setup, exposing the ports for using one external srsenb setup with physical phones and an internal srsenb_zmq for srsue does not work, because then the srsenb_zmq container can't connect to the MME. The SCTP connection gets to the INIT / INIT_ACK stage, and that's it.
Solution: Docker adds this iptables rule
This rule basically breaks the checksum for internal packets in some weird way. The fix in my case is to just remove that rule, or change it by ensuring it does not apply to traffic targeting the Docker subnet.
I just thought I might add this information here in case someone else hits that issue; debugging that was not easy.
See the related moby issue https://github.com/moby/moby/issues/47952 and the code comment pointing at the kernel commit and reason.