Score:2

Docker service unreachable on host-IP, but works on localhost


I have a similar problem to this post here, though I don't think my IP ranges collide: https://forums.docker.com/t/service-is-unreachable-on-host-ip-localhost-works/78515

I'm exposing a webserver via docker on port 443 and I can access it via 127.0.0.1:443 as well as from outside the host. I cannot access that webserver via the host IP and I am pulling my hair out why this may be.

To make things reproducible, let me fire up a netcat container (that is listening on all interfaces inside the container) - I have the same problem on port 443 obviously:

$ docker run -ti --rm -p 8182:8182 chilcano/netcat:jessie -vvl -p 8182
->>>>>> (Executing '/bin/netcat -vvl -p 8182') <<<<<<-
listening on [any] 8182 ...

Docker is listening on all local interfaces on 8182 ✅

$  lsof -i :8182
COMMAND     PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
docker-pr 11152 root    4u  IPv4 1183427772      0t0  TCP *:8182 (LISTEN)

Connecting to netcat in docker from the host works when using localhost ✅

$  nc -vz 127.0.0.1 8182
localhost [127.0.0.1] 8182 open

The problem starts when using the local host's IP and trying to reach the docker container like that ❌

$  nc -vz 192.168.176.111 8182
ramirez.domain.local [192.168.176.111] 8182: Network is unreachable

I can ping the host just fine and access other things that run on the host via its IP (e.g. when running `netcat -vvl -p 8182` directly on the host instead of in the docker container, everything works).

When calling the same IP from another device in the network, everything works ✅, so this is a local problem of the docker host.

$  nc -vz 192.168.176.111 8182
Connection to 192.168.176.111 8182 port [tcp/*] succeeded!

The routing table as well as iptables looks fine to me, but I'm no expert.

$ ip a
# anonymized mac address
6: ovs_eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.176.111/24 brd 192.168.176.255 scope global ovs_eth0
       valid_lft forever preferred_lft forever

route:

$  ip route
default via 192.168.176.1 dev ovs_eth0  src 192.168.176.111
169.254.0.0/16 dev ovs_eth1  proto kernel  scope link  src 169.254.106.154 dead linkdown
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1
192.168.127.0/24 dev docker-976f9fbf  proto kernel  scope link  src 192.168.127.1
192.168.128.0/24 dev docker-bd2edfee  proto kernel  scope link  src 192.168.128.1
192.168.176.0/24 dev ovs_eth0  proto kernel  scope link  src 192.168.176.111
192.168.254.0/24 dev docker-2de11f77  proto kernel  scope link  src 192.168.254.1

iptables:

$  iptables -L -v -n
Chain INPUT (policy ACCEPT 78080 packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination
 210M  299G DOS_PROTECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 218M  241G DEFAULT_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 76525 packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DEFAULT_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
 230K  276M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 231K  276M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker-8cfed06e  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker-8cfed06e  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker-8cfed06e !docker-8cfed06e  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker-8cfed06e docker-8cfed06e  0.0.0.0/0            0.0.0.0/0
7254K   23G ACCEPT     all  --  *      docker-f06ef418  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
19005 1140K DOCKER     all  --  *      docker-f06ef418  0.0.0.0/0            0.0.0.0/0
4614K 1362M ACCEPT     all  --  docker-f06ef418 !docker-f06ef418  0.0.0.0/0            0.0.0.0/0
19005 1140K ACCEPT     all  --  docker-f06ef418 docker-f06ef418  0.0.0.0/0            0.0.0.0/0
2270K 2424M ACCEPT     all  --  *      docker-f95cea99  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
1549K  101M DOCKER     all  --  *      docker-f95cea99  0.0.0.0/0            0.0.0.0/0
1814K 1273M ACCEPT     all  --  docker-f95cea99 !docker-f95cea99  0.0.0.0/0            0.0.0.0/0
1549K  101M ACCEPT     all  --  docker-f95cea99 docker-f95cea99  0.0.0.0/0            0.0.0.0/0
  14M 8442M ACCEPT     all  --  *      docker-45bb17c5  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
14118  846K DOCKER     all  --  *      docker-45bb17c5  0.0.0.0/0            0.0.0.0/0
 7237  714K ACCEPT     all  --  docker-45bb17c5 !docker-45bb17c5  0.0.0.0/0            0.0.0.0/0
14118  846K ACCEPT     all  --  docker-45bb17c5 docker-45bb17c5  0.0.0.0/0            0.0.0.0/0
 5238   23M ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
 3332  216K ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !docker-45bb17c5 docker-45bb17c5  0.0.0.0/0            192.168.254.254      tcp dpt:2375
    0     0 ACCEPT     tcp  --  !docker-f95cea99 docker-f95cea99  0.0.0.0/0            192.168.127.127      tcp dpt:8888
    0     0 ACCEPT     tcp  --  !docker-f95cea99 docker-f95cea99  0.0.0.0/0            192.168.127.168      tcp dpt:8080
    0     0 ACCEPT     tcp  --  !docker-f95cea99 docker-f95cea99  0.0.0.0/0            192.168.127.168      tcp dpt:443
    0     0 ACCEPT     tcp  --  !docker-f95cea99 docker-f95cea99  0.0.0.0/0            192.168.127.168      tcp dpt:80
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:8182

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker-8cfed06e !docker-8cfed06e  0.0.0.0/0            0.0.0.0/0
4614K 1362M DOCKER-ISOLATION-STAGE-2  all  --  docker-f06ef418 !docker-f06ef418  0.0.0.0/0            0.0.0.0/0
1814K 1273M DOCKER-ISOLATION-STAGE-2  all  --  docker-f95cea99 !docker-f95cea99  0.0.0.0/0            0.0.0.0/0
 7237  714K DOCKER-ISOLATION-STAGE-2  all  --  docker-45bb17c5 !docker-45bb17c5  0.0.0.0/0            0.0.0.0/0
 3332  216K DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
 211M  239G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker-8cfed06e  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker-f06ef418  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker-f95cea99  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker-45bb17c5  0.0.0.0/0            0.0.0.0/0
98306 8258K DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
  38M   19G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 211M  239G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOS_PROTECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   13   876 RETURN     icmp --  ovs_eth0 *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1000/sec burst 5
    0     0 DROP       icmp --  ovs_eth0 *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 270K   11M RETURN     tcp  --  ovs_eth0 *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04 limit: avg 1/sec burst 5
16881  675K DROP       tcp  --  ovs_eth0 *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04
 347K   20M RETURN     tcp  --  ovs_eth0 *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 10000/sec burst 100
    0     0 DROP       tcp  --  ovs_eth0 *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
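The "Network is unreachable" text is the ENETUNREACH errno that `nc` gets back from connect(). The kernel returns it when its route lookup finds no usable route for the destination (or when a REJECT rule answers with an ICMP net-unreachable, which the empty OUTPUT chain above rules out); a plain filter DROP shows up as a timeout instead, so the symptom points at routing before it points at the filter table. The script below is an added illustration, not part of the question and not Docker's code: it models the kernel's lookup order (local table first, then main, longest prefix wins, routes flagged dead skipped) over the `ip route` table quoted above plus a constructed sample of the local table, which the question does not show but which is what makes 127.0.0.1 and the host's own addresses deliverable locally. On the real host the equivalent checks are `ip route get 192.168.176.111`, `ip route show table local`, and `ip rule show` (policy rules can send a lookup to another table).

```python
"""Model of the Linux FIB lookup behind 'Network is unreachable'.

Added illustration; the main table is the one pasted in the question,
the local table is a constructed sample (the question does not include
it). The real-world equivalent of lookup() is `ip route get <dst>`.
"""
import ipaddress
import re

# Main table exactly as shown by `ip route` in the question.
MAIN_TABLE = """\
default via 192.168.176.1 dev ovs_eth0  src 192.168.176.111
169.254.0.0/16 dev ovs_eth1  proto kernel  scope link  src 169.254.106.154 dead linkdown
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1
192.168.127.0/24 dev docker-976f9fbf  proto kernel  scope link  src 192.168.127.1
192.168.128.0/24 dev docker-bd2edfee  proto kernel  scope link  src 192.168.128.1
192.168.176.0/24 dev ovs_eth0  proto kernel  scope link  src 192.168.176.111
192.168.254.0/24 dev docker-2de11f77  proto kernel  scope link  src 192.168.254.1
"""

# Constructed sample of `ip route show table local` for such a host.
# The kernel consults this table before main; its entries are what
# deliver 127.0.0.1 and the host's own addresses locally.
LOCAL_TABLE = """\
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 172.17.0.1 dev docker0  proto kernel  scope host  src 172.17.0.1
local 192.168.176.111 dev ovs_eth0  proto kernel  scope host  src 192.168.176.111
broadcast 192.168.176.255 dev ovs_eth0  proto kernel  scope link  src 192.168.176.111
"""

ROUTE_RE = re.compile(
    r"^(?:(?P<type>local|broadcast|unicast)\s+)?(?P<dst>default|\S+)"
    r"(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)(?P<rest>.*)$"
)


def parse_table(text):
    """Parse `ip route` style lines into (network, type, dev, via, dead) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        dead = " dead" in m.group("rest")  # 'dead linkdown' routes are never selected
        routes.append((net, m.group("type") or "unicast", m.group("dev"), m.group("via"), dead))
    return routes


def lookup(dst, tables):
    """Longest-prefix match over the tables in order.

    Returns (table, type, dev, via) for the winning route, or the string
    'ENETUNREACH' when no table holds a usable route: the condition that
    nc reports as 'Network is unreachable'.
    """
    addr = ipaddress.ip_address(dst)
    for name, routes in tables:
        best = None
        for net, rtype, dev, via, dead in routes:
            if dead or addr not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, rtype, dev, via)
        if best is not None:
            return (name, best[1], best[2], best[3])
    return "ENETUNREACH"


# Lookup order the kernel uses by default: local (priority 0) before main.
TABLES = [("local", parse_table(LOCAL_TABLE)), ("main", parse_table(MAIN_TABLE))]

# Same main table with the default route removed and no local table, to
# show the one situation in which the lookup itself fails.
NO_DEFAULT = [("main", [r for r in parse_table(MAIN_TABLE) if r[0].prefixlen > 0])]


def explain(dst, tables=TABLES):
    """Human-readable version of lookup(), mirroring `ip route get`."""
    r = lookup(dst, tables)
    if r == "ENETUNREACH":
        return f"{dst}: ENETUNREACH (no route in any table)"
    table, rtype, dev, via = r
    hop = f" via {via}" if via else ""
    return f"{dst}: table {table}, {rtype} route, dev {dev}{hop}"


if __name__ == "__main__":
    for d in ("127.0.0.1", "192.168.176.111", "172.17.0.2", "169.254.1.1", "8.8.8.8"):
        print(explain(d))
    print(explain("8.8.8.8", NO_DEFAULT))
```

With the tables above, both 127.0.0.1 and 192.168.176.111 resolve in the local table and 172.17.0.2 (the container) resolves via docker0, so a lookup over these two tables cannot fail for the host IP; if `ip route get 192.168.176.111` on the real host nevertheless reports unreachable, the entry the kernel is missing or diverting is in the local table or in a policy rule, not in the filter rules listed with `iptables -L`.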
A.B: There are other rules anyways. The reproducible way to communicate the iptables rules is with `iptables-save -c`, which will dump all tables (not just the filter table) and can then be reloaded in one command (`iptables-restore`). Using `-L -n` both doesn't display all tables and leaves people figuring out the actual original rules.

Show `iptables -L -v -n`.

I updated with `iptables -L -v -n`.

Are you on a "home" network? If so, many home routers don't allow accessing your own external IP. See https://superuser.com/q/1047745/2013 Try using a web proxy like https://hidester.com/proxy/

The IP I'm trying to access is the internal IP, not the external IP, i.e. it is just the IP the router assigns my docker host (in this case it's static). When using the external WAN IP everything works.