I'm not an heavy user of Unix based systems. And I have some trouble opening a server's port (80) to the public and redirect it to a running container.
So basically, I have a running container on a running Ubuntu server (IP 167.86.106.109), the IP of the container is 127.0.200.1 (and port 80 is open).
Running TELNET 127.0.200.1 80
on 167.86.106.109 and I'm able to do a GET that return 200. From outside I have a timeout
I've done the following but I still cannot access 167.86.106.109 on port 80 from outside (timeout error) :
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80
iptables -t nat -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A OUTPUT -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80
iptables-save > /etc/iptables.rules
ufw allow http
Obviously, I've done something wrong, but what ?
Output of docker ps
:
2f7617d72299 polk-auction-ui:latest "/docker-entrypoint.…" 52 minutes ago Up 52 minutes 127.0.200.1:80->80/tcp polk-auction-ui
This is on Ubuntu 20.04 (64 Bit). The container is a Docker container (v 20.10.14)
More info about my current setup:
The OS (IP 167.86.106.109) is running on a VPS, the docker container I want to reach from outside is running a nginx with the following configuration:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
gzip on;
#include /etc/nginx/conf.d/*.conf;
server {
listen 80;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
try_files $uri $uri/ /index.html;
#try_files $uri =404;
}
}
}
The result of ufw status verbose
:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
30333 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
30333 (v6) ALLOW IN Anywhere (v6)
The output of iptables -L -v -n
: (A lot is coming from docker itself)
Chain INPUT (policy DROP 37 packets, 2168 bytes)
pkts bytes target prot opt in out source destination
32669 4524K f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
2374K 1737M ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
2374K 1737M ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
274K 16M ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
262K 16M ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
262K 16M ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
262K 16M ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
167M 118G DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
167M 118G DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
888K 166M ACCEPT all -- * br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
19186 1150K DOCKER all -- * br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-4c0567f529d0 !br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
19186 1150K ACCEPT all -- br-4c0567f529d0 br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
51M 59G ACCEPT all -- * br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3433 971K DOCKER all -- * br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
39M 3429M ACCEPT all -- br-56fce7b8bc16 !br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
3397 969K ACCEPT all -- br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
42M 53G ACCEPT all -- * br-9316082e3f65 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3397 969K DOCKER all -- * br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
33M 2699M ACCEPT all -- br-9316082e3f65 !br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
3397 969K ACCEPT all -- br-9316082e3f65 br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
37132 233M ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
13310 1453K ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1835K 83M ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
1835K 83M ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-9316082e3f65 br-9316082e3f65 0.0.0.0/0 172.18.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 172.19.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !br-4c0567f529d0 br-4c0567f529d0 0.0.0.0/0 172.20.0.2 tcp dpt:3306
0 0 ACCEPT tcp -- !br-4c0567f529d0 br-4c0567f529d0 0.0.0.0/0 172.20.0.3 tcp dpt:8080
0 0 ACCEPT tcp -- !br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 172.19.0.5 tcp dpt:30333
0 0 ACCEPT tcp -- !br-9316082e3f65 br-9316082e3f65 0.0.0.0/0 172.18.0.5 tcp dpt:30333
0 0 ACCEPT tcp -- !br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 172.19.0.3 tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-4c0567f529d0 !br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
39M 3429M DOCKER-ISOLATION-STAGE-2 all -- br-56fce7b8bc16 !br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
33M 2699M DOCKER-ISOLATION-STAGE-2 all -- br-9316082e3f65 !br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
13310 1453K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
167M 118G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (4 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
73M 6129M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
167M 118G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
28666 4185K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
81 4104 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
11583 599K ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
12797 753K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
5083 453K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
41195 5355K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4634 827K ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
4634 827K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
4586 357K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
211K 74M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
1823K 109M ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
1823K 109M ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
5089 453K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
1722K 74M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2488 227K ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
3643 763K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
671 48807 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
1823K 109M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
11664 603K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
346 43729 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
1599 153K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
2237 132K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2240 114K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
1663K 100M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30333
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:30333
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
EDIT:
The docker-compose used :
version: "3.8"
networks:
polkadot:
external: true
kusama:
external: true
services:
polk-auction-ui:
image: polk-auction-ui:latest
container_name: polk-auction-ui
ports:
- "127.0.200.1:80:80"
networks:
- polkadot
- kusama
image is built like this :
# Build step
FROM node:14 as build
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn install
COPY . ./
RUN yarn build:prod
# Run step
FROM nginx:stable-alpine
COPY nginx.conf /etc/nginx/nginx.conf
COPY --from=build /app/dist /usr/share/nginx/html
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]