Score:0

Cannot access docker container from outside the OS that is running it


I'm not a heavy user of Unix-based systems, and I have some trouble opening a server's port (80) to the public and redirecting it to a running container.

So basically, I have a running container on a running Ubuntu server (IP 167.86.106.109), the IP of the container is 127.0.200.1 (and port 80 is open).

Running telnet 127.0.200.1 80 on 167.86.106.109, I'm able to do a GET that returns 200. From outside I get a timeout.

I've done the following, but I still cannot access 167.86.106.109 on port 80 from outside (timeout error):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80

iptables -t nat -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A POSTROUTING -t nat -j MASQUERADE

iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

iptables -t nat -A OUTPUT -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80

iptables-save > /etc/iptables.rules

ufw allow http

Obviously, I've done something wrong, but what?

Output of docker ps:

2f7617d72299   polk-auction-ui:latest   "/docker-entrypoint.…"   52 minutes ago   Up 52 minutes   127.0.200.1:80->80/tcp   polk-auction-ui

This is on Ubuntu 20.04 (64-bit). The container is a Docker container (Docker v20.10.14).

More info about my current setup:

The OS (IP 167.86.106.109) is running on a VPS; the Docker container I want to reach from outside is running an nginx with the following configuration:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;
    gzip  on;
    #include /etc/nginx/conf.d/*.conf;
    
    server {
      listen 80;
      location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        try_files $uri $uri/ /index.html;
        #try_files $uri =404;
      }
    }
}

The result of ufw status verbose:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
30333                      ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
30333 (v6)                 ALLOW IN    Anywhere (v6)

The output of iptables -L -v -n (a lot of it comes from Docker itself):

Chain INPUT (policy DROP 37 packets, 2168 bytes)
 pkts bytes target     prot opt in     out     source               destination
32669 4524K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
2374K 1737M ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2374K 1737M ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 274K   16M ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 262K   16M ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 262K   16M ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 262K   16M ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 167M  118G DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 167M  118G DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 888K  166M ACCEPT     all  --  *      br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
19186 1150K DOCKER     all  --  *      br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-4c0567f529d0 !br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0
19186 1150K ACCEPT     all  --  br-4c0567f529d0 br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0
  51M   59G ACCEPT     all  --  *      br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 3433  971K DOCKER     all  --  *      br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0
  39M 3429M ACCEPT     all  --  br-56fce7b8bc16 !br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0
 3397  969K ACCEPT     all  --  br-56fce7b8bc16 br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0
  42M   53G ACCEPT     all  --  *      br-9316082e3f65  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 3397  969K DOCKER     all  --  *      br-9316082e3f65  0.0.0.0/0            0.0.0.0/0
  33M 2699M ACCEPT     all  --  br-9316082e3f65 !br-9316082e3f65  0.0.0.0/0            0.0.0.0/0
 3397  969K ACCEPT     all  --  br-9316082e3f65 br-9316082e3f65  0.0.0.0/0            0.0.0.0/0
37132  233M ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
13310 1453K ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1835K   83M ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1835K   83M ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2843  253K ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2843  253K ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2843  253K ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2843  253K ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-9316082e3f65 br-9316082e3f65  0.0.0.0/0            172.18.0.2           tcp dpt:8080
    0     0 ACCEPT     tcp  --  !br-56fce7b8bc16 br-56fce7b8bc16  0.0.0.0/0            172.19.0.2           tcp dpt:8080
    0     0 ACCEPT     tcp  --  !br-4c0567f529d0 br-4c0567f529d0  0.0.0.0/0            172.20.0.2           tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-4c0567f529d0 br-4c0567f529d0  0.0.0.0/0            172.20.0.3           tcp dpt:8080
    0     0 ACCEPT     tcp  --  !br-56fce7b8bc16 br-56fce7b8bc16  0.0.0.0/0            172.19.0.5           tcp dpt:30333
    0     0 ACCEPT     tcp  --  !br-9316082e3f65 br-9316082e3f65  0.0.0.0/0            172.18.0.5           tcp dpt:30333
    0     0 ACCEPT     tcp  --  !br-56fce7b8bc16 br-56fce7b8bc16  0.0.0.0/0            172.19.0.3           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-4c0567f529d0 !br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0         
  39M 3429M DOCKER-ISOLATION-STAGE-2  all  --  br-56fce7b8bc16 !br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0         
  33M 2699M DOCKER-ISOLATION-STAGE-2  all  --  br-9316082e3f65 !br-9316082e3f65  0.0.0.0/0            0.0.0.0/0         
13310 1453K DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
 167M  118G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-9316082e3f65  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
  73M 6129M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 167M  118G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
28666 4185K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
   81  4104 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
11583  599K ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
12797  753K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5083  453K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
41195 5355K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 4634  827K ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 4634  827K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
 4586  357K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 211K   74M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
1823K  109M ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
1823K  109M ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5089  453K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
1722K   74M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 2488  227K ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination
 3643  763K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
  671 48807 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
1823K  109M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination
11664  603K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  346 43729 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
 1599  153K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2237  132K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
 2240  114K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
1663K  100M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30333
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:30333

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

EDIT:

The docker-compose file used:

version: "3.8"

networks:
    polkadot:
        external: true
    kusama:
        external: true

services: 
    polk-auction-ui:
        image: polk-auction-ui:latest
        container_name: polk-auction-ui
        ports:
            - "127.0.200.1:80:80"
        networks:
            - polkadot
            - kusama

The image is built like this:

# Build step
FROM node:14 as build
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn install
COPY . ./
RUN yarn build:prod

# Run step
FROM nginx:stable-alpine
COPY nginx.conf /etc/nginx/nginx.conf
COPY --from=build /app/dist /usr/share/nginx/html
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

BMitch: Why not publish the port? `-p 80:$containerport`

Cromm: @BMitch Can you expand on this? Sorry, I'm not sure I understand how to publish the port. Note that the port of the container is already mapped on port 80 of the host.

BMitch: We need to see how you run the container. Include that command (or YAML file) in your question.

Cromm: I've edited the question to add the docker-compose file and the Dockerfile used to build the image (if that matters).

Score:1

127.0.0.0/8 is the loopback interface, aka localhost. To publish on all interfaces, you can remove the IP address from the published port:

version: "3.8"

networks:
    polkadot:
        external: true
    kusama:
        external: true

services: 
    polk-auction-ui:
        image: polk-auction-ui:latest
        container_name: polk-auction-ui
        ports:
            - "80:80"
        networks:
            - polkadot
            - kusama

Michael Dewar: You're a lifesaver!
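The answer's point is that the host address in front of a published port decides who can reach it. As an added example (not code from the original post or from Docker), here is a parser for the short `ports:` syntax used in the compose file above, plus a classifier for the bind address; the `PublishedPort` type and the `exposure` labels are my own names.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class PublishedPort:
    host_ip: str         # address Docker binds on the host ("0.0.0.0" when omitted)
    host_port: str       # "" when Docker is left to pick an ephemeral port
    container_port: str
    proto: str


def parse_port_mapping(spec: str) -> PublishedPort:
    """Parse Docker's short syntax: [HOST_IP:]HOST_PORT:CONTAINER_PORT[/PROTO].

    Port ranges (e.g. "8000-8010:8000-8010") are not handled here.
    """
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    # IPv6 host addresses are written in brackets, e.g. "[::1]:80:80"
    if spec.startswith("["):
        end = spec.index("]")
        host_ip = spec[1:end]
        host_port, container_port = spec[end + 2:].split(":")  # skip "]:"
        return PublishedPort(host_ip, host_port, container_port, proto)
    parts = spec.split(":")
    if len(parts) == 3:
        return PublishedPort(parts[0], parts[1], parts[2], proto)
    if len(parts) == 2:
        # no host IP: Docker binds on all interfaces
        return PublishedPort("0.0.0.0", parts[0], parts[1], proto)
    if len(parts) == 1:
        # bare container port: ephemeral host port on all interfaces
        return PublishedPort("0.0.0.0", "", parts[0], proto)
    raise ValueError(f"unrecognised port mapping: {spec!r}")


def exposure(mapping: PublishedPort) -> str:
    """Classify who can reach the host side of a published port."""
    addr = ipaddress.ip_address(mapping.host_ip)
    if addr.is_loopback:
        # 127.0.0.0/8 or ::1 (the question's 127.0.200.1 falls here):
        # only processes on the host itself can connect, never the network
        return "host-only"
    if addr.is_unspecified:
        # 0.0.0.0 or :: (the answer's "80:80"): reachable from every interface
        return "all-interfaces"
    # a specific interface address, e.g. the VPS's public IP
    return "single-address"


def audit(specs: list[str]) -> dict[str, str]:
    """Map each compose `ports:` entry to its exposure class."""
    return {spec: exposure(parse_port_mapping(spec)) for spec in specs}


if __name__ == "__main__":
    # constructed sample: the question's entry beside the answer's fix
    for spec, cls in audit(["127.0.200.1:80:80", "80:80"]).items():
        print(f"{spec:20} -> {cls}")
```

Once the port is published on all interfaces, Docker's ACCEPT rule lands in its DOCKER chain, which the FORWARD listing above consults before any ufw-* chain, so ufw's rules do not restrict published container ports; limit exposure through the bind address or with rules in DOCKER-USER.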