I'm not a heavy user of Unix-based systems, and I have some trouble opening a server's port (80) to the public and redirecting it to a running container.
So basically, I have a running container on a running Ubuntu server (IP 167.86.106.109); the IP of the container is 127.0.200.1 (and port 80 is open).
Running `telnet 127.0.200.1 80` on 167.86.106.109, I'm able to do a GET that returns 200. From outside I get a timeout.
I've done the following, but I still cannot access 167.86.106.109 on port 80 from outside (timeout error):

```sh
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80
iptables -t nat -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A OUTPUT -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80
iptables-save > /etc/iptables.rules
ufw allow http
```
Obviously, I've done something wrong, but what?

Output of `docker ps`:

```
2f7617d72299 polk-auction-ui:latest "/docker-entrypoint.…" 52 minutes ago Up 52 minutes 127.0.200.1:80->80/tcp polk-auction-ui
```
This is on Ubuntu 20.04 (64-bit). The container is a Docker container (v20.10.14).

More info about my current setup:

The OS (IP 167.86.106.109) is running on a VPS; the Docker container I want to reach from outside is running an nginx with the following configuration:

```nginx
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    gzip on;
    #include /etc/nginx/conf.d
}
```
The result of `ufw status verbose`:

```
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
30333                      ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
30333 (v6)                 ALLOW IN    Anywhere (v6)
```
The output of `iptables -L -v -n` (a lot is coming from Docker itself; the in/out/source/destination columns were lost when pasting):

```
Chain INPUT (policy DROP 37 packets, 2168 bytes)
 pkts bytes target     prot opt in     out     source               destination
32669 4524K f2b-sshd   tcp
2374K 1737M ufw-before-logging-input all
2374K 1737M ufw-before-input all
 274K   16M ufw-after-input all
 262K   16M ufw-after-logging-input all
 262K   16M ufw-reject-input all
 262K   16M ufw-track-input all
    0     0 ACCEPT     tcp

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 167M  118G DOCKER-USER all
 167M  118G DOCKER-ISOLATION-STAGE-1 all
 888K  166M ACCEPT     all
19186 1150K DOCKER     all
    0     0 ACCEPT     all
19186 1150K ACCEPT     all
  51M   59G ACCEPT     all
 3433  971K DOCKER     all
  39M 3429M ACCEPT     all
 3397  969K ACCEPT     all
  42M   53G ACCEPT     all
 3397  969K DOCKER     all
  33M 2699M ACCEPT     all
 3397  969K ACCEPT     all
37132  233M ACCEPT     all
    0     0 DOCKER     all
13310 1453K ACCEPT     all
    0     0 ACCEPT     all
    0     0 ufw-before-logging-forward all
    0     0 ufw-before-forward all
    0     0 ufw-after-forward all
    0     0 ufw-after-logging-forward all
    0     0 ufw-reject-forward all
    0     0 ufw-track-forward all

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1835K   83M ufw-before-logging-output all
1835K   83M ufw-before-output all
 2843  253K ufw-after-output all
 2843  253K ufw-after-logging-output all
 2843  253K ufw-reject-output all
 2843  253K ufw-track-output all

Chain DOCKER (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp
    0     0 ACCEPT     tcp
    0     0 ACCEPT     tcp
    0     0 ACCEPT     tcp
    0     0 ACCEPT     tcp
    0     0 ACCEPT     tcp
    0     0 ACCEPT     tcp

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2 all
  39M 3429M DOCKER-ISOLATION-STAGE-2 all
  33M 2699M DOCKER-ISOLATION-STAGE-2 all
13310 1453K DOCKER-ISOLATION-STAGE-2 all
 167M  118G RETURN     all

Chain DOCKER-ISOLATION-STAGE-2 (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all
    0     0 DROP       all
    0     0 DROP       all
    0     0 DROP       all
  73M 6129M RETURN     all

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 167M  118G RETURN     all

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
28666 4185K RETURN     all

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ufw-skip-to-policy-input udp
    0     0 ufw-skip-to-policy-input udp
   81  4104 ufw-skip-to-policy-input tcp
11583  599K ufw-skip-to-policy-input tcp
    0     0 ufw-skip-to-policy-input udp
    0     0 ufw-skip-to-policy-input udp
    0     0 ufw-skip-to-policy-input all

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
12797  753K LOG        all

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all
    0     0 ACCEPT     icmp
    0     0 ACCEPT     icmp
    0     0 ACCEPT     icmp
    0     0 ACCEPT     icmp
    0     0 ufw-user-forward all

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5083  453K ACCEPT     all
41195 5355K ACCEPT     all
 4634  827K ufw-logging-deny all
 4634  827K DROP       all
    0     0 ACCEPT     icmp
    0     0 ACCEPT     icmp
    0     0 ACCEPT     icmp
 4586  357K ACCEPT     icmp
 211K   74M ACCEPT     udp
1823K  109M ufw-not-local all
    0     0 ACCEPT     udp
    0     0 ACCEPT     udp
1823K  109M ufw-user-input all

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5089  453K ACCEPT     all
1722K   74M ACCEPT     all
 2488  227K ufw-user-output all

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination
 3643  763K RETURN     all
  671 48807 LOG        all

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
1823K  109M RETURN     all
    0     0 RETURN     all
    0     0 RETURN     all
    0     0 ufw-logging-deny all
    0     0 DROP       all

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination
11664  603K DROP       all

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  346 43729 ACCEPT     tcp
 1599  153K ACCEPT     udp

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2237  132K ACCEPT     tcp
 2240  114K ACCEPT     tcp
1663K  100M ACCEPT     tcp
    0     0 ACCEPT     udp

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all
    0     0 REJECT     all

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
```
EDIT:

The docker-compose file used:

```yaml
version: "3.8"
networks:
  polkadot:
    external: true
  kusama:
    external: true
services:
  polk-auction-ui:
    image: polk-auction-ui:latest
    container_name: polk-auction-ui
    ports:
      - "127.0.200.1:80:80"
    networks:
      - polkadot
      - kusama
```
The image is built like this:

```dockerfile
FROM node:14 as build
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn install
COPY . ./
RUN yarn build:prod

FROM nginx:stable-alpine
COPY nginx.conf /etc/nginx/nginx.conf
COPY --from=build /app/dist /usr/share/nginx/html
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
```
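The question above hinges on one detail that is easy to miss: the compose file publishes the container port on 127.0.200.1, which is a loopback address, so Docker's own DNAT only makes it reachable from the host itself, and the hand-written PREROUTING rule then tries to DNAT traffic arriving on eth0 into 127/8. The script below is an added example (not part of the original post or of the polk-auction-ui project) that audits exactly those two facts before any firewall rule is changed: it classifies the bind address of a `docker ps` port mapping, extracts the target of a DNAT rule and flags a loopback target, and prints the two sysctls (`ip_forward` and the per-interface `route_localnet`) that decide whether a DNAT into 127/8 can work at all; the Linux kernel otherwise treats such packets as martians and drops them. The mapping string and the rule are copied from the question; the interface name `eth0` is the one the question uses. Binding a published port to loopback is the safer default for anything that should not be public, which is why this check reports it rather than "fixing" it.

```sh
#!/bin/sh
# Added example, not from the original post: audit whether a published
# container port can be reached from outside the host before touching
# iptables. Sample inputs are copied from the question; nothing is modified.

# classify_addr ADDR -> loopback | wildcard | host
classify_addr() {
  case "$1" in
    127.*|::1|'[::1]')  echo loopback ;;
    0.0.0.0|'[::]'|'*') echo wildcard ;;
    *)                  echo host ;;
  esac
}

# mapping_bind_addr '127.0.200.1:80->80/tcp' -> 127.0.200.1
mapping_bind_addr() {
  printf '%s\n' "$1" | sed -E 's/^(.*):[0-9]+->[0-9]+\/(tcp|udp)$/\1/'
}

# mapping_host_port '127.0.200.1:80->80/tcp' -> 80
mapping_host_port() {
  printf '%s\n' "$1" | sed -E 's/^.*:([0-9]+)->[0-9]+\/(tcp|udp)$/\1/'
}

# audit_mapping MAPPING -> prints a verdict; exit 0 if other hosts can reach
# the port without extra NAT, 1 if it is host-local only.
audit_mapping() {
  addr=$(mapping_bind_addr "$1")
  port=$(mapping_host_port "$1")
  case "$(classify_addr "$addr")" in
    loopback)
      echo "$1: bound to loopback $addr, host port $port is local-only"
      return 1 ;;
    wildcard)
      echo "$1: bound on every interface, host port $port is exposed (Docker adds its own DNAT)"
      return 0 ;;
    host)
      echo "$1: bound to $addr, host port $port is reachable on that interface"
      return 0 ;;
  esac
}

# dnat_target RULE -> the --to / --to-destination address of a DNAT rule
# (port stripped), or an empty string if the rule is not a DNAT rule.
dnat_target() {
  printf '%s\n' "$1" | sed -nE 's/.*-j DNAT +--to(-destination)? +([^: ]+)(:[0-9]+)?.*/\2/p'
}

# audit_dnat_rule RULE -> exit 1 if the rule forwards into 127/8, which the
# kernel refuses for packets arriving on a real interface unless
# net.ipv4.conf.<iface>.route_localnet=1 is set; 2 if it is not a DNAT rule.
audit_dnat_rule() {
  target=$(dnat_target "$1")
  [ -n "$target" ] || { echo "not a DNAT rule: $1"; return 2; }
  if [ "$(classify_addr "$target")" = loopback ]; then
    echo "DNAT to loopback $target: needs route_localnet=1 on the ingress interface"
    return 1
  fi
  echo "DNAT to $target: routable target"
  return 0
}

# show_localnet_sysctls IFACE -> print the two sysctls that decide whether a
# DNAT into 127/8 can work. Reads /proc only; never writes.
show_localnet_sysctls() {
  for f in /proc/sys/net/ipv4/ip_forward "/proc/sys/net/ipv4/conf/$1/route_localnet"; do
    if [ -r "$f" ]; then
      printf '%s = %s\n' "$f" "$(cat "$f")"
    else
      printf '%s = (not readable here)\n' "$f"
    fi
  done
}

# Sample input copied from the question (PORTS column and PREROUTING rule).
SAMPLE_MAPPING='127.0.200.1:80->80/tcp'
SAMPLE_RULE='-A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80'

audit_mapping "$SAMPLE_MAPPING" || true
audit_dnat_rule "$SAMPLE_RULE" || true
show_localnet_sysctls eth0
```

Run it on the VPS as-is to see the verdicts for the question's own mapping and rule; to audit a live host, feed it the PORTS column of `docker ps` and the DNAT lines of `iptables-save -t nat` instead of the constants. A non-zero exit from `audit_mapping` means the container was never published to the outside by Docker, and a non-zero exit from `audit_dnat_rule` means the hand-written rule targets an address the kernel will not route to from eth0 without `route_localnet`.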