Score:0

iptables firewall not allowing connections on port 8080 even though it is open (Docker)

user1000756

I have opened port 8080 in iptables and I am launching a Nextcloud container where port 8080 is exposed and routed to the Nextcloud server on port 80 inside the container.

I cannot reach localhost:8080 when I run Docker locally, nor server_ip:8080 when I run Docker on a remote server, even though port 8080 is open.

Docker has modified iptables after I ran my script to configure the firewall.

How should I change the chain rules so they accept connections to the Docker container? (Nextcloud is reachable on localhost:8080 if I set the INPUT policy to ACCEPT, but server_ip:8080 is not reachable even if I set the INPUT policy to ACCEPT...)

Thank you

Here is the iptables script:

#!/bin/bash
set -ex

# Flush all existing rules and delete all user-defined chains
# in the filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X


# Default policies: drop everything in and out, allow forwarding
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT


############### INPUT chain
## Drop ICMP echo requests (ping)
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

## Drop XMAS and NULL scans (invalid TCP flag combinations)
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

## Drop broadcast packets
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP

## Allow packets that belong to established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

## Allow the loopback interface (inserted at the top of the chain)
iptables -I INPUT -i lo -j ACCEPT

## Server rules: services reachable on the public interface enp53s0
iptables -A INPUT -p tcp -m tcp --dport 22 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -i enp53s0 -j ACCEPT

## Drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -i enp53s0 -j DROP

## Log whatever reaches the end of the chain (the DROP policy then discards it)
iptables -A INPUT -j LOG


############### OUTPUT chain
## Allow outgoing traffic on the loopback interface
iptables -A OUTPUT -o lo -j ACCEPT

## Allow outgoing DNS and NTP requests on the enp53s0 interface
iptables -A OUTPUT -p udp -m udp --dport 53 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 123 -o enp53s0 -j ACCEPT

## Allow replies sent by the local services, matched by source port, on enp53s0
iptables -A OUTPUT -p tcp -m tcp --sport 53 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 80 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 8080 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 443 -o enp53s0 -j ACCEPT

## Allow outgoing ping
iptables -A OUTPUT -p icmp --icmp-type echo-request -o enp53s0 -j ACCEPT

iptables --list shows the following output:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP       icmp --  anywhere             anywhere             icmp echo-request
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,PSH,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:SYN,RST/SYN,RST
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

Chain DOCKER (3 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

If you cannot reach `localhost:8080` the problem is not the firewall.
Nikita Kipriyanov
Does anything listen on that port? Use e.g. `ss -lnpt | grep 8080` to check.
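Added example, not code from the question or from Docker: a Docker-aware rewrite of the posted script. Three things in the posted script fight Docker. `iptables -t nat -F` wipes the DNAT rule Docker keeps in the nat table to rewrite `server_ip:8080` to the container's port 80; after that rewrite the packet goes through FORWARD, not INPUT, so the INPUT rule for port 8080 never sees remote traffic to the container. `iptables -X` deletes Docker's own chains. And an OUTPUT chain with policy DROP stops the host from opening connections to the container over docker0, which is exactly what the userland proxy behind `localhost:8080` does. The rewrite below only touches INPUT, OUTPUT and DOCKER-USER (the chain Docker jumps to first in FORWARD and never rewrites), and it matches the published port through conntrack's original destination, because by the time a packet reaches FORWARD its destination port is already the container's 80. The interface names, the port lists, the `DRY_RUN` harness and the `apply`/`dry-run` arguments are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not from the question): a Docker-aware replacement for the
# posted script. It never flushes the nat table, never deletes chains, and
# keeps container policy in DOCKER-USER. enp53s0, docker0 and the port lists
# are assumptions taken from the question; DRY_RUN=1 prints instead of applies.
set -eu

WAN_IF="${WAN_IF:-enp53s0}"                          # public interface
DOCKER_IF="${DOCKER_IF:-docker0}"                    # Docker's default bridge
HOST_TCP_PORTS="${HOST_TCP_PORTS:-22 80 443}"        # services on the host itself
PUBLISHED_PORTS="${PUBLISHED_PORTS:-8080}"           # docker -p ports, as clients see them
OUTBOUND_TCP_PORTS="${OUTBOUND_TCP_PORTS:-80 443}"   # assumption: docker pull / apt
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

# Run an iptables command, or print it when DRY_RUN=1 so the ruleset can be
# reviewed (and tested) without root.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s %s\n' "$IPT" "$*"
  else
    "$IPT" "$@"
  fi
}

# Host chains. Only INPUT and OUTPUT are flushed; FORWARD, the nat table and
# the mangle table are left to Docker.
host_rules() {
  ipt -P INPUT DROP
  ipt -P OUTPUT DROP
  ipt -F INPUT
  ipt -F OUTPUT

  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate INVALID -j DROP   # covers the XMAS/NULL cases too
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -p icmp --icmp-type echo-request -j DROP
  ipt -A INPUT -m pkttype --pkt-type broadcast -j DROP
  for p in $HOST_TCP_PORTS; do
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
  done
  # No INPUT rule for the published ports: remote clients are DNATed in
  # PREROUTING and forwarded, local clients reach the userland proxy over lo.
  ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "

  ipt -A OUTPUT -o lo -j ACCEPT
  ipt -A OUTPUT -o "$DOCKER_IF" -j ACCEPT                               # host -> containers
  ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # replies of host services
  ipt -A OUTPUT -o "$WAN_IF" -p udp -m multiport --dports 53,123 -j ACCEPT
  for p in $OUTBOUND_TCP_PORTS; do
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport "$p" -j ACCEPT
  done
  ipt -A OUTPUT -o "$WAN_IF" -p icmp --icmp-type echo-request -j ACCEPT
}

# DOCKER-USER is the first chain FORWARD jumps to, before any Docker rule.
# PREROUTING has already rewritten the destination to container:80 by now, so
# the published port is matched through conntrack's original destination,
# not with --dport.
docker_user_rules() {
  ipt -N DOCKER-USER 2>/dev/null || true
  ipt -F DOCKER-USER
  ipt -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  for p in $PUBLISHED_PORTS; do
    ipt -A DOCKER-USER -i "$WAN_IF" -p tcp -m conntrack --ctstate NEW \
      --ctorigdstport "$p" --ctdir ORIGINAL -j RETURN
  done
  ipt -A DOCKER-USER -i "$WAN_IF" -j DROP   # nothing else from outside reaches a container
  ipt -A DOCKER-USER -j RETURN              # container-originated traffic: Docker's chains decide
}

apply_firewall() {
  host_rules
  docker_user_rules
}

case "${1:-}" in
  apply)   apply_firewall ;;
  dry-run) DRY_RUN=1; apply_firewall ;;
esac
```

Run `./docker-fw.sh dry-run` to print the commands and `sudo ./docker-fw.sh apply` to load them. If the posted script has already run on the host, restart Docker once (`systemctl restart docker`) so it recreates the nat rules it lost; afterwards `iptables -t nat -S DOCKER` should list a DNAT for port 8080 to the container, `iptables -L DOCKER-USER -v -n` should show the counters on the published-port rule moving, and `ss -lnpt | grep 8080` should show the proxy listener. RETURN rather than ACCEPT is used for allowed traffic in DOCKER-USER so that Docker's own isolation chains still apply to it.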