By: 4ybaka

Blocked inbound connections

November 25, 2017
Docker Networking

I have an instance with Docker. One Docker container listens on port 9017, but it is not reachable via the public IP. I disabled ufw and cleared iptables. The instance also has no DO firewall.

root@docker-1gb-fra1-01:/home# ufw disable
Firewall stopped and disabled on system startup
root@docker-1gb-fra1-01:/home# ufw status
Status: inactive
root@docker-1gb-fra1-01:/home# iptables -P INPUT ACCEPT
root@docker-1gb-fra1-01:/home# iptables -P FORWARD ACCEPT

(See iptables rules below)

nmap shows the following:

root@docker-1gb-fra1-01:/home# nmap -p 9000-10000 localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-25 12:44 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000023s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
9017/tcp open  unknown
9403/tcp open  unknown
9404/tcp open  unknown
9451/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds
root@docker-1gb-fra1-01:/home# nmap -p 9000-10000 139.59.213.99

Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-25 12:44 UTC
Nmap scan report for 139.59.213.99
Host is up (0.000051s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
9017/tcp filtered unknown
9403/tcp filtered unknown
9404/tcp filtered unknown
9451/tcp filtered unknown

Why are the mentioned ports filtered?

iptables:

root@docker-1gb-fra1-01:/home# iptables --line-numbers -vL
Chain INPUT (policy ACCEPT 20 packets, 1434 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8169  377K ufw-before-logging-input  all  --  any    any     anywhere             anywhere
2     8169  377K ufw-before-input  all  --  any    any     anywhere             anywhere
3      108  7104 ufw-after-input  all  --  any    any     anywhere             anywhere
4      105  6948 ufw-after-logging-input  all  --  any    any     anywhere             anywhere
5      105  6948 ufw-reject-input  all  --  any    any     anywhere             anywhere
6      105  6948 ufw-track-input  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DOCKER-USER  all  --  any    any     anywhere             anywhere
2        0     0 DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere
3        0     0 ACCEPT     all  --  any    br-94f58cc57a91  anywhere             anywhere             ctstate RELATED,ESTABLISHED
4        0     0 DOCKER     all  --  any    br-94f58cc57a91  anywhere             anywhere
5        0     0 ACCEPT     all  --  br-94f58cc57a91 !br-94f58cc57a91  anywhere             anywhere
6        0     0 ACCEPT     all  --  br-94f58cc57a91 br-94f58cc57a91  anywhere             anywhere
7        0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
8        0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
9        0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
10       0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
11       0     0 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere
12       0     0 ufw-before-forward  all  --  any    any     anywhere             anywhere
13       0     0 ufw-after-forward  all  --  any    any     anywhere             anywhere
14       0     0 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere
15       0     0 ufw-reject-forward  all  --  any    any     anywhere             anywhere
16       0     0 ufw-track-forward  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 12 packets, 1686 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8036  447K ufw-before-logging-output  all  --  any    any     anywhere             anywhere
2     8036  447K ufw-before-output  all  --  any    any     anywhere             anywhere
3     1075 52820 ufw-after-output  all  --  any    any     anywhere             anywhere
4     1075 52820 ufw-after-logging-output  all  --  any    any     anywhere             anywhere
5     1075 52820 ufw-reject-output  all  --  any    any     anywhere             anywhere
6     1075 52820 ufw-track-output  all  --  any    any     anywhere             anywhere

Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.6           tcp dpt:9451
2        0     0 ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.6           tcp dpt:9404
3        0     0 ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.6           tcp dpt:9403
4        0     0 ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.2           tcp dpt:9017

Chain DOCKER-ISOLATION (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  docker0 br-94f58cc57a91  anywhere             anywhere
2        0     0 DROP       all  --  br-94f58cc57a91 docker0  anywhere             anywhere
3        0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain ufw-after-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination
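A point worth checking in rulesets like the one above, as an added example that is not part of the original post or of Docker's own tooling: disabling ufw changes nothing for these four ports, because Docker never routes published ports through the ufw INPUT chains (all empty here). Docker accepts them in its own DOCKER chain in FORWARD, and the only hook it leaves for the operator is DOCKER-USER, which in the listing contains a single RETURN. The script below parses `iptables -vL` output (the sample is constructed from the question's DOCKER and DOCKER-USER chains) to list which container ports are exposed that way, reports whether DOCKER-USER restricts any of them, and prints a restriction rule without applying it. The interface name eth0 and the allowed source range 203.0.113.0/24 are placeholders, not values from the page.

```sh
#!/bin/sh
# Added example, not code from the original post or from Docker/ufw.
# Audits which container ports Docker has opened through its own iptables
# chains (which ufw never sees) and whether DOCKER-USER restricts them.
# Interface "eth0" and source range 203.0.113.0/24 below are placeholders.

# Constructed sample: the DOCKER and DOCKER-USER chains from `iptables -vL`
# as shown in the question (other chains omitted; they carry no rules).
SAMPLE_IPTABLES='Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.6           tcp dpt:9451
2        0     0 ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.6           tcp dpt:9404
3        0     0 ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.6           tcp dpt:9403
4        0     0 ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.2           tcp dpt:9017

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  any    any     anywhere             anywhere'

# Print "<container-ip> <port>" for every rule in the DOCKER chain.
# The destination is two fields before the "dpt:N" token, which holds for
# `iptables -vL` output with or without --line-numbers.
docker_published_ports() {
  printf '%s\n' "$1" | awk '
    /^Chain / { chain = $2; next }
    chain == "DOCKER" && $0 ~ /dpt:/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^dpt:/) print $(i - 2), substr($i, 5)
    }'
}

# Succeed (exit 0) only if DOCKER-USER contains at least one DROP/REJECT rule,
# i.e. the operator has actually restricted Docker's published ports.
docker_user_restricts() {
  n=$(printf '%s\n' "$1" | awk '
    /^Chain / { chain = $2; next }
    chain == "DOCKER-USER" && /(DROP|REJECT)/ { n++ }
    END { print n + 0 }')
  [ "$n" -gt 0 ]
}

# Build (but do not run) the DOCKER-USER rule that drops traffic to one
# published port unless it comes from an allowed source. DOCKER-USER sits in
# FORWARD, after DNAT, so match the ORIGINAL (pre-DNAT) destination port via
# conntrack instead of --dport, which would see the container port.
docker_user_restrict_cmd() {
  ext_if=$1; allowed_src=$2; host_port=$3
  printf 'iptables -I DOCKER-USER -i %s ! -s %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j DROP\n' \
    "$ext_if" "$allowed_src" "$host_port"
}

# Report on either the live ruleset (--live, needs root) or the sample above.
audit() {
  table=$1
  echo "Ports Docker exposes via the DOCKER chain (ufw does not filter these):"
  docker_published_ports "$table" | while read -r ip port; do
    echo "  $ip:$port"
  done
  if docker_user_restricts "$table"; then
    echo "DOCKER-USER has DROP/REJECT rules: published ports are restricted."
  else
    echo "DOCKER-USER only RETURNs: every published port is reachable from anywhere."
    echo "Example restriction (placeholder interface and source range):"
    echo "  $(docker_user_restrict_cmd eth0 203.0.113.0/24 9017)"
  fi
}

if [ "${1:-}" = "--live" ]; then
  audit "$(iptables -nvL)"
else
  audit "$SAMPLE_IPTABLES"
fi
```

Run it with `--live` on the Docker host to read the real ruleset; it uses `iptables -nvL` so ports come out numeric rather than as service names. Two caveats: an nmap state of `filtered` means no reply at all (an open port answers SYN/ACK, a closed one RST), so it points at something dropping packets on the path rather than at the listener; and the DOCKER chain rules above are ACCEPTs with zero packet counts, so at the time of the listing no traffic to those ports had reached the FORWARD chain at all.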

2 Answers
4ybaka November 29, 2017
Accepted Answer

Found the reason: a bad port-forwarding configuration in my local network. So actually the port was inaccessible only from my local network.

Show the output of netstat -ltp and the output of docker ps / docker-compose ps.
