I have an instance with Docker. One Docker container listens on port 9017, but it is not available via the public IP. I disabled ufw and cleared iptables. The instance also has no DO firewall.

root@docker-1gb-fra1-01:/home# ufw disable
Firewall stopped and disabled on system startup
root@docker-1gb-fra1-01:/home# ufw status
Status: inactive
root@docker-1gb-fra1-01:/home# iptables -P INPUT ACCEPT
root@docker-1gb-fra1-01:/home# iptables -P FORWARD ACCEPT

(See iptables rules below)

nmap shows the following:

root@docker-1gb-fra1-01:/home# nmap -p 9000-10000 localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-25 12:44 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000023s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
9017/tcp open  unknown
9403/tcp open  unknown
9404/tcp open  unknown
9451/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds
root@docker-1gb-fra1-01:/home# nmap -p 9000-10000 139.59.213.99

Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-25 12:44 UTC
Nmap scan report for 139.59.213.99
Host is up (0.000051s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
9017/tcp filtered unknown
9403/tcp filtered unknown
9404/tcp filtered unknown
9451/tcp filtered unknown

Why are the mentioned ports filtered?

iptables:

root@docker-1gb-fra1-01:/home# iptables --line-numbers -vL
Chain INPUT (policy ACCEPT 20 packets, 1434 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8169  377K ufw-before-logging-input  all  --  any    any     anywhere             anywhere
2     8169  377K ufw-before-input  all  --  any    any     anywhere             anywhere
3      108  7104 ufw-after-input  all  --  any    any     anywhere             anywhere
4      105  6948 ufw-after-logging-input  all  --  any    any     anywhere             anywhere
5      105  6948 ufw-reject-input  all  --  any    any     anywhere             anywhere
6      105  6948 ufw-track-input  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DOCKER-USER  all  --  any    any     anywhere             anywhere
2        0     0 DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere
3        0     0 ACCEPT     all  --  any    br-94f58cc57a91  anywhere             anywhere             ctstate RELATED,ESTABLISHED
4        0     0 DOCKER     all  --  any    br-94f58cc57a91  anywhere             anywhere
5        0     0 ACCEPT     all  --  br-94f58cc57a91 !br-94f58cc57a91  anywhere             anywhere
6        0     0 ACCEPT     all  --  br-94f58cc57a91 br-94f58cc57a91  anywhere             anywhere
7        0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
8        0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
9        0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
10       0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
11       0     0 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere
12       0     0 ufw-before-forward  all  --  any    any     anywhere             anywhere
13       0     0 ufw-after-forward  all  --  any    any     anywhere             anywhere
14       0     0 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere
15       0     0 ufw-reject-forward  all  --  any    any     anywhere             anywhere
16       0     0 ufw-track-forward  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 12 packets, 1686 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8036  447K ufw-before-logging-output  all  --  any    any     anywhere             anywhere
2     8036  447K ufw-before-output  all  --  any    any     anywhere             anywhere
3     1075 52820 ufw-after-output  all  --  any    any     anywhere             anywhere
4     1075 52820 ufw-after-logging-output  all  --  any    any     anywhere             anywhere
5     1075 52820 ufw-reject-output  all  --  any    any     anywhere             anywhere
6     1075 52820 ufw-track-output  all  --  any    any     anywhere             anywhere

Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.6           tcp dpt:9451
2        0     0 ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.6           tcp dpt:9404
3        0     0 ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.6           tcp dpt:9403
4        0     0 ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.2           tcp dpt:9017

Chain DOCKER-ISOLATION (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  docker0 br-94f58cc57a91  anywhere             anywhere
2        0     0 DROP       all  --  br-94f58cc57a91 docker0  anywhere             anywhere
3        0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain ufw-after-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination

2 answers

Found the reason - a bad port forwarding configuration in the local network. So actually the port wasn't accessible only from my local network.

Show the output of netstat -ltp and the output of docker/docker-compose ps.
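
An added example, not part of the question or either answer: it reads the DOCKER chain of an iptables --line-numbers -vL listing like the one in the question and reports, for a published port, whether an ACCEPT rule exists and whether its packet counter is non-zero. The 9451 and 9017 rows are copied from the listing above, the 8080 row is constructed, and the function names are this example's own.

```python
import re

# Sample input: DOCKER chain rows taken from the question's listing, plus one
# constructed row (port 8080) that shows a non-zero counter with a K suffix.
SAMPLE = """\
Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.6           tcp dpt:9451
4        0     0 ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.2           tcp dpt:9017
5      12K  640K ACCEPT     tcp  --  !br-94f58cc57a91 br-94f58cc57a91  anywhere             172.18.0.3           tcp dpt:8080

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  any    any     anywhere             anywhere
"""

UNITS = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def counter(text):
    """Convert an iptables -v counter such as '377K' to an approximate integer."""
    return int(text[:-1]) * UNITS[text[-1]] if text[-1] in UNITS else int(text)

def published_ports(listing, chain="DOCKER"):
    """Return {port: (container_ip, packets)} for numeric-port ACCEPT rules in chain."""
    rules, current = {}, None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) ", line)
        if header:
            current = header.group(1)
            continue
        fields = line.split()
        if current != chain or len(fields) < 10 or not fields[0].isdigit():
            continue
        # Columns: num pkts bytes target prot opt in out source destination [match]
        dpt = re.search(r"dpt:(\d+)", line)
        if fields[3] == "ACCEPT" and dpt:
            rules[int(dpt.group(1))] = (fields[9], counter(fields[1]))
    return rules

def diagnose(listing, port):
    """Classify one port: no rule, rule never matched, or rule matched by traffic."""
    rules = published_ports(listing)
    if port not in rules:
        return "no-rule"
    return "traffic-seen" if rules[port][1] > 0 else "rule-present-no-traffic"

if __name__ == "__main__":
    for port in (9017, 8080, 22):
        print(port, diagnose(SAMPLE, port))
```

A zero counter only says that no forwarded packet has matched the rule since it was created or the counters were reset. Connections made from the host itself do not pass through the FORWARD chain, so they never increment these counters.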
