Hello, I need to open the ports 11443 and 11444 in order to be able to connect a desktop client with a web application, but even though that I set the rules properly to open the above-mentioned ports, they remain blocked.

My docker container also has the ports exposed:

root@docker-***:~# docker ps
CONTAINER ID        IMAGE                            COMMAND                  CREATED             STATUS                   PORTS                                                    NAMES
b1243cbeb471        idoop/zentao:latest              "docker-entrypoint"      34 minutes ago      Up 2 minutes (healthy)   80/tcp, 3306/tcp, 0.0.0.0:11443-11444->11443-11444/tcp   zentao

The ports are set to be allowed in ufw:

root@docker-***:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
2375/tcp                   ALLOW       Anywhere
2376/tcp                   ALLOW       Anywhere
11443/tcp                  ALLOW       Anywhere
11444/tcp                  ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
2375/tcp (v6)              ALLOW       Anywhere (v6)
2376/tcp (v6)              ALLOW       Anywhere (v6)
11443/tcp (v6)             ALLOW       Anywhere (v6)
11444/tcp (v6)             ALLOW       Anywhere (v6)

Some additional info:

root@docker-***:~# netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      951/sshd
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      699/systemd-resolve
tcp6       0      0 :::22                   :::*                    LISTEN      951/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      1441/docker-proxy
tcp6       0      0 :::80                   :::*                    LISTEN      1581/docker-proxy
tcp6       0      0 :::11443                :::*                    LISTEN      2349/docker-proxy
tcp6       0      0 :::11444                :::*                    LISTEN      1899/docker-proxy
udp        0      0 127.0.0.53:53           0.0.0.0:*                           699/systemd-resolve
root@docker-***:~# iptables-save
# Generated by iptables-save v1.6.1 on Thu Jun 18 12:11:09 2020
*nat
:PREROUTING ACCEPT [88:5244]
:INPUT ACCEPT [50:2964]
:OUTPUT ACCEPT [82:6072]
:POSTROUTING ACCEPT [161:10036]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.21.0.0/16 ! -o br-beef654e1741 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-a7d9c45b68cc -j MASQUERADE
-A POSTROUTING -s 172.19.0.17/32 -d 172.19.0.17/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.19.0.17/32 -d 172.19.0.17/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.19.0.22/32 -d 172.19.0.22/32 -p tcp -m tcp --dport 11444 -j MASQUERADE
-A POSTROUTING -s 172.19.0.22/32 -d 172.19.0.22/32 -p tcp -m tcp --dport 11443 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-beef654e1741 -j RETURN
-A DOCKER -i br-a7d9c45b68cc -j RETURN
-A DOCKER ! -i br-a7d9c45b68cc -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.19.0.17:443
-A DOCKER ! -i br-a7d9c45b68cc -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.19.0.17:80
-A DOCKER ! -i br-a7d9c45b68cc -p tcp -m tcp --dport 11444 -j DNAT --to-destination 172.19.0.22:11444
-A DOCKER ! -i br-a7d9c45b68cc -p tcp -m tcp --dport 11443 -j DNAT --to-destination 172.19.0.22:11443
COMMIT
# Completed on Thu Jun 18 12:11:09 2020
# Generated by iptables-save v1.6.1 on Thu Jun 18 12:11:09 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:128]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-beef654e1741 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-beef654e1741 -j DOCKER
-A FORWARD -i br-beef654e1741 ! -o br-beef654e1741 -j ACCEPT
-A FORWARD -i br-beef654e1741 -o br-beef654e1741 -j ACCEPT
-A FORWARD -o br-a7d9c45b68cc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-a7d9c45b68cc -j DOCKER
-A FORWARD -i br-a7d9c45b68cc ! -o br-a7d9c45b68cc -j ACCEPT
-A FORWARD -i br-a7d9c45b68cc -o br-a7d9c45b68cc -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -d 172.19.0.17/32 ! -i br-a7d9c45b68cc -o br-a7d9c45b68cc -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.19.0.17/32 ! -i br-a7d9c45b68cc -o br-a7d9c45b68cc -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.19.0.22/32 ! -i br-a7d9c45b68cc -o br-a7d9c45b68cc -p tcp -m tcp --dport 11444 -j ACCEPT
-A DOCKER -d 172.19.0.22/32 ! -i br-a7d9c45b68cc -o br-a7d9c45b68cc -p tcp -m tcp --dport 11443 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-beef654e1741 ! -o br-beef654e1741 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-a7d9c45b68cc ! -o br-a7d9c45b68cc -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-beef654e1741 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-a7d9c45b68cc -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j ACCEPT
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A ufw-user-input -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 --name DEFAULT --mask 255.255.255.255 --rsource -j ufw-user-limit
-A ufw-user-input -p tcp -m tcp --dport 22 -j ufw-user-limit-accept
-A ufw-user-input -p tcp -m tcp --dport 2375 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 2376 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 11443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 11444 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Thu Jun 18 12:11:09 2020

My DigitalOcean firewall settings look like this:

image

I’m also using Cloudflare, but I do not have the firewall enabled there.

Could anyone point me in the right direction on how to open the ports I need, because I’m out of ideas at that point?

Thanks!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
2 answers

Hi @panosru,

Looking at the provided information, you have allow only Ipv6 connections on ports 1143 and 1144.

root@docker-***:~# netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      951/sshd
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      699/systemd-resolve
tcp6       0      0 :::22                   :::*                    LISTEN      951/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      1441/docker-proxy
tcp6       0      0 :::80                   :::*                    LISTEN      1581/docker-proxy
tcp6       0      0 :::11443                :::*                    LISTEN      2349/docker-proxy
tcp6       0      0 :::11444                :::*                    LISTEN      1899/docker-proxy
udp        0      0 127.0.0.53:53           0.0.0.0:*                           699/systemd-resolve

If you look at the running application, it seems like the docker-proxy is only listening these ports on TCP6 - IPv6. This seems like you’ll need to update your app’s configuration so that it listens on the same ports but on IPv4.

Regards,
KDSys

@KFSys, thank you for your response!

According to this similar to mine issue, I quote:

When setting up the proxy, Docker requests the loopback address ‘127.0.0.1’, Linux realises this is an address that exists in IPv6 (as ::0) and opens on both (but it is formally an IPv6 socket). When you run netstat it sees this and tells you it is an IPv6 - but it is still listening on IPv4. If you have played with your settings a little, you may have disabled this trick Linux does - by setting net.ipv6.bindv6only = 1.

Based on my settings:

root@docker-***:~# sysctl net.ipv6.bindv6only
net.ipv6.bindv6only = 0

I haven’t blocked this feature; thus, it seems to me that even though that netstat shows ipv6, docker container is still able to communicate on ipv4, no?

Sorry if I’m mistaken, I’m not a network expert, I’m just using Google a lot :)

Another person from the same StackOverflow issue, propose to set net.ipv6.conf.all.forwarding to 1, currently, I have it set to zero:

root@docker-tecfinity:~# sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 0

UPDATE:

I set net.ipv6.conf.all.forwarding to 1, but I still cannot access host:port from outside of local network.

I’m able to telnet from within the machine:

root@docker-***:~# telnet 127.0.0.1 11443
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.
root@docker-***:~# telnet 127.0.0.1 11444
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.

Some additional info:

root@docker-***:~# uname -a
Linux docker-*** 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@docker-***:~# docker -v
Docker version 18.06.1-ce, build e68fc7a
root@docker-***:~# cat /etc/issue
Ubuntu 18.04.1 LTS \n \l
root@docker-***:~# iptables -t nat -nxvL
Chain PREROUTING (policy ACCEPT 26795 packets, 1604137 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   26505  1494209 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 19106 packets, 1143013 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7232 packets, 560351 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 20817 packets, 1282907 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
       0        0 MASQUERADE  all  --  *      !br-beef654e1741  172.21.0.0/16        0.0.0.0/0
    1438    86280 MASQUERADE  all  --  *      !br-a7d9c45b68cc  172.19.0.0/16        0.0.0.0/0
       0        0 MASQUERADE  tcp  --  *      *       172.19.0.17          172.19.0.17          tcp dpt:443
       0        0 MASQUERADE  tcp  --  *      *       172.19.0.17          172.19.0.17          tcp dpt:80
       0        0 MASQUERADE  tcp  --  *      *       172.19.0.22          172.19.0.22          tcp dpt:11444
       0        0 MASQUERADE  tcp  --  *      *       172.19.0.22          172.19.0.22          tcp dpt:11443

Chain DOCKER (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
       0        0 RETURN     all  --  br-beef654e1741 *       0.0.0.0/0            0.0.0.0/0
       0        0 RETURN     all  --  br-a7d9c45b68cc *       0.0.0.0/0            0.0.0.0/0
    7025   333880 DNAT       tcp  --  !br-a7d9c45b68cc *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.19.0.17:443
     336    15300 DNAT       tcp  --  !br-a7d9c45b68cc *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.19.0.17:80
       1       40 DNAT       tcp  --  !br-a7d9c45b68cc *       0.0.0.0/0            0.0.0.0/0            tcp dpt:11444 to:172.19.0.22:11444
       4      204 DNAT       tcp  --  !br-a7d9c45b68cc *       0.0.0.0/0            0.0.0.0/0            tcp dpt:11443 to:172.19.0.22:11443

UPDATE2:

I believe, that I’ll have to dig a bit in the container and make sure that the service that uses ports 11443-11444 is indeed working, I took it for granted but I have the suspicion that it may not.

Submit an Answer