I am attempting to set up a Docker container registry. I have followed quite closely the documentation found here and appear to have a functional repository; however, I can access the blasted thing. Note:
[root@redacted ~]# nmap 127.0.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2020-12-15 16:27 CST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for localhost (127.0.0.1)
Host is up (-660s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
199/tcp open smux
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
[root@redacted ~]# nmap 172.20.52.15
Starting Nmap 6.40 ( http://nmap.org ) at 2020-12-15 16:27 CST
Nmap scan report for redacted (172.20.52.15)
Host is up (0.0000080s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp filtered http
443/tcp filtered https
Nmap done: 1 IP address (1 host up) scanned in 6.73 seconds
[root@redacted ~]#
[root@redacted ~]# docker --version
Docker version 19.03.13, build 4484c46d9d
The repository is on port 443. I tried setting up an nginx server on port 80 and got the same thing. I have set up a repository on a different server running Docker 17. Was there something that changed in the rules? This is the command I used to spin up the container:
docker run -d \
-p 443:443 \
--restart=always \
--name registry \
-v /etc/docker/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /etc/docker/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/redacted.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/redacted.key \
registry:2
My iptables rules:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N LOGGING
-A INPUT -j LOG
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -d 192.236.39.255/32 -j DROP
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j LOG
-A INPUT -j LOGGING
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A DOCKER -j LOG
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
Any guidance would be grand; I have been searching the internet and reading docs for Docker and iptables for several days with no progress.
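An added example (not from the post) that traces a packet through the INPUT chain listed above: nmap reports a port as "filtered" when the SYN is dropped or answered with ICMP host-prohibited, and this chain only accepts new connections arriving on lo or to port 22 before its catch-all REJECT. It assumes the scanned traffic is delivered locally and hits INPUT rather than being DNAT'd to the container by Docker's nat-table rules, which the listing (filter table only) does not show; the rule text is copied from the post, and the rules after the REJECT are omitted because they are unreachable.

```python
"""Trace a packet through an iptables INPUT chain given in 'iptables -S' syntax."""
import shlex

# INPUT chain as listed in the post (filter table). Rules after the REJECT
# (a LOG and a jump to LOGGING) are never reached, so they are left out.
INPUT_RULES = """
-A INPUT -j LOG
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rule(line):
    """Turn one '-A INPUT ...' line into (match dict, target)."""
    toks = shlex.split(line)
    m, target, i = {}, None, 2                      # skip '-A INPUT'
    while i < len(toks):
        t = toks[i]
        if t == "-j":
            target = toks[i + 1]; i += 2
        elif t in ("-p", "-i", "-d", "--dport", "--state"):
            m[t] = toks[i + 1]; i += 2
        elif t in ("-m", "--reject-with"):          # module name / reject type: no match effect
            i += 2
        else:
            i += 1
    return m, target

def matches(m, pkt):
    """True when every match criterion in the rule applies to the packet."""
    if "-p" in m and pkt["proto"] != m["-p"]: return False
    if "-i" in m and pkt["iface"] != m["-i"]: return False
    if "-d" in m and pkt["dst"] != m["-d"].split("/")[0]: return False
    if "--dport" in m and str(pkt["dport"]) != m["--dport"]: return False
    if "--state" in m and pkt["state"] not in m["--state"].split(","): return False
    return True

def verdict(rules_text, pkt):
    """First terminating target (ACCEPT/DROP/REJECT) for pkt; LOG just continues."""
    for line in rules_text.strip().splitlines():
        m, target = parse_rule(line)
        if matches(m, pkt) and target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return "POLICY"                                 # chain policy (ACCEPT in the post)
```

A REJECT with icmp-host-prohibited is exactly what nmap shows as "filtered", so a new connection to 443 on the host address is rejected while the same probe over loopback is accepted by the `-i lo` rule.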