Cannot access port externally in rootless docker container

I am running a gitea instance in a rootless docker container.
I followed the install steps from Rootless mode | Docker Docs and everything works fine except one thing: exposing ports externally.

For the main interface, I have set up an apache proxy on a custom domain to localhost:3000 (the port the webui is running on).
I have also set up an ssh server inside gitea for authentication on port 3333.

However, I can't for the life of me seem to connect to that port from the outside world.

I have exposed the port in my docker-compose:
ports:
  - "3000:3000"
  - "3333:3333"

I can connect to the ssh on port 3333 from the local server via
ssh 127.0.0.1 -p 3333
and even via
ssh <external hostname> -p 3333

But I cannot seem to connect to that port from any outside client.
Running
ssh <external hostname> -p 3333
from my local PC will just time out:

ssh: connect to host <host> port 3333: Connection timed out

netstat -tulpn gives me:

tcp        0      0 0.0.0.0:3333            0.0.0.0:*               LISTEN      1095/rootlesskit
tcp6       0      0 :::3333                 :::*                    LISTEN      1095/rootlesskit

I am using VPNkit as network driver since slirp4netns is not available.

What step am I missing to be able to access port 3333 from an external machine?

So if I understand it correctly, only one port doesn’t work from the outside, the SSH port (3333), but the webui port works (3000), right?

Did it work with rootful Docker on the same machine?
Can you make anything on the host listen on that port and access it from the outside? For example:

python3 -m http.server 3333

Can any other container listen on the same port? For example, can you run the webui on port 3333?
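The triage suggested above (first confirm something on the host itself accepts the port, then see whether an outside client gets a refusal or a silent timeout) as an added Python example; this is not code from the thread or from Docker, and `probe_port`, `diagnose` and `throwaway_listener` are names chosen here. The key point it encodes is that "Connection timed out" means packets are being dropped somewhere, whereas a closed port answers with "Connection refused" almost immediately.

```python
import socket


def probe_port(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome.

    'open'        -> the host completed the handshake: something accepts the port
                     (on a rootless Docker host that is the rootlesskit proxy
                      seen as LISTEN in netstat, so the port mapping itself works)
    'refused'     -> the host answered with RST: reachable, but nothing listens there
    'timeout'     -> no answer at all: packets are dropped on the way (host
                     firewall, cloud security group, upstream router/NAT)
    'unreachable' -> the local stack could not even route towards the host
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        except OSError:
            return "unreachable"


def diagnose(local, remote):
    """Combine a probe run on the host itself with one run from an outside client."""
    if local != "open":
        return "nothing listening on the host: check the container port mapping"
    if remote == "open":
        return "port reachable from outside"
    if remote == "refused":
        return "outside client reaches a host, but not the listening one: check hostname/IP"
    return "host listens, outside packets are dropped before the host: firewall or routing, not Docker"


def throwaway_listener():
    """Constructed fixture: bind on all interfaces with a kernel-chosen free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("0.0.0.0", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = throwaway_listener()
    local = probe_port("127.0.0.1", port)          # open while the listener is up
    srv.close()
    print(port, local, probe_port("127.0.0.1", port))  # refused once it is closed
    print(diagnose("open", "timeout"))
```

Run `probe_port(<external hostname>, 3333)` once on the host and once from an outside client, then feed both results to `diagnose` to see which layer to look at.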

None of the ports are reachable from the outside.
I managed to access the webui via an apache reverse proxy on the same machine (port 3000), but that will not be sufficient for the SSH connection on port 3333.

You can’t run docker rootless and rootful on the same machine (as far as I know) so that would be hard to test. My team members also won’t be very happy if I take down the git instance :sweat_smile:.

When I try to run the python web server on port 3334 (3333 is already in use) I can’t access that either.
It seems like I have a routing issue to solve (before even looking at any docker issues).

Thanks for thinking along :slight_smile: