Container Not Routing to / from Host IP

brandonbell · April 11, 2018, 3:29pm

 Version:      17.05.0-ce
 API version:  1.29 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   89658be
 Built:        Thu May  4 22:09:44 2017
 OS/Arch:      linux/amd64
 Experimental: false

I am having issues where the containers are not routing to the host IP.

443/tcp -> 0.0.0.0:443
9005/tcp -> 0.0.0.0:9005
9092/tcp -> 0.0.0.0:9092

The following connect, however not using the IP from the host itself.

nc -w 1 -z 172.26.0.2 9092
Connection to 172.26.0.2 9092 port [tcp/XmlIpcRegSvc] succeeded!
nc -w 1 -z localhost 9092
Connection to localhost 9092 port [tcp/XmlIpcRegSvc] succeeded!
nc -w 5 -zv host_ip 9092
nc: connect to host_ip port 9092 (tcp) timed out: Operation now in progress

From other hosts it connects fine using the IP.

[other host] $ nc -z host_ip 9092
Connection to host_ip 9092 port [tcp/XmlIpcRegSvc] succeeded!

IP Tables Output Looks OK

# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            172.26.0.2          tcp dpt:9092 
ACCEPT     tcp  --  0.0.0.0/0            172.26.0.2          tcp dpt:9005 
ACCEPT     tcp  --  0.0.0.0/0            172.26.0.2          tcp dpt:443 

Chain DOCKER-ISOLATION (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type LOCAL 
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type LOCAL 

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8         ADDRTYPE match dst-type LOCAL 
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8         ADDRTYPE match dst-type LOCAL 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.26.0.0/16        0.0.0.0/0           
MASQUERADE  all  --  172.26.0.0/16        0.0.0.0/0           
MASQUERADE  tcp  --  172.26.0.2           172.26.0.2          tcp dpt:9092 
MASQUERADE  tcp  --  172.26.0.2           172.26.0.2          tcp dpt:9005 
MASQUERADE  tcp  --  172.26.0.2           172.26.0.2          tcp dpt:443 

Chain DOCKER (4 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9092 to:172.26.0.2:9092 
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9005 to:172.26.0.2:9005 
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:172.26.0.2:443