Docker-proxy not working

Hi.
In a specific updated debian bullseye server, packets are not flowing between the host and the containers.
Tcpdump and iptables counters show packets getting in from the NIC, but they don’t reach the container.
Testing with an uptime-kuma docker.
It works from the debian host itself, but not from any other server in the local LAN.

I have another server with exactly the same OS & updates and it works fine!

Any idea what may be blocking docker-proxy?

root@debian:~# uname -a
Linux debian 5.10.0-33-amd64 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64 GNU/Linux
root@debian:~# docker ps
CONTAINER ID   IMAGE                    COMMAND                  CREATED         STATUS                   PORTS                                       NAMES
d9993d294cae   louislam/uptime-kuma:1   "/usr/bin/dumb-init …"   9 seconds ago   Up 9 seconds (healthy)   0.0.0.0:3001->3001/tcp, :::3001->3001/tcp   uptime-kuma
root@debian:~# systemctl status docker
● docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-11-19 11:14:32 WET; 4h 11min ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 168935 (dockerd)
      Tasks: 35
     Memory: 147.4M
        CPU: 10.965s
     CGroup: /system.slice/docker.service
             ├─168935 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
             ├─244309 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 3001 -container-ip 172.17.0.2 -container-port 3001
             └─244319 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 3001 -container-ip 172.17.0.2 -container-port 3001

You can check the MTU of the interfaces of Docker and your LAN. Big differences can result in data loss.

I’m not sure I understand this. What is it that works from the host, and how are other machines on the LAN related to the traffic between the host and the container?

Network issues are often caused by a firewall on the machine like ufw.

Hi Ákos.

In fact you were right, I had a previous old filter added with nft (visible with “nft list ruleset”), but when I issued “iptables -L -n -v” or “iptables-save” that initial filter was not appearing.
Only when you suggested “ufw” I remembered using “nft” in the past!
Sorry for wasting your time, but many thanks to you. I’ve seen quite a lot of questions where you were very helpful around here. Please keep up the good work :slight_smile:

No problem :slight_smile: Thank you for coming back to share the solution!
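
The gap reported in this thread (a filter visible in `nft list ruleset` but absent from `iptables -L -n -v` and `iptables-save`) can be checked with a small parser. This is an added example, not code from the thread: the function names and the sample ruleset are constructed, and it assumes the iptables tools only display the ip/ip6 tables named filter, nat, mangle, raw and security.

```shell
# Added example. Heuristic (assumption): iptables/iptables-save only display the
# ip/ip6 tables named filter, nat, mangle, raw and security; base chains in any
# other table (for example family inet) appear only in nft output.
# stdin:  text of `nft list ruleset`
# stdout: family table chain hook policy drop_or_reject_rules
nft_hidden_base_chains() {
    awk '
    $1 == "table" {
        fam = $2; tbl = $3
        hidden = !((fam == "ip" || fam == "ip6") && tbl ~ /^(filter|nat|mangle|raw|security)$/)
        next
    }
    $1 == "chain" { chain = $2; hook = ""; policy = "accept"; blocks = 0; next }
    $1 == "type" && $3 == "hook" {          # base chain declaration line
        hook = $4
        for (i = 5; i < NF; i++)
            if ($i == "policy") { policy = $(i + 1); sub(/;/, "", policy) }
        next
    }
    $1 == "}" {                             # end of a chain (or of the table)
        if (hook != "" && hidden) print fam, tbl, chain, hook, policy, blocks
        hook = ""; next
    }
    { for (i = 1; i <= NF; i++)             # count rules with a blocking verdict
          if ($i == "drop" || $i == "reject") { blocks++; break } }
    '
}

# Constructed sample input, not the ruleset from this thread.
sample_ruleset() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        tcp dport 3001 drop
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
    }
}
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
}
EOF
}
sample_ruleset | nft_hidden_base_chains
```

On a live host, run `nft list ruleset | nft_hidden_base_chains` as root; any line it prints is a hooked chain that needs to be reviewed with `nft`, since the iptables commands will not show it.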

