Docker Community Forums


Docker swarm not reachable from outside the VM (please help)


(Xoroz) #1

Hello all,

I have a docker swarm network problem:

When using docker stack deploy, the network is not reachable from outside the VM (but it does work from inside the VM).
I do see the iptables nat and network rules, and from inside the VM it works (curl localhost:).

I am running the latest version of docker-ce, 18.06.1-ce.
I do see traffic coming into the interface eth0 via tcpdump.
I suspect something is going wrong with iptables! Please help.

I have tried running it on many different OS/servers, always with the same problem…
Using haproxy (outside docker) on the host works, but to be a good solution I need stick-mode from traefik…

I have spent over 10 hours trying to get this to work, please help me out.
Is this how it is supposed to be? No access from outside?
Can I unblock that and permit access to the ingress network?

All details:
https://pastebin.com/dQzKubmR

IPTABLES output

# Generated by iptables-save v1.6.0 on Thu Aug 23 17:22:06 2018
*mangle
:PREROUTING ACCEPT [1421:151494]
:INPUT ACCEPT [1200:101888]
:FORWARD ACCEPT [57:3180]
:OUTPUT ACCEPT [1308:181016]
:POSTROUTING ACCEPT [1365:184196]
COMMIT
# Completed on Thu Aug 23 17:22:06 2018
# Generated by iptables-save v1.6.0 on Thu Aug 23 17:22:06 2018
*nat
:PREROUTING ACCEPT [201:52062]
:INPUT ACCEPT [37:5636]
:OUTPUT ACCEPT [20:2044]
:POSTROUTING ACCEPT [35:2864]
:DOCKER - [0:0]
:DOCKER-INGRESS - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -o docker_gwbridge -m addrtype --src-type LOCAL -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o docker_gwbridge -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i docker_gwbridge -j RETURN
-A DOCKER-INGRESS -p tcp -m tcp --dport 30000 -j DNAT --to-destination 172.18.0.2:30000
-A DOCKER-INGRESS -p tcp -m tcp --dport 5001 -j DNAT --to-destination 172.18.0.2:5001
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:8080
-A DOCKER-INGRESS -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.18.0.2:5000
-A DOCKER-INGRESS -j RETURN
COMMIT
# Completed on Thu Aug 23 17:22:06 2018
# Generated by iptables-save v1.6.0 on Thu Aug 23 17:22:06 2018
*filter
:INPUT ACCEPT [1199:101659]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1074:149924]
:DOCKER - [0:0]
:DOCKER-INGRESS - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-INGRESS
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker_gwbridge -j DOCKER
-A FORWARD -i docker_gwbridge ! -o docker_gwbridge -j ACCEPT
-A FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP
-A DOCKER-INGRESS -p tcp -m tcp --dport 30000 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 30000 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --dport 5001 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 5001 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 8080 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 5000 -j ACCEPT
-A DOCKER-INGRESS -j RETURN
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker_gwbridge ! -o docker_gwbridge -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker_gwbridge -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT

These are my details:
https://pastebin.com/AuqWp2Zv
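The ruleset in the post is the right place to start, but reading it by eye is error-prone. The following is an added example, not code from the post or from Docker: a small replay of an inbound packet through the posted iptables-save text, so you can see which rule DNATs a published port (nat PREROUTING → DOCKER-INGRESS) and which rule then accepts or drops it in filter FORWARD. RULESET is the poster's nat and filter tables trimmed to the chains an ingress packet touches, with one published port (8080) kept; the synthetic packets are constructed, only the match options that occur in the dump are implemented, and the step "after DNAT to 172.18.0.2 the packet is routed out docker_gwbridge" is an assumption taken from the poster's MASQUERADE rule for 172.18.0.0/16.

```python
# Added example, not code from the post or from Docker: RULESET is the poster's nat/filter
# tables trimmed to the chains an inbound ingress packet touches; only their match options are handled.
RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER-INGRESS - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:8080
-A DOCKER-INGRESS -j RETURN
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER-INGRESS - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-INGRESS
-A FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker_gwbridge ! -o docker_gwbridge -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-INGRESS -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
"""

def packet(dport, **over):
    """Synthetic packet (constructed); keys mirror the iptables matches used below."""
    base = dict(proto="tcp", in_iface="eth0", out_iface="", dst_local=True, ctstate="NEW")
    return {**base, "dport": dport, **over}

# One predicate per match option seen in the dump; any other option raises KeyError.
MATCH = {
    "-p": lambda p, a: p["proto"] == a,
    "-i": lambda p, a: p["in_iface"] == a,
    "-o": lambda p, a: p["out_iface"] == a,
    "--dport": lambda p, a: p["dport"] == int(a),
    "--dst-type": lambda p, a: p["dst_local"] and a == "LOCAL",
    "--ctstate": lambda p, a: p["ctstate"] in a.split(","),
}

def parse(text):
    """iptables-save text -> {table: {"policy": {chain: p}, "rules": {chain: [tokens]}}}."""
    tables, t = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            t = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            t["policy"][chain], t["rules"][chain] = policy, []
        elif line.startswith("-A "):
            _, chain, *rule = line.split()
            t["rules"][chain].append(rule)
    return tables

def matches(tok, pkt):
    """Evaluate a rule's match options (everything before -j); '!' negates the next one."""
    i, neg = 0, False
    while tok[i] != "-j":
        if tok[i] == "!":
            i, neg = i + 1, True
            continue
        opt, arg = tok[i], tok[i + 1]
        if opt != "-m" and MATCH[opt](pkt, arg) == neg:   # -m only loads a match module
            return False
        i, neg = i + 2, False
    return True

def walk(table, chain, pkt, trace):
    """Run one chain; return (target, dnat_to), or None when a user-defined chain returns."""
    policy = table["policy"][chain]                       # "-" for user-defined chains
    for tok in table["rules"][chain]:
        if not matches(tok, pkt):
            continue
        trace.append(f"{chain}: {' '.join(tok)}")
        j = tok.index("-j")
        tgt, to = tok[j + 1], (tok[j + 3] if tok[j + 1] == "DNAT" else None)
        if tgt in table["rules"]:                         # jump into a user-defined chain
            res = walk(table, tgt, pkt, trace)
            if res is not None:
                return res
        elif tgt != "RETURN":                             # ACCEPT, DROP, DNAT, MASQUERADE
            return tgt, to
        else:
            break
    return None if policy == "-" else (policy, None)      # RETURN or end of chain

def trace_ingress(tables, dport):
    """Inbound SYN from outside to a host port: nat PREROUTING, then filter FORWARD."""
    trace = []
    nat, to = walk(tables["nat"], "PREROUTING", packet(dport), trace)
    if nat != "DNAT":   # address stays local: the packet goes to filter INPUT, not FORWARD
        return nat, None, None, trace
    # Assumption: 172.18.0.2 is reached via docker_gwbridge (the poster's MASQUERADE rule
    # ties 172.18.0.0/16 to that bridge), so the DNATed packet is forwarded, not delivered.
    fwd = packet(int(to.rsplit(":", 1)[1]), out_iface="docker_gwbridge", dst_local=False)
    filt, _ = walk(tables["filter"], "FORWARD", fwd, trace)
    return nat, to, filt, trace

if __name__ == "__main__":
    for port in (8080, 9999):
        print(port, *trace_ingress(parse(RULESET), port), sep="\n  ")
```

For port 8080 the replay ends in DNAT to 172.18.0.2:8080 followed by ACCEPT from the filter DOCKER-INGRESS chain; for an unpublished port such as 9999 there is no DNAT, so the packet never enters FORWARD (it goes to the host's INPUT chain), and a stray forward towards docker_gwbridge on an unpublished port falls off the end of FORWARD into its DROP policy. When the published ports come out as DNAT plus ACCEPT, as they do for this dump, the iptables rules themselves are not what blocks the connection, and the usual next checks are net.ipv4.ip_forward on the VM and any firewall in front of it. To replay a live host's rules, feed it the output of iptables-save instead of RULESET, adding predicates to MATCH for any option the parser does not know.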