I have a weird issue: whenever I create a service (either via docker service create... or via a stack file), if I create an explicit port mapping ("30000:8080" etc.), I can access the service and iptables rules are created.
Edit: iptables rules that are created:
-A DOCKER-INGRESS -p tcp -m tcp --dport 30000 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 30000 -j ACCEPT
However, if I just put a single port ("8080") and ask Docker to pick an ingress port, no iptables rule is created and I can’t access the service. Has anyone seen this before / got any debugging suggestions?
This is occurring on 17.03 in a client environment, but I can’t reproduce it with 17.03 locally. The same behavior happens with an external network, an automatically created network, or no network at all (just placed on ingress). The only difference is whether I give a pair of ports (explicit mapping) or just a single one (and let Docker pick). The ‘Docker picked’ port is never added to iptables and the service is inaccessible.
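One way to debug the symptom described in the post is to compare the ports Docker reports as published for a service against the ACCEPT rules actually present in the DOCKER-INGRESS chain. The script below is an added example, not code from the original post or from Docker itself. It assumes the rule format quoted above (`-A DOCKER-INGRESS ... --dport N -j ACCEPT`), uses `docker service inspect --format` with the `.Endpoint.Ports` / `.PublishedPort` template fields, and includes a constructed sample of `iptables -S DOCKER-INGRESS` output so the matching logic can be exercised without a swarm; the live `check_service` path needs root, docker and iptables.

```shell
#!/bin/sh
# Added example: report published ports that have no ACCEPT rule in DOCKER-INGRESS.

# Constructed sample of `iptables -S DOCKER-INGRESS` output (assumption: it mirrors
# the two rules quoted in the post, plus the chain header and a trailing RETURN).
SAMPLE_RULES='-N DOCKER-INGRESS
-A DOCKER-INGRESS -p tcp -m tcp --dport 30000 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 30000 -j ACCEPT
-A DOCKER-INGRESS -j RETURN'

# ingress_port_allowed PORT RULES
# Succeeds (exit 0) if RULES contains an ACCEPT rule for --dport PORT in DOCKER-INGRESS.
# The space after the port keeps 3000 from matching 30000; --sport rules are ignored.
ingress_port_allowed() {
  port="$1"
  rules="$2"
  printf '%s\n' "$rules" | grep -E -q -- "^-A DOCKER-INGRESS .*--dport ${port} .*-j ACCEPT$"
}

# published_ports SERVICE
# Prints one PublishedPort per line as Docker reports it (requires docker).
published_ports() {
  docker service inspect \
    --format '{{range .Endpoint.Ports}}{{.PublishedPort}}{{"\n"}}{{end}}' "$1"
}

# check_service SERVICE
# Live check: for each published port, say whether the filter-table ingress rule exists.
check_service() {
  svc="$1"
  rules="$(iptables -S DOCKER-INGRESS 2>/dev/null)"
  for p in $(published_ports "$svc"); do
    if ingress_port_allowed "$p" "$rules"; then
      echo "port $p: ACCEPT rule present in DOCKER-INGRESS"
    else
      echo "port $p: NO ACCEPT rule in DOCKER-INGRESS (service will be unreachable)"
    fi
  done
}

# Usage on a swarm manager: check_service <service-name>
```

Run `check_service <service>` on the node you are testing against, once with an explicit "30000:8080" mapping and once with a bare "8080", and diff the output; if the auto-assigned port shows up in `docker service inspect` but not in the chain, the problem is on the iptables side rather than in the service definition.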