Docker Community Forums

Not able to connect from docker container to local host

(Radiatejava) #1

I am trying to connect to my HTTPS service (port 443) on the Docker host’s public (LAN) IP from the Docker container, but I am not able to. The container is not able to ping the public, i.e. LAN, IP of the host either. I am using the default bridge network for the container and the default docker0 config. I know this should work fine (because I have tried it before). My host IP is 172.23.166.174. I am posting the firewall output here; I suspect this could be a firewall issue, but I need confirmation:

[root@myhost ~]# iptables -n -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
SXP        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:64999
RATELIMIT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  172.17.0.0/16        169.254.1.0/24      
DROP       all  --  169.254.1.0/24       172.17.0.0/16       
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 14
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           

Chain CONNLIMIT (1 references)
target     prot opt source               destination         
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9060 flags:0x17/0x02 #conn src/0 > 10 reject-with icmp-port-unreachable
DEFAULTCHAIN  all  --  0.0.0.0/0            0.0.0.0/0           

Chain DEFAULTCHAIN (1 references)
target     prot opt source               destination         
PROD_FW_NGFD_CHAIN  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:7802
PROD_FW_NG_CHAIN  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:7800
PROD_FW_JGRP_CHAIN  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:12001
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
PROD_FW_ORACLE_CHAIN  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1521
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 13
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:161
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1645
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1812
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1646
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1813
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:8905
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:9993
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:20514
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1700
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:3799
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:40514
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:49
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8905
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8909
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8910
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1468
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6514
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9090
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9094
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9095
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:11468
PXGRID     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5222
PXGRID     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:7400
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:2083
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:547
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9060
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9060
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9060
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9060
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9060
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9060
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9002
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:162
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2560
ACCEPT     2    --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (4 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            169.254.1.4          tcp dpt:3000

Chain PROD_FW_JGRP_CHAIN (1 references)
target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:12001

Chain PROD_FW_NGFD_CHAIN (1 references)
target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:7802

Chain PROD_FW_NG_CHAIN (1 references)
target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:7800

Chain PROD_FW_ORACLE_CHAIN (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  172.23.166.174       0.0.0.0/0            tcp dpt:1521

Chain PXGRID (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            172.23.166.174       tcp dpt:5222
ACCEPT     tcp  --  172.23.166.174       0.0.0.0/0            tcp dpt:7400

Chain RATELIMIT (1 references)
target     prot opt source               destination         
CONNLIMIT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain SXP (1 references)
target     prot opt source               destination

(Radiatejava) #2

So far I have not received a reply, but right now I want a clarification. I have kept the docker0 bridge in a custom network like this:
/bin/docker daemon --bip=169.254.0.254/24 --fixed-cidr=169.254.0.0/24

And I created a network like this, where I have put all my containers:
docker network create --driver=bridge --subnet=169.254.1.0/24 --ip-range=169.254.1.0/25 --gateway=169.254.1.1

I have a web server running on the local host at its (LAN) IP 172.23.166.174. From the container, I want to talk to the web server using https://172.23.166.174:443/ but this is failing. The container is not able to reach the LAN IP of the host. Any other node in the same LAN, like 172.23.166.175, or outside, like www.google.com, it is able to reach fine.

I want to know what I am doing wrong. Appreciate the reply, thanks.


(Keithroberts) #3

Hi there.

You can access the Docker host from a container using the bridge default gateway of 172.17.0.1.

This is the first IP address assigned on the bridge network before any containers get their IPs assigned:

vagrant@vagrant-ubuntu-trusty-64:/$ docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "174f7293b1ebe9826c863e83bb443127ee03b83fec5be999c8bb4b2e9123d69e",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },

HTH

Keith


(Radiatejava) #4

I know that from the container I can communicate with the docker0 IP address. I am looking for communication from the container to the host’s original public IP address (the one that was assigned to it, for example its eth0 IP).


(Johncicilio) #5

I am seeing the same error when changing the default bridge network or adding another bridge network with a different IP range. Please let me know if you have found a resolution to this.


(dmmatos) #6

Hello @radiatejava, did you find a solution on how to access a machine outside the Docker network (docker0), as you mentioned, for example on eth0?
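
Added example, not part of any post in this thread: the listing in post #1 was produced with `iptables -n -L`, which omits the in/out interface columns, so a rule that prints as `ACCEPT tcp dpt:443` may only apply to one interface. The sketch below walks a constructed `iptables -S` rule set for a container packet addressed to the host's LAN IP, which is evaluated by INPUT rather than FORWARD. The rule text, the eth0 binding, the interface name `br-example` and the scoped rule are assumptions for illustration; only the addresses come from the thread.

```python
from ipaddress import ip_address, ip_network
# Constructed `iptables -S` rules, NOT the poster's real set: INPUT policy DROP
# as in the thread, with the ACCEPT rules assumed to be bound to eth0.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -j DEFAULTCHAIN
-A DEFAULTCHAIN -i lo -j ACCEPT
-A DEFAULTCHAIN -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
"""
# Hypothetical narrow rule: container subnet to the host's 443 only.
SCOPED_RULE = ("-A DEFAULTCHAIN -s 169.254.1.0/24 -d 172.23.166.174/32 "
               "-p tcp -m tcp --dport 443 -j ACCEPT\n")
# Locally destined, so INPUT judges it; arrives on bridge "br-example" (made-up name).
PKT = {"in_if": "br-example", "proto": "tcp", "dport": 443,
       "src": "169.254.1.4", "dst": "172.23.166.174"}

def parse(text):
    """Parse the -P/-A subset used above into (policies, chains)."""
    policies, chains = {}, {}
    for tok in map(str.split, text.splitlines()):
        if tok[:1] == ["-P"]:
            policies[tok[1]] = tok[2]
        elif tok[:1] == ["-A"]:
            rule = dict(zip(tok[2::2], tok[3::2]), raw=" ".join(tok))
            chains.setdefault(tok[1], []).append(rule)
    return policies, chains

def matches(rule, pkt):
    """True if every match the rule specifies agrees with the packet."""
    return all((
        rule.get("-i", pkt["in_if"]) == pkt["in_if"],
        rule.get("-p", pkt["proto"]) == pkt["proto"],
        "--dport" not in rule or int(rule["--dport"]) == pkt["dport"],
        "-s" not in rule or ip_address(pkt["src"]) in ip_network(rule["-s"]),
        "-d" not in rule or ip_address(pkt["dst"]) in ip_network(rule["-d"]),
    ))

def walk(chains, chain, pkt):
    """First terminating rule hit, following jumps; None if none matched."""
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            if rule["-j"] in ("ACCEPT", "DROP", "REJECT"):
                return rule["-j"], rule["raw"]
            if hit := walk(chains, rule["-j"], pkt):
                return hit
    return None

def verdict(rules_text, pkt):
    policies, chains = parse(rules_text)
    return walk(chains, "INPUT", pkt) or (policies["INPUT"], "chain policy")
```

On a real host, `iptables -S` or `iptables -L -n -v` shows the interface matches that the listing in post #1 leaves out; real rule sets use more match types than this subset handles.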