Docker Community Forums

[Solved] Docker IPTables rules not allowing connection to host interface

  • Host-system: Debian 5.8.0-0.bpo.2-amd64
  • Docker: 19.03.13, build 4484c46d9d
  • Host IP: 192.168.1.21 {I sit on the same subnet.}
  • Host Interface: ens192
  • Goal: From my PC (192.168.1.x) connect to the host (192.168.1.21) via port 81 to access the WebGUI for OMV. Docker iptables rules are causing a problem.

I’m running OpenMediaVault 5.x with Docker on the host machine and was able to access the OpenMediaVault WebGUI through 192.168.1.21:80.

To avoid conflict with a container that needs to use ports 443 and 80, I switched the OMV WebGUI port to 81. Now I only get a refused connection when I try to connect to said WebGUI.

I read through the documentation and found I need to use DOCKER-USER to set up my own iptables rules, but I am at a loss here as to what to configure in DOCKER-USER. Here is the iptables-save output:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-94326f21ec35 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 8000 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-94326f21ec35 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.2:9000
-A DOCKER ! -i br-94326f21ec35 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.2:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 172.17.0.2:8000
-A DOCKER ! -i br-94326f21ec35 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.2:80
COMMIT
# Completed on Wed Nov 18 10:28:22 2020
# Generated by xtables-save v1.8.2 on Wed Nov 18 10:28:22 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-94326f21ec35 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-94326f21ec35 -j DOCKER
-A FORWARD -i br-94326f21ec35 ! -o br-94326f21ec35 -j ACCEPT
-A FORWARD -i br-94326f21ec35 -o br-94326f21ec35 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-94326f21ec35 -o br-94326f21ec35 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-94326f21ec35 -o br-94326f21ec35 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-94326f21ec35 ! -o br-94326f21ec35 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-94326f21ec35 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT

Thanks in advance.
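The iptables-save dump above already contains the answer to the question being asked, and the following POSIX shell script (an added example, not code from the thread or from the Docker project) shows how to read it off mechanically. It takes an excerpt of the posted dump as constructed inline input and, for a given host port, reports whether Docker's nat DOCKER chain DNATs that port into a container, what the filter INPUT policy is, and whether DOCKER-USER holds anything beyond its default RETURN. The point it makes: DOCKER-USER is only reached from FORWARD, so it can never block traffic to a service running on the host itself, and port 81 is not published by any container, so Docker's rules are not what refuses the connection.

```shell
#!/bin/sh
# Excerpt of the iptables-save output posted in the thread, embedded here as
# constructed test data (nat DNAT rules, filter policies, DOCKER-USER chain).
IPT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.2:9000
-A DOCKER ! -i br-94326f21ec35 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.2:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 172.17.0.2:8000
-A DOCKER ! -i br-94326f21ec35 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.2:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT'

# Print the container endpoint Docker DNATs a host TCP port to (nat table,
# DOCKER chain), or nothing if no container publishes that port.
docker_dnat_target() {
  # $1 = iptables-save text, $2 = host port
  printf '%s\n' "$1" | awk -v port="$2" '
    /^\*/ { table = substr($0, 2) }
    table == "nat" && $2 == "DOCKER" && / -j DNAT / {
      for (i = 1; i <= NF; i++)
        if ($i == "--dport" && $(i+1) == port)
          for (j = i; j <= NF; j++)
            if ($j == "--to-destination") print $(j+1)
    }'
}

# Print the default policy of a built-in chain, e.g. chain_policy "$dump" filter INPUT.
chain_policy() {
  # $1 = iptables-save text, $2 = table, $3 = chain
  printf '%s\n' "$1" | awk -v t="$2" -v c="$3" '
    /^\*/ { table = substr($0, 2) }
    table == t && substr($1, 1, 1) == ":" && substr($1, 2) == c { print $2 }'
}

# Succeed (exit 0) if DOCKER-USER still holds only Docker's default RETURN,
# i.e. the administrator has not added any rules of their own.
docker_user_is_default() {
  rules=$(printf '%s\n' "$1" | awk '
    /^\*/ { table = substr($0, 2) }
    table == "filter" && $1 == "-A" && $2 == "DOCKER-USER" && !/^-A DOCKER-USER -j RETURN$/ { n++ }
    END { print n + 0 }')
  [ "$rules" -eq 0 ]
}

# One-line verdict for a host port: either Docker owns it via DNAT, or it is
# plain host traffic that only the filter INPUT chain can accept or refuse.
explain_host_port() {
  # $1 = iptables-save text, $2 = host port
  target=$(docker_dnat_target "$1" "$2")
  if [ -n "$target" ]; then
    echo "port $2: DNATed by Docker to $target; a host service on $2 is shadowed for outside clients"
  else
    echo "port $2: not published by Docker; INPUT policy is $(chain_policy "$1" filter INPUT), DOCKER-USER (FORWARD only) cannot touch it"
  fi
}

explain_host_port "$IPT_DUMP" 81
explain_host_port "$IPT_DUMP" 80
if docker_user_is_default "$IPT_DUMP"; then
  echo "DOCKER-USER: default (RETURN only), no custom rules in effect"
fi
```

Run against the live system with `IPT_DUMP=$(iptables-save)` instead of the embedded excerpt. If the port is not DNATed and INPUT is ACCEPT, a "connection refused" is coming from the service itself (nothing listening, or listening on a different address or port), not from Docker's netfilter rules.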

I’ve encountered a very similar situation, but adding -A INPUT -i docker0 -j ACCEPT will open all access over my eth0 interface of the docker host to containers, which is absolutely not what I intended.

And since I noticed that my container just had limited access (say, only port 22) to the host interface instead of being totally shut out of the host network, I reviewed my iptables rules and found a rule in the chain IN_public_allow which should be responsible for this. The rule is -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT. So I added similar rules to allow my container to access the other host ports desired, which I think could be a slightly more precise way to open host network access to containers.

Thing is, I do not have such a chain to configure. The output I provided is what I have. :/// But I still appreciate your answer.

Mystery solved. I checked all the logs and found in the end that the culprit was a server setting that should have been in an http setting, but was instead placed in a mail setting in nginx.conf.