6

I want to access docker containers only locally behind the csf firewall on a remote Ubuntu server. I changed the DOCKER settings options in /etc/csf/csf.conf to 1 to allow docker to change iptable rules.

If I am starting my container with -p 8000:8000, the port 8000 is exposed to the whole world (I can access the website with mydomain.com:8000, as expected, but not what I wanted). If I am starting the container with -p 127.0.0.1:8000:8000 I can't access it with mydomain.com:8000 (which is great), but in both cases calling localhost:8000 will result in an ERR_EMPTY_RESPONSE error in Chrome or curl: (52) Empty reply from server in the terminal.

Tried it with different containers and different ports. After disabling csf, it works without the empty-reply-error so is must be related to csf.

How to configure csf to expose and access docker container over specific ports only locally?

Sidenote: I am working remotely on the server with ssh [email protected] -L 8000:localhost:8000.

Improve this question
1
  • thanks for your question, before this moment i exposed to public the port, now the ports only be allowed by the nginx proxy Commented Dec 28, 2021 at 5:18

1 Answer 1

Reset to default
6

Had the same scenario. Found that packets from lo to docker0 were being blocked by CSF's OUTPUT ruleset.

Resolved by adding "docker0" to ETH_DEVICE_SKIP, which causes CSF to add a blanket ACCEPT rule to the INPUT and OUTPUT chains for this interface. This should not be a problem since AFAIK docker0 should never be bound to a physical interface, but someone with more Docker experience might know otherwise.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.