
I am using Docker 0.7.0 to create containers on RedHat Enterprise Linux 6.5. When the firewall is turned off, containers can talk to the outside world, but when the firewall is on, the container cannot be accessed from outside.

This is how I am running Docker and mapping a port from the host to the container:

$ docker run -i -t -p 3838:3838 shiny "shiny-server"

Without the firewall, I can access the Node.js server running inside the container on port 3838 from the outside network as http://servername:3838, but not with the firewall turned on.

These are my default firewall rules:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I have tried opening port 3838 by adding the rule below, but it does not work:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 3838 -j ACCEPT

Docker is creating a virtual NAT on the host machine; I feel that somehow the firewall is blocking packet forwarding from eth0 to docker0.

I need help in configuring iptables so that Docker containers can be accessed from the outside network, without the need to turn off the entire firewall.

This is the output of $ ifconfig (I have masked the server IP):

docker0   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::87d:8dff:fed0:f16d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:408321 errors:0 dropped:0 overruns:0 frame:0
          TX packets:681809 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:126511933 (120.6 MiB)  TX bytes:924200959 (881.3 MiB)

eth0      Link encap:Ethernet  HWaddr 00:25:64:A8:5B:8F
          inet addr:XXX.XXX.XXX.XXX  Bcast:XXX.XXX.XXX.XXX  Mask:255.255.240.0
          inet6 addr: XXXX::XXX:XXXX:XXXX:XXXX/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29786186 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1137982 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4209047011 (3.9 GiB)  TX bytes:234657696 (223.7 MiB)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8444 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4701771 (4.4 MiB)  TX bytes:4701771 (4.4 MiB)

Output of $ docker version:

Client version: 0.7.0
Go version (client): go1.1.2
Git commit (client): 0ff9bc1/0.7.0
Server version: 0.7.0
Git commit (server): 0ff9bc1/0.7.0
Go version (server): go1.1.2
Last stable version: 0.7.2, please update docker

Output of $ docker info:

Containers: 321
Images: 278
Driver: devicemapper
 Pool Name: docker-8:17-13239310-pool
 Data file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata file: /var/lib/docker/devicemapper/devicemapper/metadata
 Data Space Used: 56464.5 Mb
 Data Space Total: 102400.0 Mb
 Metadata Space Used: 59.5 Mb
 Metadata Space Total: 2048.0 Mb

2 Answers

4

I believe you also have to allow the packets in on the FORWARD chain. You'll also need to make sure the ALLOW rules you're adding come before the REJECT rules, since iptables works on a first-match-wins basis.

1
  • Could you please elaborate on how I would do this? I have followed this tutorial, but have been unsuccessful: centos.org/docs/4/html/rhel-sg-en-4/s1-firewall-ipt-fwd.html. BTW, I created a similar setup on Ubuntu and changed DEFAULT_FORWARD_POLICY from "DROP" to "ALLOW", and I seem to be able to access Docker from outside. But I am unable to figure out how to do the same with RedHat/CentOS. Commented Jan 3, 2014 at 1:03
4

I had a similar problem, and the solution was missing masquerading - although that would not explain why it works for you with no filter rules at all.

How about you try to add the following rules:

*filter
[...]
-A FORWARD -d 172.17.42.0/16 -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.17.42.0/16 -i docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o docker0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i docker0 -j REJECT --reject-with icmp-port-unreachable

*nat
[...]
-A POSTROUTING -s 172.17.42.0/16 ! -d 172.17.42.0/16 -p tcp -j MASQUERADE --to-ports 1016-65535
-A POSTROUTING -s 172.17.42.0/16 ! -d 172.17.42.0/16 -p udp -j MASQUERADE --to-ports 1016-65535
-A POSTROUTING -s 172.17.42.0/16 ! -d 172.17.42.0/16 -j MASQUERADE
2
  • Thanks @liquidat. Actually, this issue is now fixed with a recent Docker release. I am not sure about the details, but maybe they did what you just suggested. Commented Jun 12, 2014 at 16:49
  • Ah, good to know. Still, I would be happy if you would give me at least an upvote, I'm still earning my reputation here ;-) Commented Jun 13, 2014 at 12:44
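The two points the first answer makes (forwarded traffic is judged on the FORWARD chain, and an ACCEPT appended after a catch-all REJECT never matches because iptables stops at the first match) can be checked without touching a live host. The script below is an added example written for this page, not code from the question or from either answer. It parses an iptables-save style dump, walks a chain the way netfilter does, and lists rules that an earlier terminating rule makes unreachable. The question's own filter rules are embedded as the sample; where the asker's port-3838 rule ended up is not stated, so it is placed where `-A` would append it, after the REJECTs. The FORWARD-chain ACCEPT, the client address 203.0.113.10 and the container address 172.17.0.2 are this example's assumptions. The parser is general enough to audit any dump, including the rules from the second answer, for a flow you describe.

```python
# Added example (not from the question or either answer): a first-match-wins audit
# of an iptables-save dump. Only the options seen on this page are modelled
# (-i/-o/-p/-s/-d/--dport/--state/--ctstate); jumps to user-defined chains are not followed.
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
IGNORED = {"-m", "--reject-with", "--to-ports"}  # take an argument, never affect matching here
FLAG = {"-A": "chain", "-i": "in", "-o": "out", "-p": "proto", "-j": "target", "-s": "src", "-d": "dst"}

def parse_rule(line):
    """One '-A CHAIN ...' line -> dict of matchers plus 'chain' and 'target'."""
    toks, rule, i, neg = shlex.split(line), {}, 0, False
    while i < len(toks):
        tok, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if tok == "!":                                   # negates the matcher that follows
            neg, i = True, i + 1
            continue
        if tok in ("-s", "-d"):                          # stored as (network, negated)
            rule[FLAG[tok]] = (ipaddress.ip_network(arg, strict=False), neg)
        elif tok in FLAG:
            rule[FLAG[tok]] = arg
        elif tok == "--dport":
            rule["dport"] = int(arg)
        elif tok in ("--state", "--ctstate"):
            rule["states"] = frozenset(arg.split(","))
        elif tok not in IGNORED:
            raise ValueError("unsupported option %r in: %s" % (tok, line))
        neg, i = False, i + 2
    return rule

def parse_dump(text):
    """Return ({(table, chain): [rules]}, {(table, chain): policy})."""
    rules, policies, table = {}, {}, None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line[0] == "*":
            table = line[1:]
        elif line[0] == ":":
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)], rules[(table, chain)] = policy, []
        elif line[0] == "-":                             # '#' comments and COMMIT fall through
            rule = parse_rule(line)
            rules.setdefault((table, rule["chain"]), []).append(rule)
    return rules, policies

def matches(rule, pkt):
    """True when every matcher of the rule is satisfied by the packet."""
    for key in ("in", "out", "proto", "dport"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "states" in rule and pkt.get("state") not in rule["states"]:
        return False
    for key in ("src", "dst"):                           # for a negated net, "inside" means no match
        if key in rule and (ipaddress.ip_address(pkt[key]) in rule[key][0]) == rule[key][1]:
            return False
    return True

def verdict(rules, policies, table, chain, pkt):
    """Walk a chain as netfilter does: the first matching terminating rule decides."""
    for idx, rule in enumerate(rules.get((table, chain), [])):
        if rule.get("target") in TERMINAL and matches(rule, pkt):
            return rule["target"], idx
    return policies.get((table, chain), "ACCEPT"), None

def implies(later, earlier):
    """True when every packet matching `later` also matches `earlier` (conservative check)."""
    for key in ("in", "out", "proto", "dport", "src", "dst"):
        if key in earlier and later.get(key) != earlier[key]:
            return False
    return "states" not in earlier or ("states" in later and later["states"] <= earlier["states"])

def unreachable(rules, table, chain):
    """Indexes of rules that some earlier terminating rule always wins against."""
    chain_rules = rules.get((table, chain), [])
    return [i for i, r in enumerate(chain_rules)
            if any(e.get("target") in TERMINAL and implies(r, e) for e in chain_rules[:i])]

# The question's filter table, split so the asker's port-3838 rule can sit on either side of the REJECTs.
BASE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
"""
REJECTS = ("-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
           "-A FORWARD -j REJECT --reject-with icmp-host-prohibited\n")
PORT_RULE = "-A INPUT -m state --state NEW -m tcp -p tcp --dport 3838 -j ACCEPT\n"
# A FORWARD-chain ACCEPT in the spirit of answer 1; its exact form is this example's assumption.
FORWARD_RULE = "-A FORWARD -o docker0 -m state --state NEW -m tcp -p tcp --dport 3838 -j ACCEPT\n"
QUESTION_RULES = BASE + REJECTS + PORT_RULE + "COMMIT\n"               # -A appends: lands after the REJECTs
FIXED_RULES = BASE + PORT_RULE + FORWARD_RULE + REJECTS + "COMMIT\n"   # every ACCEPT ahead of the REJECTs

# Constructed sample flow: a new connection from 203.0.113.10 already DNATed to a container
# at 172.17.0.2 (inside docker0's 172.17.0.0/16), now crossing eth0 -> docker0.
FORWARDED = {"in": "eth0", "out": "docker0", "proto": "tcp", "dport": 3838,
             "src": "203.0.113.10", "dst": "172.17.0.2", "state": "NEW"}

def audit(dump, pkt=FORWARDED):
    """Decision for pkt on filter/FORWARD plus the unreachable rules per chain."""
    rules, policies = parse_dump(dump)
    return {"forward": verdict(rules, policies, "filter", "FORWARD", pkt),
            "dead": {c: unreachable(rules, "filter", c) for c in ("INPUT", "FORWARD")}}
```

`audit(QUESTION_RULES)` reports that the forwarded packet is rejected by the catch-all FORWARD rule at index 0 and that the appended INPUT rule (index 7) is unreachable; `audit(FIXED_RULES)` reports the packet accepted by the docker0 rule and no dead rules. To audit a real host, feed the output of iptables-save to parse_dump and describe the flow you care about as a dict like FORWARDED.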
