I have a similar problem to this post here, though I don't think my IP ranges collide: https://forums.docker.com/t/service-is-unreachable-on-host-ip-localhost-works/78515

I'm exposing a webserver via docker on port 443 and I can access it via 127.0.0.1:443 as well as from outside the host. I cannot access that webserver via the host IP and I am pulling my hair out over why this may be.

To make things reproducible, let me fire up a netcat container (that is listening on all interfaces inside the container) - I have the same problem on port 443 obviously:

$ docker run -ti --rm -p 8182:8182 chilcano/netcat:jessie -vvl -p 8182
->>>>>> (Executing '/bin/netcat -vvl -p 8182') <<<<<<-
listening on [any] 8182 ...

Docker is listening on all local interfaces on 8182 ✅

$  lsof -i :8182
COMMAND     PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
docker-pr 11152 root    4u  IPv4 1183427772      0t0  TCP *:8182 (LISTEN)

Connecting to netcat in docker from the host works when using localhost ✅

$  nc -vz 127.0.0.1 8182
localhost [127.0.0.1] 8182 open

The problem starts when using the local host's IP and trying to reach the docker container like that ❌

$  nc -vz 192.168.176.111 8182
ramirez.domain.local [192.168.176.111] 8182: Network is unreachable

I can ping the host just fine and access other things that run on the host via its IP (e.g. when running netcat -vvl -p 8182 directly on the host instead of in the docker container, everything works).

When calling the same IP from another device in the network, everything works ✅, so this is a local problem of the docker host.

$  nc -vz 192.168.176.111 8182
Connection to 192.168.176.111 8182 port [tcp/*] succeeded!

The routing table as well as iptables looks fine to me, but I'm no expert.

$ ip a
# anonymized mac address
6: ovs_eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.176.111/24 brd 192.168.176.255 scope global ovs_eth0
       valid_lft forever preferred_lft forever

route:

$  ip route
default via 192.168.176.1 dev ovs_eth0  src 192.168.176.111
169.254.0.0/16 dev ovs_eth1  proto kernel  scope link  src 169.254.106.154 dead linkdown
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1
192.168.127.0/24 dev docker-976f9fbf  proto kernel  scope link  src 192.168.127.1
192.168.128.0/24 dev docker-bd2edfee  proto kernel  scope link  src 192.168.128.1
192.168.176.0/24 dev ovs_eth0  proto kernel  scope link  src 192.168.176.111
192.168.254.0/24 dev docker-2de11f77  proto kernel  scope link  src 192.168.254.1

iptables:

$  iptables -L -v -n
Chain INPUT (policy ACCEPT 78080 packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination
 210M  299G DOS_PROTECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 218M  241G DEFAULT_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 76525 packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DEFAULT_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
 230K  276M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 231K  276M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker-8cfed06e  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker-8cfed06e  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker-8cfed06e !docker-8cfed06e  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker-8cfed06e docker-8cfed06e  0.0.0.0/0            0.0.0.0/0
7254K   23G ACCEPT     all  --  *      docker-f06ef418  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
19005 1140K DOCKER     all  --  *      docker-f06ef418  0.0.0.0/0            0.0.0.0/0
4614K 1362M ACCEPT     all  --  docker-f06ef418 !docker-f06ef418  0.0.0.0/0            0.0.0.0/0
19005 1140K ACCEPT     all  --  docker-f06ef418 docker-f06ef418  0.0.0.0/0            0.0.0.0/0
2270K 2424M ACCEPT     all  --  *      docker-f95cea99  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
1549K  101M DOCKER     all  --  *      docker-f95cea99  0.0.0.0/0            0.0.0.0/0
1814K 1273M ACCEPT     all  --  docker-f95cea99 !docker-f95cea99  0.0.0.0/0            0.0.0.0/0
1549K  101M ACCEPT     all  --  docker-f95cea99 docker-f95cea99  0.0.0.0/0            0.0.0.0/0
  14M 8442M ACCEPT     all  --  *      docker-45bb17c5  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
14118  846K DOCKER     all  --  *      docker-45bb17c5  0.0.0.0/0            0.0.0.0/0
 7237  714K ACCEPT     all  --  docker-45bb17c5 !docker-45bb17c5  0.0.0.0/0            0.0.0.0/0
14118  846K ACCEPT     all  --  docker-45bb17c5 docker-45bb17c5  0.0.0.0/0            0.0.0.0/0
 5238   23M ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
 3332  216K ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !docker-45bb17c5 docker-45bb17c5  0.0.0.0/0            192.168.254.254      tcp dpt:2375
    0     0 ACCEPT     tcp  --  !docker-f95cea99 docker-f95cea99  0.0.0.0/0            192.168.127.127      tcp dpt:8888
    0     0 ACCEPT     tcp  --  !docker-f95cea99 docker-f95cea99  0.0.0.0/0            192.168.127.168      tcp dpt:8080
    0     0 ACCEPT     tcp  --  !docker-f95cea99 docker-f95cea99  0.0.0.0/0            192.168.127.168      tcp dpt:443
    0     0 ACCEPT     tcp  --  !docker-f95cea99 docker-f95cea99  0.0.0.0/0            192.168.127.168      tcp dpt:80
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:8182

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker-8cfed06e !docker-8cfed06e  0.0.0.0/0            0.0.0.0/0
4614K 1362M DOCKER-ISOLATION-STAGE-2  all  --  docker-f06ef418 !docker-f06ef418  0.0.0.0/0            0.0.0.0/0
1814K 1273M DOCKER-ISOLATION-STAGE-2  all  --  docker-f95cea99 !docker-f95cea99  0.0.0.0/0            0.0.0.0/0
 7237  714K DOCKER-ISOLATION-STAGE-2  all  --  docker-45bb17c5 !docker-45bb17c5  0.0.0.0/0            0.0.0.0/0
 3332  216K DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
 211M  239G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker-8cfed06e  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker-f06ef418  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker-f95cea99  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker-45bb17c5  0.0.0.0/0            0.0.0.0/0
98306 8258K DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
  38M   19G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 211M  239G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOS_PROTECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   13   876 RETURN     icmp --  ovs_eth0 *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1000/sec burst 5
    0     0 DROP       icmp --  ovs_eth0 *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 270K   11M RETURN     tcp  --  ovs_eth0 *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04 limit: avg 1/sec burst 5
16881  675K DROP       tcp  --  ovs_eth0 *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04
 347K   20M RETURN     tcp  --  ovs_eth0 *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 10000/sec burst 100
    0     0 DROP       tcp  --  ovs_eth0 *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
Dennis G
  • show `iptables -L -v -n` – AlexD Jan 27 '22 at 14:51
  • I updated with `iptables -L -v -n` – Dennis G Jan 28 '22 at 22:29
  • Are you on a "home" network? If so, many home routers don't allow accessing your own external IP. See https://superuser.com/q/1047745/2013 Try using a web proxy like https://hidester.com/proxy/ – Nifle Feb 02 '22 at 08:57
  • The IP I'm trying to access is the internal IP, not external IP - i.e. it is just the IP the router assigns my docker host (in this case it's static). When using the external WAN IP everything works. – Dennis G Feb 03 '22 at 10:39

0 Answers