I have a fresh, off-the-shelf Ubuntu 22.04 installation and installed Docker according to the book.
I also spun up three containers using docker-compose, and they show up fine in docker ps.
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
60cf25f59a92 jc21/nginx-proxy-manager:latest "/init" 48 minutes ago Up 8 minutes 0.0.0.0:80-81->80-81/tcp, :::80-81->80-81/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp infra_nginx_proxy_1
f8081b137abf graylog/graylog:4.2 "tini -- /docker-ent…" 55 minutes ago Up 8 minutes (healthy) 0.0.0.0:1514->1514/tcp, :::1514->1514/tcp, 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp infra_graylog_1
d3fef3332752 elasticsearch:7.9.3 "/tini -- /usr/local…" 55 minutes ago Up 8 minutes 9200/tcp, 9300/tcp infra_elasticsearch_1
6b7920e89790 mongo:4.4.9 "docker-entrypoint.s…" 56 minutes ago Up 8 minutes 27017/tcp infra_mongo_db_1
Now, when I try to curl one of them locally, all is fine:
root$: curl http://localhost:81
<!doctype html><html lang="en" dir="ltr"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,user-scalable=no,initial-scale=1,maximum-scale=1,minimum-scale=1">...
But the same curl (against the public IP, of course) ends in a timeout.
Running tcpdump on the Docker host reveals that the traffic is arriving:
root$: tcpdump port 81
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:53:34.520888 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, options [mss 1460,sackOK,TS val 1217328475 ecr 0,nop,wscale 7], length 0
19:53:35.535503 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, options [mss 1460,sackOK,TS val 1217329490 ecr 0,nop,wscale 7], length 0
19:53:37.551436 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, options [mss 1460,sackOK,TS val 1217331506 ecr 0,nop,wscale 7], length 0
19:53:41.775510 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, options [mss 1460,sackOK,TS val 1217335730 ecr 0,nop,wscale 7], length 0
The iptables rules (all generated by Docker) look like this:
sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:https
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:81
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:http
ACCEPT tcp -- anywhere 172.18.0.5 tcp dpt:9000
ACCEPT tcp -- anywhere 172.18.0.5 tcp dpt:1514
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
And even nmap shows that all doors are open:
root$: sudo nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-12 19:56 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000013s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
81/tcp open hosts2-ns
443/tcp open https
9000/tcp open cslistener
Interestingly, when spinning up a local web server (after having shut down the containers), e.g. with python3 -m http.server 81, it starts and is reachable. So an issue with the external firewall or even the host operating system I can sort of rule out...
Please help and advise.
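To make the tcpdump evidence above machine-checkable, here is an added Python helper (not from the post, Docker or any answer) that parses tcpdump's default one-line TCP output, groups SYNs per connection and flags flows that keep retransmitting a SYN without ever getting a SYN-ACK back; the sample capture is constructed from the four lines in the post plus one healthy connection to port 80 for contrast.

```python
import re
from collections import defaultdict

# One tcpdump line: timestamp, "IP", src.port > dst.port: Flags [..], seq N ...
PKT = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)"
)

def unanswered_syns(lines):
    """Group SYNs per 4-tuple and report flows that never received a SYN-ACK.

    Repeated SYNs with the same sequence number are client retransmits: the
    packet reached this interface but nothing answered, so the drop happens on
    the host between the NIC and the listener (here: the published container
    port), not on the network in front of it."""
    syns = defaultdict(list)   # (src, sport, dst, dport) -> [seq, ...]
    answered = set()           # client 4-tuples that got a SYN-ACK
    for line in lines:
        m = PKT.match(line)
        if not m:
            continue           # banner lines such as "listening on eth0 ..."
        pkt = m.groupdict()
        key = (pkt["src"], int(pkt["sport"]), pkt["dst"], int(pkt["dport"]))
        if pkt["flags"] == "S":
            syns[key].append(int(pkt["seq"]))
        elif pkt["flags"] == "S.":
            # SYN-ACK travels server -> client; store it keyed as the client's 4-tuple
            answered.add((pkt["dst"], int(pkt["dport"]), pkt["src"], int(pkt["sport"])))
    report = []
    for (src, sport, dst, dport), seqs in syns.items():
        if (src, sport, dst, dport) in answered:
            continue
        report.append({"client": f"{src}:{sport}", "server": f"{dst}:{dport}",
                       "syn_count": len(seqs), "retransmits": len(seqs) - len(set(seqs))})
    return report

# Constructed sample: the post's four SYNs to port 81 (options trimmed) and a
# made-up healthy handshake to port 80 that must not be reported.
SAMPLE = """\
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:53:34.520888 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, length 0
19:53:35.535503 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, length 0
19:53:37.551436 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, length 0
19:53:41.775510 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, length 0
19:55:01.000000 IP 10.0.1.27.51950 > docker-infrastruktur.80: Flags [S], seq 1000, win 64240, length 0
19:55:01.000412 IP docker-infrastruktur.80 > 10.0.1.27.51950: Flags [S.], seq 5000, ack 1001, win 65160, length 0
"""

if __name__ == "__main__":
    for finding in unanswered_syns(SAMPLE.splitlines()):
        print(finding)
```

Feed it `tcpdump -n port 81` output from the host; a flow listed with retransmits but no SYN-ACK means the SYN was seen on eth0 and silently discarded afterwards, which is exactly the situation the capture above shows.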