Able to connect to some ports open in iptables and not others

This is arch linux, kernel 4.18.0-rc3.

I've run these commands:

iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Allow local
iptables -A INPUT -i lo -j ACCEPT

# Allow services
iptables -A INPUT -p tcp -m tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 53 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8000 -s 192.168.0.0/24 -j ACCEPT

# Allow established
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

And running iptables -nvL produces:

Chain INPUT (policy DROP 2120 packets, 121K bytes)
pkts bytes target prot opt in out source destination
116 15649 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
36 2432 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:22
1 44 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:53
4 160 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
3 132 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:8000

Which I think looks good; I've omitted some extra docker chains that it adds itself. But then if I nmap from another host on the network I get:

Host is up (0.0020s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
443/tcp closed https
MAC Address: D4:5D:DF:13:98:A5 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 4.89 seconds

So, the bit that doesn't work:

  • port 80 isn't there, but ss shows me it's listening and I can curl to it - nginx running in docker

  • port 53 is there, and ss shows me it's listening but I can't dig it, it times out - dnsmasq not running in docker

I'm assuming these are related, as if I stop the iptables service everything goes through ok; not sure which way to go next though. Any suggestions what I'm missing?

Edit:

$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7c91645b13e0 jenkins/jenkins:lts "/sbin/tini -- /usr/…" 11 hours ago Up 11 hours 8080/tcp, 50000/tcp jenkins_jenkins_1
be584769dae7 nginx:1 "nginx -g 'daemon of…" 11 hours ago Up 10 hours 0.0.0.0:80->80/tcp website_nginx_1
6fdc045ae863 mongo:3 "docker-entrypoint.s…" 36 hours ago Up 11 hours 27017/tcp wikijs_mongo_1
abf884b83aeb requarks/wiki "supervisord --nodae…" 36 hours ago Up 11 hours 3000/tcp wikijs_wiki_1

$ ss -tlan
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 32 0.0.0.0:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
ESTAB 0 0 192.168.0.12:34196 192.168.0.209:8009
TIME-WAIT 0 0 192.168.0.12%enp5s0:37082 138.201.81.199:80
ESTAB 0 0 192.168.0.12:58514 151.101.17.140:443
ESTAB 0 0 192.168.0.12:22 192.168.0.99:58500
ESTAB 0 0 192.168.0.12:34380 192.168.0.147:8009
ESTAB 0 0 172.19.0.1:59316 172.19.0.3:80
ESTAB 0 0 172.19.0.1:59304 172.19.0.3:80
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:4243 *:*
LISTEN 0 32 [::]:53 [::]:*
LISTEN 0 128 [::]:22 [::]:*
ESTAB 0 0 [::ffff:192.168.0.12]:80 [::ffff:192.168.0.99]:60214
ESTAB 0 0 [::ffff:192.168.0.12]:80 [::ffff:192.168.0.99]:60323





edited Jul 5 at 8:15
asked Jul 4 at 20:24
rich
  • Can you show the docker ps output, I'd like to see how the containers are set up.
    – slm♦
    Jul 4 at 23:32

  • Also please show the output of netstat -tapn, specifically focus on the docker containers. They should be listening on the correct IPs.
    – slm♦
    Jul 4 at 23:54

  • Also, the exact nmap command.
    – Jeff Schaller
    Jul 5 at 2:18

  • This is a strange INPUT chain, if I have ever seen one. But I suppose it works. Are you certain your dnsmasq is listening on TCP port 53? Usually DNS uses UDP, but I suppose TCP can work as well these days.
    – Bananguin
    Jul 5 at 8:13

  • Added most of the requested output above - I think bind addresses, etc. are probably ok as it all works if I stop iptables (and because of the ss output - arch ships with this instead of netstat). UDP was a good catch on DNS - that works now. The nmap command was just the default against the host, no flags. Happy to take less strange iptables setup suggestions if that helps!
    – rich
    Jul 5 at 8:22
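To make the diagnosis in the comment thread repeatable, here is an added example (not code from the question or its commenters) that replays a fresh connection from the LAN against the INPUT chain above. It parses the `iptables -nvL` listing exactly as the question printed it and a constructed `ss -tuln` style table (the dnsmasq UDP/53 socket is assumed, since the question captured only TCP listeners with `ss -tlan`), decodes the `flags:MASK/COMP`, `state` and `dpt:` matches, and lists every listener whose verdict is not ACCEPT. On this ruleset that is UDP/53, which is why `dig` timed out while TCP/53 showed as open, and TCP/4243. The simulation covers the IPv4 filter INPUT chain only: the `[::]` listeners in the `ss` output are governed by ip6tables, and ports Docker publishes pass through the Docker chains the question omitted, so container port 80 is not judged here.

```python
"""Simulate a new LAN connection through an iptables INPUT chain.

Added example, not from the original question. Parses the `iptables -nvL`
listing from the question plus a constructed `ss -tuln` style table, and
reports listeners a fresh connection from the LAN would not reach.
IPv4 filter INPUT only: Docker's chains and ip6tables are out of scope.
"""
import ipaddress
import re

SYN = 0x02  # TCP flag bits as iptables prints them: FIN 0x01 SYN 0x02 RST 0x04 PSH 0x08 ACK 0x10 URG 0x20

# The INPUT chain as the question's `iptables -nvL` printed it.
IPTABLES_NVL = """\
Chain INPUT (policy DROP 2120 packets, 121K bytes)
pkts bytes target prot opt in out source destination
116 15649 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
36 2432 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:22
1 44 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:53
4 160 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
3 132 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:8000
"""

# Constructed `ss -tuln` style table (assumed, not from the question): the
# host's TCP listeners plus the UDP/53 socket dnsmasq would also open.
SS_LISTENERS = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 128 *:4243 *:*
"""


def parse_input_chain(text):
    """Return (policy, rules) from one chain of `iptables -nvL` output."""
    lines = text.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                      # skip chain and column headers
        f = line.split()
        if len(f) < 9:
            continue
        rules.append({"target": f[2], "prot": f[3], "in": f[5],
                      "source": f[7], "match": " ".join(f[9:])})
    return policy, rules


def rule_matches(rule, pkt):
    """Does this rule match a packet dict (proto, dport, src, iface, state, flags)?"""
    if rule["prot"] not in ("all", pkt["proto"]) or rule["in"] not in ("*", pkt["iface"]):
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["source"]):
        return False
    m = re.search(r"dpt:(\d+)", rule["match"])
    if m and int(m.group(1)) != pkt["dport"]:
        return False
    m = re.search(r"state (\S+)", rule["match"])
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    # `flags:[!]MASK/COMP` matches when (flags & MASK) == COMP, inverted by '!'
    m = re.search(r"flags:(!?)0x([0-9A-Fa-f]+)/0x([0-9A-Fa-f]+)", rule["match"])
    if m:
        negated, mask, comp = m.group(1) == "!", int(m.group(2), 16), int(m.group(3), 16)
        if ((pkt["flags"] & mask) == comp) == negated:
            return False
    return True


def verdict(policy, rules, pkt):
    """First matching rule's target, else the chain policy."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy


def parse_listeners(text):
    """Sorted (proto, port) pairs from `ss -tuln` output, skipping loopback binds."""
    found = set()
    for line in text.strip().splitlines()[1:]:
        f = line.split()
        if len(f) >= 5 and f[0] in ("tcp", "udp") and not f[4].startswith(("127.", "[::1]")):
            found.add((f[0], int(f[4].rsplit(":", 1)[1])))
    return sorted(found)


def unreachable_listeners(iptables_text, ss_text, src="192.168.0.99", iface="enp5s0"):
    """Listeners that a new connection from `src` arriving on `iface` would not reach."""
    policy, rules = parse_input_chain(iptables_text)
    blocked = []
    for proto, port in parse_listeners(ss_text):
        pkt = {"proto": proto, "dport": port, "src": src, "iface": iface,
               "state": "NEW", "flags": SYN if proto == "tcp" else 0}
        result = verdict(policy, rules, pkt)
        if result != "ACCEPT":
            blocked.append((proto, port, result))
    return blocked


if __name__ == "__main__":
    for proto, port, result in unreachable_listeners(IPTABLES_NVL, SS_LISTENERS):
        print(f"{proto}/{port}: listening but INPUT verdict is {result}")
```

Run it as-is and it prints `udp/53` and `tcp/4243` as listening-but-dropped; swapping in a real `iptables -nvL` and `ss -tuln` capture makes it a quick pre-deployment check that every intended service has a matching ACCEPT for the protocol it actually speaks.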

















1 Answer
DNS not working was because iptables was allowing TCP not UDP. That's straightforward. HTTP I understand a little less, but by default the docker daemon runs as:

/usr/bin/dockerd -H fd://

I had this overridden to expose the docker daemon on a TCP port:

/usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock

What this has to do with the ports that the container services run on, I don't know. But by not exposing the docker daemon (I did need that, no longer do) it's working now.

answered Jul 5 at 10:29
rich
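The `-H tcp://0.0.0.0:4243` line in the answer is the security-relevant detail: a dockerd API socket on TCP without `--tlsverify` is unauthenticated, and control of the Docker API is equivalent to root on the host, so binding it to every interface leaves the host protected only by the firewall (the question's `ss -tlan` showed `*:4243` listening, and the INPUT chain had no ACCEPT for it). As an added example, not code from the answer, this audit parses the `-H`/`--host` values and `--tlsverify` from a dockerd command line (the answer's two command lines are the samples) and the `hosts`/`tlsverify` keys from `daemon.json`, and rates each TCP listener by bind address and TLS client verification; the `daemon.json` sample with TLS is constructed.

```python
"""Rate how a dockerd instance exposes its API.

Added example, not part of the original answer. The two command lines are
the ones quoted in the answer; the daemon.json document is constructed.
"""
import json
import shlex

DEFAULT_CMD = "/usr/bin/dockerd -H fd://"
EXPOSED_CMD = "/usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock"
# Constructed daemon.json: a hardened variant that requires TLS client certificates.
TLS_JSON = '{"hosts": ["tcp://192.168.0.12:2376", "unix:///var/run/docker.sock"], "tlsverify": true}'

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WILDCARD = {"", "0.0.0.0", "::"}


def dockerd_options(cmdline):
    """Return (hosts, tls_verify) parsed from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts, tls_verify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return hosts, tls_verify


def daemon_json_options(text):
    """Return (hosts, tls_verify) from a daemon.json document."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def rate_host(host, tls_verify):
    """Classify one -H value as (host, level, reason); None for non-TCP sockets."""
    scheme, _, rest = host.partition("://")
    if scheme != "tcp":
        return None                               # unix:// and fd:// are local-only
    if rest.startswith("["):                      # [::]:2376 style IPv6 literal
        addr = rest[1:rest.index("]")]
    else:
        addr = rest.rsplit(":", 1)[0] if ":" in rest else rest
    if addr in LOOPBACK:
        return (host, "info", "API bound to loopback only")
    where = "every interface" if addr in WILDCARD else addr
    if tls_verify:
        return (host, "review", f"TLS-authenticated API on {where}")
    return (host, "critical", f"unauthenticated API on {where}; anyone who can reach it controls the host")


def audit_dockerd(cmdline, daemon_json=None):
    """Findings for every TCP API listener configured on the command line or in daemon.json."""
    hosts, tls_verify = dockerd_options(cmdline)
    if daemon_json:
        extra_hosts, extra_tls = daemon_json_options(daemon_json)
        hosts += extra_hosts
        tls_verify = tls_verify or extra_tls
    return [f for f in (rate_host(h, tls_verify) for h in hosts) if f is not None]


if __name__ == "__main__":
    for label, cmd in (("default", DEFAULT_CMD), ("exposed", EXPOSED_CMD)):
        print(label, audit_dockerd(cmd) or "no TCP API listener")
    print("tls daemon.json", audit_dockerd("/usr/bin/dockerd", TLS_JSON))
```

The command line to feed in comes from `ps -o args= -C dockerd` or the unit's `ExecStart`; the answer's own fix (dropping the `tcp://` host entirely) is what takes the finding from critical to nothing, and if remote access is genuinely needed the `review` path with `--tlsverify` plus a firewall rule scoped to the management subnet is the shape to aim for.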
