Able to connect to some ports open in iptables and not others
This is arch linux, kernel 4.18.0-rc3.
I've run these commands:
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Allow local
iptables -A INPUT -i lo -j ACCEPT
# Allow services
iptables -A INPUT -p tcp -m tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 53 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8000 -s 192.168.0.0/24 -j ACCEPT
# Allow established
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
And running iptables -nvL produces:
Chain INPUT (policy DROP 2120 packets, 121K bytes)
pkts bytes target prot opt in out source destination
116 15649 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
36 2432 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:22
1 44 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:53
4 160 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
3 132 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:8000
Which I think looks good, I've omitted some extra docker chains that it adds itself. But then if I nmap from another host on the network I get:
Host is up (0.0020s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
443/tcp closed https
MAC Address: D4:5D:DF:13:98:A5 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 4.89 seconds
So, the bit that doesn't work:
- port 80 isn't there, but ss shows me it's listening and I can curl to it - nginx running in docker
- port 53 is there, and ss shows me it's listening but I can't dig it, it times out - dnsmasq not running in docker
I'm assuming these are related as if I stop the iptables service everything goes through ok, not sure which way to go next though. Any suggestions what I'm missing?
Edit:
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7c91645b13e0 jenkins/jenkins:lts "/sbin/tini -- /usr/…" 11 hours ago Up 11 hours 8080/tcp, 50000/tcp jenkins_jenkins_1
be584769dae7 nginx:1 "nginx -g 'daemon of…" 11 hours ago Up 10 hours 0.0.0.0:80->80/tcp website_nginx_1
6fdc045ae863 mongo:3 "docker-entrypoint.s…" 36 hours ago Up 11 hours 27017/tcp wikijs_mongo_1
abf884b83aeb requarks/wiki "supervisord --nodae…" 36 hours ago Up 11 hours 3000/tcp wikijs_wiki_1
$ ss -tlan
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 32 0.0.0.0:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
ESTAB 0 0 192.168.0.12:34196 192.168.0.209:8009
TIME-WAIT 0 0 192.168.0.12%enp5s0:37082 138.201.81.199:80
ESTAB 0 0 192.168.0.12:58514 151.101.17.140:443
ESTAB 0 0 192.168.0.12:22 192.168.0.99:58500
ESTAB 0 0 192.168.0.12:34380 192.168.0.147:8009
ESTAB 0 0 172.19.0.1:59316 172.19.0.3:80
ESTAB 0 0 172.19.0.1:59304 172.19.0.3:80
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:4243 *:*
LISTEN 0 32 [::]:53 [::]:*
LISTEN 0 128 [::]:22 [::]:*
ESTAB 0 0 [::ffff:192.168.0.12]:80 [::ffff:192.168.0.99]:60214
ESTAB 0 0 [::ffff:192.168.0.12]:80 [::ffff:192.168.0.99]:60323
Tags: iptables
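The mismatch in the question (sockets that are listening but unreachable, and an ACCEPT rule for 443 that nmap reports as "closed") is exactly what a listener-versus-ruleset cross-check surfaces. The script below is an added example, not code from the question or its answer: it parses captured `ss -tulan`-style and `iptables -nvL`-style text and reports listeners that no INPUT ACCEPT rule covers (the DROP policy never answers, so nmap says "filtered") and ACCEPT rules for ports nothing listens on (the kernel answers RST, so nmap says "closed"). The sample inputs are constructed from the question's output, with one UDP 53 line added because the question's `ss -tlan` lists TCP sockets only. The function and constant names are the example's own.

```python
"""Cross-check what is listening against what the INPUT chain admits.

Added example; not code from the question or its answer. Parses captured
`ss -tulan`-style and `iptables -nvL`-style text and reports
(a) listeners no ACCEPT rule covers: the DROP policy silently filters them,
(b) ACCEPT rules for ports nothing listens on: the kernel answers with RST.
"""
import re

# Constructed sample: the question's listeners (its ss -tlan shows TCP only)
# plus the UDP 53 socket that a -u listing would also have shown.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      32     0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    *:80              *:*
tcp   LISTEN 0      128    *:4243            *:*
tcp   LISTEN 0      32     [::]:53           [::]:*
tcp   LISTEN 0      128    [::]:22           [::]:*
"""

# Constructed sample: the INPUT chain from the question (the three
# flag-sanity DROP rules abbreviated to one; they carry no dpt anyway).
IPTABLES_OUTPUT = """\
Chain INPUT (policy DROP 2120 packets, 121K bytes)
 pkts bytes target prot opt in out source destination
  116 15649 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
   36  2432 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:22
    1    44 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:53
    4   160 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    3   132 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    0     0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:8000
"""

# pkts bytes ACCEPT <proto> ... dpt:<port>   (only rules with an explicit port)
_ACCEPT_RULE = re.compile(
    r"^\s*\S+\s+\S+\s+ACCEPT\s+(?P<proto>tcp|udp)\s.*\bdpt:(?P<port>\d+)\b"
)


def parse_listeners(ss_text):
    """Return {(proto, port)} for sockets that take new traffic: TCP sockets
    in LISTEN and UDP sockets in UNCONN (a bound UDP socket has no listen
    state; UNCONN is how `ss -u` shows it)."""
    listeners = set()
    for line in ss_text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, state, local = parts[0], parts[1], parts[4]
        if (proto, state) not in (("tcp", "LISTEN"), ("udp", "UNCONN")):
            continue
        # Local address is 0.0.0.0:53, *:80 or [::]:53; the port is after the last ':'
        listeners.add((proto, int(local.rsplit(":", 1)[1])))
    return listeners


def parse_accept_rules(ipt_text):
    """Return {(proto, port)} for INPUT ACCEPT rules that name a --dport.
    Catch-all ACCEPTs (lo, ESTABLISHED,RELATED) are ignored on purpose:
    they do not admit a NEW connection to a service port from the network.
    Port ranges (dpts:) are not handled."""
    rules, in_input = set(), False
    for line in ipt_text.splitlines():
        if line.startswith("Chain "):
            in_input = line.startswith("Chain INPUT")
            continue
        if not in_input:
            continue
        match = _ACCEPT_RULE.match(line)
        if match:
            rules.add((match.group("proto"), int(match.group("port"))))
    return rules


def uncovered_listeners(ss_text, ipt_text):
    """Listeners with no ACCEPT for their proto/port: DROPped, nmap 'filtered'."""
    return sorted(parse_listeners(ss_text) - parse_accept_rules(ipt_text))


def accepted_without_listener(ss_text, ipt_text):
    """ACCEPTs for ports nothing listens on: RST from the kernel, nmap 'closed'."""
    return sorted(parse_accept_rules(ipt_text) - parse_listeners(ss_text))


if __name__ == "__main__":
    for proto, port in uncovered_listeners(SS_OUTPUT, IPTABLES_OUTPUT):
        print(f"listening but never accepted (nmap: filtered): {proto}/{port}")
    for proto, port in accepted_without_listener(SS_OUTPUT, IPTABLES_OUTPUT):
        print(f"accepted but nothing listening (nmap: closed): {proto}/{port}")
```

On the constructed input the first check flags udp/53 (the gap Bananguin points at in the comments: the ruleset only admits DNS over TCP) and tcp/4243 (the Docker daemon's own API listener, which the answer later removes). The second check explains the "443 closed" line in the nmap output: the firewall passes the SYN but no socket is bound, so the kernel answers RST. It does not explain why tcp/80 showed as filtered even though a rule accepts it; the answer attributes that to the dockerd TCP listener.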
Can you show the docker ps output, I'd like to see how the containers are set up.
– slm ♦
Jul 4 at 23:32
Also please show the output of netstat -tapn, specifically focus on the docker containers. They should be listening on the correct IPs.
– slm ♦
Jul 4 at 23:54
Also, the exact nmap command.
– Jeff Schaller
Jul 5 at 2:18
This is a strange INPUT chain, if I have ever seen one. But I suppose it works. Are you certain your dnsmasq is listening on TCP port 53? Usually DNS uses UDP, but I suppose TCP can work as well these days.
– Bananguin
Jul 5 at 8:13
Added most of the requested output above - I think bind addresses, etc. are probably ok as it all works if I stop iptables (and because of the ss output - arch ships with this instead of netstat). UDP was a good catch on DNS - that works now. The nmap command was just the default against the host, no flags. Happy to take less strange iptables setup suggestions if that helps!
– rich
Jul 5 at 8:22
asked Jul 4 at 20:24, edited Jul 5 at 8:15, by rich
1 Answer
DNS not working was because iptables was allowing TCP not UDP. That's straightforward. HTTP I understand a little less, but by default the docker daemon runs as:
/usr/bin/dockerd -H fd://
I had this overridden to expose the docker daemon on a TCP port:
/usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock
What this has to do with the ports that the container services run on, I don't know. But by not exposing the docker daemon (I did need that, no longer do) it's working now.
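The second dockerd command line in the answer is worth checking for on any host, independent of the port-80 puzzle: a `-H tcp://` endpoint without `--tlsverify` hands the full Docker API, and with it root-equivalent control of the host, to anyone who can reach the port, and binding it on 0.0.0.0 means every interface. The audit below is an added example, not code from the answer or from Docker. It parses the `-H`/`--host` endpoints of a dockerd invocation (as it appears in `ps` output) and flags TCP endpoints that lack `--tlsverify` or that bind all interfaces. The first two command lines are the ones quoted in the answer; the third and fourth are constructed to show the TLS-protected form (the `ca.pem`, `server.pem` and `key.pem` file names are placeholders). The function and constant names are the example's own.

```python
"""Audit a dockerd command line for an exposed plaintext TCP API endpoint.

Added example; not code from the answer or from Docker. Understands the
real dockerd flags -H/--host and --tlsverify only; anything else is ignored.
"""
import shlex
from urllib.parse import urlparse

PLAINTEXT_TCP = "plaintext-tcp"    # API over TCP without client-certificate TLS
ALL_INTERFACES = "all-interfaces"  # wildcard bind: reachable from every network

# Constructed samples: the two command lines quoted in the answer, then two
# TLS-protected variants (certificate file names are placeholders).
SAMPLE_CMDLINES = [
    "/usr/bin/dockerd -H fd://",
    "/usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock",
    "dockerd -H tcp://127.0.0.1:2376 --tlsverify --tlscacert=ca.pem "
    "--tlscert=server.pem --tlskey=key.pem",
    "dockerd --host=tcp://0.0.0.0:2376 --tlsverify --tlscacert=ca.pem "
    "--tlscert=server.pem --tlskey=key.pem",
]


def dockerd_hosts(argv):
    """Collect every -H/--host value and whether --tlsverify is present."""
    hosts, tls_verify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])      # value is the next argument
            i += 2
            continue
        if arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return hosts, tls_verify


def audit_dockerd(cmdline):
    """Return [(endpoint, issue), ...] for each risky TCP endpoint; [] if clean."""
    hosts, tls_verify = dockerd_hosts(shlex.split(cmdline))
    findings = []
    for endpoint in hosts:
        url = urlparse(endpoint)
        if url.scheme != "tcp":          # fd:// and unix:// never leave the host
            continue
        if not tls_verify:
            findings.append((endpoint, PLAINTEXT_TCP))
        if url.hostname in (None, "", "0.0.0.0", "::"):
            findings.append((endpoint, ALL_INTERFACES))
    return findings


if __name__ == "__main__":
    for cmdline in SAMPLE_CMDLINES:
        print(cmdline)
        for endpoint, issue in audit_dockerd(cmdline) or [("-", "no findings")]:
            print(f"  {issue}: {endpoint}")
```

Run over a live host, feed it the dockerd line from `ps -o args= -C dockerd`. The DNS half of the answer needs one rule alongside the existing TCP one, `iptables -A INPUT -p udp --dport 53 -s 192.168.0.0/24 -j ACCEPT`, since ordinary queries travel over UDP and TCP is used only for truncated responses and zone transfers; the ruleset in the question also never accepted tcp/4243 from the network, so the plaintext API was reachable only from the host itself and from containers, which is still more exposure than the default `fd://` socket.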
answered Jul 5 at 10:29 by rich