
I've run the portainer image using:

docker run -d -P -p 9000:9000 portainer/portainer

But I can only access the web UI on port 9000 locally, using lynx. I have allowed port 9000 in the firewall, both incoming and outgoing, so that shouldn't be the problem.

$ sudo iptables -t filter -L -n -v | grep 9000
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9000

But I have a hard time interpreting the NAT table, which may be the suspect.

$ sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 7 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
  415 24676 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:9000

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !docker0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:9000 to:172.17.0.2:9000

Can anyone help me out here?

Update 1:

I tried the same command on another Ubuntu server with the same Docker version, and there it works. The only difference in the NAT table after running and binding the container is a POSTROUTING record that says:

 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    10.0.0.0/8           0.0.0.0/0

But I think this may not be related, or is it?

Ubuntu 16.04
Docker version 17.05.0-ce, build 89658be

user2194229
    The output of `iptables -t nat -L -n` does not show all the details. You need to include `-v` option to show the in/out interfaces like `docker0`. How are you trying to access the port 9000? What is the destination address? – Khaled May 30 '17 at 08:12
  • Your rules looks OK when compared with mine (assuming the missing data is similar). – Khaled May 30 '17 at 08:13
  • I re-ran the command with the `-v` option. I'm trying to access it from a browser on a different machine with the URL http://:9000, but there is no response. – user2194229 May 30 '17 at 08:24
  • Check if `tcpdump -i eth0 -n port 9000` shows any packets (replace eth0 with the name of your public interface). – AlexD May 30 '17 at 13:29
  • @AlexD I ran `sudo tcpdump -i ens3 -n port 9000` and tried requesting it from the other host's browser; still nothing comes up. The server also has a web service running on https (443) which can be accessed and probed using the above command, so there is no problem with the interface itself. Any idea? – user2194229 May 31 '17 at 00:39

1 Answer


Thanks everyone for helping out in the comments.

It turns out I just used `nmap <host>` to check for open ports and found that 9000 is not open, though the internal firewall/iptables says otherwise.

Then I remembered that the VPS I'm using has another external firewall layer which I have to configure as well. Stupid me, but I learned the basic tracing process/commands. Thx guys!

user2194229
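The tracing process the answer describes (iptables, then tcpdump, then nmap from outside) can be shortened by reading the packet counters that `iptables -t nat -L -n -v` already prints: in the question's output the PREROUTING jump to DOCKER has seen 415 packets, but the DNAT rule for dpt:9000 has seen 0, so netfilter never received a single packet for that port, which is exactly what an upstream (provider) firewall looks like from inside the host. The helper below is an added example, not code from the question or the answer; it assumes the `iptables -L -n -v` column layout shown above and uses the same container address (172.17.0.2:9000) in a constructed sample table. `dnat_state` classifies the rule for one published TCP port from its counters, and `dnat_target` extracts where the rule forwards to, so you can compare it with `docker inspect -f '{{.NetworkSettings.IPAddress}}' <container>`.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `iptables -t nat -L -n -v`
# output on stdin and reports the state of the Docker DNAT rule for one
# published TCP port.
#
# Real usage:   sudo iptables -t nat -L -n -v | dnat_state 9000
# Prints one of:
#   no-rule     Docker did not publish the port (check `docker port <container>`)
#   rule-unhit  rule exists but pkts == 0: no packet for that port reached the
#               host, so look upstream (VPS/provider firewall, security group)
#   rule-hit    packets were DNATed; if the service still fails, look at the
#               filter table FORWARD chain or at the container itself
dnat_state() {
    awk -v port="$1" '
        /^Chain / { chain = $2; next }
        chain == "DOCKER" && $3 == "DNAT" {
            # the "dpt:NNNN" match lives in a variable column, so scan fields
            for (i = 1; i <= NF; i++)
                if ($i == "dpt:" port) { found = 1; pkts = $1 }
        }
        END {
            if (!found)          print "no-rule"
            else if (pkts == 0)  print "rule-unhit"
            else                 print "rule-hit"
        }'
}

# Prints the DNAT destination (container IP:port) for a published port.
# Usage: sudo iptables -t nat -L -n -v | dnat_target 9000
dnat_target() {
    awk -v port="$1" '
        /^Chain / { chain = $2; next }
        chain == "DOCKER" && $3 == "DNAT" {
            hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "dpt:" port) hit = 1
                # "to:172.17.0.2:9000" follows the dpt: match on the same line
                if (hit && index($i, "to:") == 1) { print substr($i, 4); exit }
            }
        }'
}

# Constructed sample tables for offline use. The first mirrors the question
# (DNAT counters at zero); the second is the same rule after 12 packets hit it.
sample_nat_unhit() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 7 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
  415 24676 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !docker0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:9000 to:172.17.0.2:9000
EOF
}

sample_nat_hit() {
    cat <<'EOF'
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
   12   720 DNAT       tcp  --  !docker0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:9000 to:172.17.0.2:9000
EOF
}

# Stand-alone demo on the constructed samples.
sample_nat_unhit | dnat_state 9000    # rule-unhit
sample_nat_hit   | dnat_state 9000    # rule-hit
sample_nat_unhit | dnat_state 8080    # no-rule
sample_nat_unhit | dnat_target 9000   # 172.17.0.2:9000
```

A `rule-unhit` result is the cue to stop reading iptables and go to the layer in front of the host (the provider firewall the answer found, a cloud security group, or a NAT in front of the VPS); a `rule-hit` result with no reply points instead at the FORWARD chain of the filter table or at the container. Note that the counters are cumulative since the rule was loaded, so reset them with `iptables -t nat -Z DOCKER` before a test if the rule is old.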