Exposed ports from docker container cannot able to access on host server by IP Address in RedHat 8

Question

I am running docker container in RedHat 8. In my docker container, I exposed port 8080 for accessible from outside. I can able to telnet 8080 from other servers but I cannot able to telnet 8080 from host server by IP address.

[root@redhat1 biz]# cat docker-compose.yml 
version: '3'  
services:
  web:
    image: nginx:latest
    ports:
     - "8080:80"
    links:
     - php
  php:
    image: php:7-fpm

Exposed port 8080 cannot accessible from the host server by using IP address. It can able to telnet 8080 by localhost or 127.0.0.1.

Telnet 8080 from other server by IP address is OK.

Answer 1

Check the host server's firewall settings on firewalld for the port 8080 incoming.

You may need to modify the iptables rules on your host to permit connections from Docker containers. Something like this will do the trick:

iptables -A INPUT -i docker0 -j ACCEPT This would allow access to any ports on the host from Docker containers.

iptables rules are ordered, and this rule may, or may not perform what you would like to depending on other rules which come before this.

you will only be able to access host services that are either, listening on INADDR_ANY for example, 0.0.0.0 or that are explicitly listening on the docker0 interface.

Answer 2

If you followed @erig's advice or it did not seem to apply to you, the problem could be that you have a default DROP policy on your OUTPUT tables, like this:

-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Your may have whitelisted packets originating from lo (loopback), but the docker-proxy services must turn around and create a new connection on one of the br interfaces. Append this line to your ruleset, to see if it solves the problem:

-A OUTPUT -o br+ -m comment --comment "reach internal docker containers" -j ACCEPT

This ensures the proxy-service daemons can make the connection to their backend.

Answer 3

Locally generated packets do not pass through NAT PREROUTING which is where most "forward port" (DNAT) implementations add rules. This explains why your attempt to use the public IP address from a different server works.

The localhost case can be made to work by using the NAT OUTPUT chain. I expect docker is also adding a rule for this case.

e.g. docker probably has a rule like this:

# iptables -t nat -A OUTPUT -p tcp --dst 127.0.0.1 --dport 8080 -j REDIRECT --to-ports 80

What's probably missing is a similar rule that matches your public IP address. It's problematic because the rule needs to know your public IP. This might explain why docker doesn't generate this rule.

# iptables -t nat -A OUTPUT -p tcp --dst a.b.c.d --dport 8080 -j DNAT --to-destination 127.0.0.1:80

Firewalld doesn't block OUTPUT packets by default. Unless you have made changes yourself, then I think it's unlikely to be the cause. Disabling it temporarily would be a quick way to verify that.