On 10/26/2021 3:19 PM, Philipp Berger wrote:
On 24.10.2021 18:36, Matt Darfeuille wrote:
On 10/20/2021 6:47 PM, Philipp Berger wrote:
Dear all,

I am trying to access SSH in a Docker container via a port forwarding
from Docker, which works via IPv6 but not IPv4 (!).

Setup:
enp35s0, main interface to world, IPv4 144.76.173.241
docker0, docker bridge interface, Container IP is 172.17.0.4

Docker file has " --publish 9202:22" meaning bind host 0.0.0.0:9202
and forward to container:22.
In Shorewall, net to $FW has tcp/9202 as allowed.

Observations:
  - Connection to 144.76.173.241:9202 does not work (Network
unreachable), IPv6 connection does work (SSH connection established).
  - Connection from the Docker Container to 144.76.173.241:9202 works
(via IPv4, as Docker is IPv4-only!), SSH connection works.

Also:
# cat /etc/shorewall/shorewall.conf | grep DOCKER
DOCKER=Yes

This facility will be dropped eventually.

# cat /proc/sys/net/ipv4/ip_forward
1


After Shorewall is started?
Yes

/sbin/shorewall dump: attached!

Connection tried from 109.91.174.146 to 144.76.173.241:9202.


I assume some kind of masquerading is missing, but I am way out of my
depth here. Any ideas?
At some point I also tried removing the publish command from Docker
and used "DNAT net docker:172.17.0.4:22 tcp 9202", which also did not
work.


Try substituting '22' by '9202'.

Why? The container is listening on :22, only the host is supposed to
listen on 9202, see " --publish 9202:22". Also, :22 on the host system
is taken. Or is this a change/fix that I do not understand?


With your current setup, you let Docker DNAT the port 9202 to 22.
So from your public IP you would need to DNAT port 9202 to 9202 and then let Docker DNAT 9202 to 22.

I would suggest disabling the Docker firewall and solely using Shorewall.

--
Matt Darfeuille <m...@shorewall.org>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org
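An added diagnostic for the "which DNAT fires first" question above; this is not code from the thread or from the Shorewall project. It walks an `iptables-save -t nat` dump the way the nat PREROUTING hook does (jumps, RETURN, and the first terminating DNAT) and reports which rule rewrites a packet aimed at the host's port 9202. The sample dump, the `net_dnat` chain name, the rule order and the set of host-local addresses are constructed assumptions; substitute the real dump to check a live box.

```python
import re

# Constructed sample of `iptables-save -t nat` output modelled on the thread's setup:
# Docker's DOCKER chain publishing 9202 -> 172.17.0.4:22 plus a Shorewall DNAT rule
# (the "net_dnat" chain name and the rule order are assumptions, not from the dump).
SAMPLE_NAT = """\
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -i enp35s0 -j net_dnat
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9202 -j DNAT --to-destination 172.17.0.4:22
-A net_dnat -p tcp -m tcp --dport 9202 -j DNAT --to-destination 172.17.0.4:22
"""
LOCAL_ADDRS = {"144.76.173.241", "172.17.0.1"}  # addresses the host itself owns (assumed)

def parse_rules(dump):
    """Group '-A <chain> <rule>' lines by chain, keeping their order."""
    chains = {}
    for m in (re.match(r"-A (\S+) (.*)", l.strip()) for l in dump.splitlines()):
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains

def rule_matches(rule, pkt):
    """Evaluate the match options these rules use (addrtype, -i/! -i, -p, --dport)."""
    if "--dst-type LOCAL" in rule and pkt["dst"] not in LOCAL_ADDRS:
        return False
    m = re.search(r"(!\s*)?-i (\S+)", rule)
    if m and (pkt["iface"] == m.group(2)) == bool(m.group(1)):  # '-i x' vs '! -i x'
        return False
    p = re.search(r"(?:^|\s)-p (\S+)", rule)
    d = re.search(r"--dport (\d+)", rule)
    return (not p or p.group(1) == pkt["proto"]) and (not d or int(d.group(1)) == pkt["dport"])

def walk(chains, chain, pkt):
    """Return (chain, new destination) of the first DNAT hit; DNAT is terminating."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        target = re.search(r"-j (\S+)", rule).group(1)
        if target == "RETURN":
            return None  # back to the calling chain, which keeps scanning
        if target == "DNAT":
            return chain, re.search(r"--to-destination (\S+)", rule).group(1)
        hit = walk(chains, target, pkt)  # jump into a user-defined chain
        if hit:
            return hit
    return None

def first_dnat(dump, iface, dst, dport, proto="tcp"):
    """Which nat PREROUTING DNAT rule fires first for a packet arriving on iface?"""
    return walk(parse_rules(dump), "PREROUTING",
                {"iface": iface, "dst": dst, "dport": dport, "proto": proto})
```

With the Docker jump ahead of Shorewall's, a packet from the Internet to 144.76.173.241:9202 is rewritten by the DOCKER chain and the `net_dnat` row is never consulted; removing the Docker jump from the sample models Docker's iptables integration being disabled so that only the Shorewall rule remains.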


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users