Dear Matt,
there seems to be a bit of a mix-up:
The DNAT command is what I tried as an alternative to the docker publish ("At some point I also tried removing the publish command from Docker and used "DNAT net docker:172.17.0.4:22 tcp 9202", which also did not work.").
My main concern is that in both cases, even in those _only using Shorewall and no Docker constructs_, it does not work. Especially interesting to me is that it works for IPv6 but not IPv4.
Sadly, I have no further idea on how to debug this issue - maybe I am missing a MASQUERADE or something, I just don't know enough.
Also:
You mentioned before that "DOCKER=Yes" will be dropped eventually. What is the intended replacement? My main concern is that the container IPs can constantly change and I do not want to hand-update the firewall every time a container restarts. Is there an easier way I am not seeing?
Thank you,
Philipp
Sent: Thursday, 28 October 2021 at 08:40
From: "Matt Darfeuille" <m...@shorewall.org>
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall and Docker - Port Forwarding
On 10/26/2021 3:19 PM, Philipp Berger wrote:
> On 24.10.2021 18:36, Matt Darfeuille wrote:
>> On 10/20/2021 6:47 PM, Philipp Berger wrote:
>>> Dear all,
>>>
>>> I am trying to access SSH in a Docker container via a port forwarding
>>> from Docker, which works via IPv6 but not IPv4 (!).
>>>
>>> Setup:
>>> enp35s0, main interface to world, IPv4 144.76.173.241
>>> docker0, docker bridge interface, Container IP is 172.17.0.4
>>>
>>> Docker file has "--publish 9202:22" meaning bind host 0.0.0.0:9202
>>> and forward to container:22.
>>> In Shorewall, net to $FW has tcp/9202 as allowed.
>>>
>>> Observations:
>>> - Connection to 144.76.173.241:9202 does not work (Network
>>> unreachable), IPv6 connection does work (SSH connection established).
>>> - Connection from the Docker Container to 144.76.173.241:9202 works
>>> (via IPv4, as Docker is IPv4-only!), SSH connection works.
>>>
>>> Also:
>>> # cat /etc/shorewall/shorewall.conf | grep DOCKER
>>> DOCKER=Yes
>>
>> This facility will be dropped eventually.
>>
>>> # cat /proc/sys/net/ipv4/ip_forward
>>> 1
>>>
>>
>> After Shorewall is started?
> Yes
>>
>>> /sbin/shorewall dump: attached!
>>>
>>> Connection tried from 109.91.174.146 to 144.76.173.241:9202.
>>>
>>>
>>> I assume some kind of masquerading is missing, but I am way out of my
>>> depth here. Any ideas?
>>> At some point I also tried removing the publish command from Docker
>>> and used "DNAT net docker:172.17.0.4:22 tcp 9202", which also did not
>>> work.
>>>
>>
>> Try substituting '22' by '9202'.
>>
> Why? The container is listening on :22, only the host is supposed to
> listen on 9202, see "--publish 9202:22". Also, :22 on the host system
> is taken. Or is this a change/fix that I do not understand?
>
With your current setup, you let docker DNAT the port 9202 to 22.
So from your public IP you would need to DNAT port 9202 to 9202 and then
let docker DNAT 9202 to 22.
I would suggest disabling the docker firewall and solely using Shorewall.
--
Matt Darfeuille <m...@shorewall.org>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
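Added debugging aid, not part of the thread: in the nat table the first DNAT rule that matches a new connection terminates the PREROUTING walk, so reading the nat section of `shorewall dump` in rule order tells you whether Shorewall's own DNAT rule or Docker's DOCKER chain rewrote the packet, and whether the two-stage 9202 -> 9202 -> 22 idea above can ever reach the second stage. The script below is my own; it walks a constructed `iptables-save -t nat` excerpt modelled on the setup in this thread (the chain name net_dnat is an assumption about what Shorewall generates; replace SAMPLE_NAT with your real dump).

```python
import re

# Constructed `iptables-save -t nat` excerpt modelled on the thread's setup
# (public iface enp35s0, bridge docker0, container 172.17.0.4, 9202 -> 22).
# Hypothetical sample data, NOT the poster's attached dump; net_dnat is assumed.
SAMPLE_NAT = """\
-A PREROUTING -i enp35s0 -j net_dnat
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A net_dnat -p tcp -m tcp --dport 9202 -j DNAT --to-destination 172.17.0.4:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9202 -j DNAT --to-destination 172.17.0.4:22
"""
LOCAL_ADDRS = {"144.76.173.241", "127.0.0.1"}  # what `--dst-type LOCAL` means here

def parse_nat(dump):
    """Group `-A <chain> <matches> -j <target>` lines by chain, keeping rule order."""
    chains = {}
    for line in dump.splitlines():
        m = re.match(r"-A (\S+)(.*?) -j (\S+)(?: --to-destination (\S+))?$", line)
        if not m:
            continue
        chain, matches, target, to = m.groups()
        chains.setdefault(chain, []).append({"matches": matches.strip(), "target": target, "to": to})
    return chains

def rule_matches(matches, pkt):
    """Evaluate the match types used in the sample: -i / ! -i, --dport, addrtype LOCAL."""
    m = re.search(r"(!\s+)?-i (\S+)", matches)
    if m and ((m.group(2) == pkt["in_if"]) == bool(m.group(1))):
        return False  # interface test failed (a leading '!' negates the comparison)
    m = re.search(r"--dport (\d+)", matches)
    if m and int(m.group(1)) != pkt["dport"]:
        return False
    if "--dst-type LOCAL" in matches and pkt["dst"] not in LOCAL_ADDRS:
        return False
    return True

def trace_dnat(chains, pkt, chain="PREROUTING"):
    """Walk nat PREROUTING like the kernel: the first matching DNAT ends the walk,
    so later rules and chains never see the packet. Returns (chain, new_dst) or None."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule["matches"], pkt):
            continue
        if rule["target"] == "DNAT":
            return chain, rule["to"]
        if rule["target"] in chains:  # jump into a user-defined chain
            hit = trace_dnat(chains, pkt, rule["target"])
            if hit:
                return hit
    return None
```

With the sample, a connection arriving on enp35s0 for 144.76.173.241:9202 is rewritten by net_dnat and the DOCKER chain is never consulted; drop the net_dnat chain from the dump and Docker's rule fires instead.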