1 year ago

#190710

ouzmoutous

docker ports filtered by firewalld

I'm on CentOS 7.9 and I need to get Docker to work with firewalld configured. However, the port is always filtered when firewalld is started... unless I try to connect to it over localhost.

On this machine (myhost), I have a running container listening on port 55123:

# docker ps
CONTAINER ID   IMAGE                                               COMMAND                  CREATED       STATUS       PORTS                  NAMES
6878f1d6152d   registry.example.com/my-image:22.1.1   "/entrypoint.sh"   2 weeks ago   Up 10 minutes   0.0.0.0:55123->55123/tcp   myhost_myservice

# netstat -lntp |grep docker-proxy
tcp        0      0 0.0.0.0:55123            0.0.0.0:*               LISTEN      27091/docker-proxy

I did add the port to firewalld:

# firewall-cmd --zone=public --add-port=55123/tcp --permanent
# firewall-cmd --reload

I have a zone docker and a zone public, and I added my interfaces to the public zone to be sure:

# firewall-cmd --get-active-zones
docker
  interfaces: br-e7b57dXXXXXX docker0
public
  interfaces: ens192 ens224 ens256

I tried a restart of firewalld and then of the docker service, but it is still filtered:

# nmap myhost -Pn -p 55123
Nmap scan report for myhost (XXX.XXX.XXX.23)
Host is up.
PORT     STATE SERVICE
55123/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

but all good on localhost:

# nmap localhost -Pn -p 55123
Nmap scan report for myhost (XXX.XXX.XXX.23)
Host is up.
PORT     STATE SERVICE
55123/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

I have enabled Docker metrics on port 9323 directly on the host (myhost), and this port is opened fine:

# nmap myhost -Pn -p 9323
Nmap scan report for myhost (XXX.XXX.XXX.23)
Host is up.
PORT     STATE SERVICE
9323/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

If I stop firewalld, I immediately get:

# nmap myhost -Pn -p 55123
Nmap scan report for myhost (XXX.XXX.XXX.23)
Host is up.
PORT     STATE SERVICE
55123/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

My firewalld configuration:

# firewall-cmd --zone=docker --list-all
docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-e7b57dXXXXXX docker0
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192 ens224 ens256
  sources:
  services: dhcpv6-client ssh
  ports: 9323/tcp 55123/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I'm a bit lost as to why it isn't working.

There is one thing that is a bit weird: we use a non-standard private network range. Our network is on something like 110.2.0.0/16.

Tags: docker, docker-compose, port, firewalld, filtered
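A check worth running in this situation, added here as an example rather than taken from the question or from Docker or firewalld themselves: a port published with `-p` is not served by a host socket for remote clients. The packet is DNATed to the container address in the nat table (Docker's DOCKER chain) and is then evaluated in the filter FORWARD chain, not INPUT, so a zone `--add-port` entry, which only opens INPUT, does not cover it. When the FORWARD chain no longer jumps to Docker's DOCKER chain before firewalld's terminating `REJECT --reject-with icmp-host-prohibited` (firewalld rewrites that chain on reload), the ICMP reply makes nmap report the port as filtered, while localhost keeps working because loopback traffic to a published port is not DNATed and reaches docker-proxy through INPUT. The script below reads an `iptables-save` dump and reports which of the two prerequisites is missing. The two dumps are constructed samples modelled on the usual chain layout; the bridge name docker0, the container address 172.17.0.2 and the function names are assumptions.

```shell
#!/bin/sh
# Audit an iptables-save dump for a Docker-published TCP port.
# Checks (1) a DNAT rule for the port in the nat table and (2) that the
# filter FORWARD chain jumps to DOCKER before any terminating REJECT/DROP.
# Constructed sample dumps (not captured from the question's host).

# Healthy layout: Docker's FORWARD jumps sit above firewalld's final REJECT.
HEALTHY_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 55123 -j DNAT --to-destination 172.17.0.2:55123
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 55123 -j ACCEPT
COMMIT
'

# Broken layout: the DNAT survives, but FORWARD lost the jump to DOCKER,
# so DNATed packets fall through to firewalld's REJECT (nmap: "filtered").
FLUSHED_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 55123 -j DNAT --to-destination 172.17.0.2:55123
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
'

# has_dnat DUMP PORT: succeeds if the nat table DNATs the given TCP port.
has_dnat() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-j DNAT/ && $0 ~ ("--dport " port " ") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# forward_reaches_docker DUMP: succeeds if FORWARD jumps to the DOCKER chain
# (not DOCKER-USER or DOCKER-ISOLATION-*) before a terminating REJECT/DROP.
forward_reaches_docker() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" {
            if ($0 ~ /-j DOCKER$/ || $0 ~ /-j DOCKER /) { seen = 1 }
            if (!seen && $0 ~ /-j (REJECT|DROP)/) { blocked = 1 }
        }
        END { exit (seen && !blocked) ? 0 : 1 }'
}

# audit_published_port DUMP PORT: prints ok, no-dnat or forward-blocked.
audit_published_port() {
    dump=$1
    port=$2
    if ! has_dnat "$dump" "$port"; then
        echo "no-dnat"
        return 1
    fi
    if ! forward_reaches_docker "$dump"; then
        echo "forward-blocked"
        return 2
    fi
    echo "ok"
    return 0
}

# Against a live host you would pass the real dump:
#   audit_published_port "$(iptables-save)" 55123
audit_published_port "$HEALTHY_DUMP" 55123          # -> ok
audit_published_port "$FLUSHED_DUMP" 55123 || true  # -> forward-blocked
```

A `no-dnat` result means Docker never published the port (or its nat rules were flushed), while `forward-blocked` means the DNAT is in place but the forwarded packet is rejected before reaching Docker's accept rule; in the second case restarting the docker service after every firewalld reload, so that Docker re-inserts its FORWARD rules above firewalld's REJECT, is the usual first thing to verify. A host-listening port such as 9323 never goes through this path, which is why a plain zone port entry is enough for it.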

0 Answers
