My firewall is blocking network connections from the docker container to outside

For me this is a very standard setup: I have an Ubuntu machine running Docker, with ufw as my firewall.

If my firewall is enabled, the Docker instances are unable to connect to the outside.

$ docker run -i -t ubuntu /bin/bash
WARNING:  Docker detected local DNS server on resolv.conf. Using default external servers: [8.8.8.8 8.8.4.4]
root@d300c5f17207:/# apt-get update
Err http://archive.ubuntu.com precise InRelease
0% [Connecting to archive.ubuntu.com]
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/InRelease  
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/Release.gpg  Temporary failure resolving 'archive.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.

Here is the ufw log showing the blocked connections from the docker container.

$ sudo tail /var/log/ufw.log
Jun 30 15:41:56 localhost kernel: [61609.503199] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14886 DF PROTO=UDP SPT=60192 DPT=53 LEN=44 
Jun 30 15:42:01 localhost kernel: [61614.500867] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.4.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=16137 DF PROTO=UDP SPT=44812 DPT=53 LEN=44 
Jun 30 15:42:06 localhost kernel: [61619.498516] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14887 DF PROTO=UDP SPT=60192 DPT=53 LEN=44

I tried adding a rule using the IP.

$ sudo ufw allow in from 172.16.42.2
$ sudo ufw allow out from 172.16.42.2

And nothing changed; it is still blocked.

How can I easily allow all connections from the container to the outside with a ufw rule?

Mario César asked Jun 30 '13 19:06
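The [UFW BLOCK] lines above already say why the container is cut off: IN= is the bridge, OUT= is the uplink and PHYSIN= names the container's veth, so these are drops in the FORWARD chain, and DPT=53 shows it is DNS that fails first (which is why apt-get cannot resolve archive.ubuntu.com). The following added example, not part of the question or of either answer, parses such lines and summarises forwarded drops per interface, source, destination and port. The first three sample lines are copied from the log above; the fourth is a constructed INPUT-chain drop (empty OUT=) to show how a forwarded container packet differs from one aimed at the host itself.

```python
"""Parse [UFW BLOCK] kernel log lines and summarise forwarded (bridged) drops.

Added example for the question above; not code from the original post.
The first three sample lines are copied from the ufw log in the question; the
fourth is a constructed INPUT-chain drop (no OUT interface) to show how a
forwarded container packet differs from an inbound one aimed at the host."""
import re
from collections import Counter

BLOCK_RE = re.compile(r"\[UFW BLOCK\]\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # \S* so that an empty 'OUT=' still yields a key

SAMPLE_LINES = [
    "Jun 30 15:41:56 localhost kernel: [61609.503199] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14886 DF PROTO=UDP SPT=60192 DPT=53 LEN=44",
    "Jun 30 15:42:01 localhost kernel: [61614.500867] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.4.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=16137 DF PROTO=UDP SPT=44812 DPT=53 LEN=44",
    "Jun 30 15:42:06 localhost kernel: [61619.498516] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14887 DF PROTO=UDP SPT=60192 DPT=53 LEN=44",
    # constructed: an inbound SSH attempt at the host itself, dropped in INPUT, not forwarded
    "Jun 30 15:43:10 localhost kernel: [61683.000000] [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51515 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
]


def parse_ufw_block(line):
    """Return the key=value fields of a [UFW BLOCK] line, or None for other lines.
    LEN appears twice (IP total length, then the UDP/TCP length); the first wins."""
    m = BLOCK_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, val in KV_RE.findall(m.group("fields")):
        fields.setdefault(key, val)
    return fields


def is_forwarded(fields):
    """Both IN and OUT set means the packet was dropped in the FORWARD chain,
    i.e. it was transiting the host; PHYSIN additionally names the bridge port."""
    return bool(fields.get("IN")) and bool(fields.get("OUT"))


def summarize_forwarded_drops(lines):
    """Count FORWARD drops keyed by (in-iface, out-iface, src, dst, proto, dport)."""
    counts = Counter()
    for line in lines:
        f = parse_ufw_block(line)
        if f is None or not is_forwarded(f):
            continue
        counts[(f["IN"], f["OUT"], f["SRC"], f["DST"], f.get("PROTO"), f.get("DPT"))] += 1
    return counts


def blocked_bridges(lines):
    """Interfaces seen as IN= together with a PHYSIN= bridge port: the container
    bridges whose forwarded traffic ufw is dropping, i.e. the ones a forward
    rule has to name."""
    bridges = set()
    for line in lines:
        f = parse_ufw_block(line)
        if f and is_forwarded(f) and f.get("PHYSIN"):
            bridges.add(f["IN"])
    return sorted(bridges)


if __name__ == "__main__":
    for key, n in summarize_forwarded_drops(SAMPLE_LINES).items():
        print(n, "x", key)
    print("bridges with dropped forwards:", blocked_bridges(SAMPLE_LINES))
```

Run against the real file with `summarize_forwarded_drops(open("/var/log/ufw.log"))`; any key whose in-interface is a bridge and whose out-interface is the uplink is traffic that `ufw allow in from <ip>` cannot fix, because those rules only touch the INPUT chain.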



2 Answers

This fixed it for me:

 ufw allow in on docker0
Bryan Larsen answered Nov 16 '22 01:11


Edit /etc/ufw/before.rules as follows:

In the *filter section, after the first block of required lines, add:

# docker rules to enable external network access from the container
# forward traffic across the bridge
-A ufw-before-forward -i docker0 -j ACCEPT
-A ufw-before-forward -i testbr0 -j ACCEPT
-A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT

At the end of the file, after the line that says COMMIT, add the following section:

*nat
:POSTROUTING ACCEPT [0:0]
# masquerade only the container bridge subnet; a /8 here would match all of 172.0.0.0/8
-A POSTROUTING -s 172.16.42.0/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

After saving the file, restart ufw with sudo ufw disable && sudo ufw enable

Franchu answered Nov 16 '22 02:11