Menu
For me this is a very standard setup, I had a ubuntu machine running docker and ufw as my firewall.
If my firewall is enable the docker instances is unable to connect to outside
$ docker run -i -t ubuntu /bin/bash
WARNING: Docker detected local DNS server on resolv.conf. Using default external servers: [8.8.8.8 8.8.4.4]
root@d300c5f17207:/# apt-get update
Err http://archive.ubuntu.com precise InRelease
0% [Connecting to archive.ubuntu.com]
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/InRelease
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/Release.gpg Temporary failure resolving 'archive.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.
Here is the ufw log showing the blocked connections from the docker container.
$ sudo tail /var/log/ufw.log
Jun 30 15:41:56 localhost kernel: [61609.503199] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14886 DF PROTO=UDP SPT=60192 DPT=53 LEN=44
Jun 30 15:42:01 localhost kernel: [61614.500867] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.4.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=16137 DF PROTO=UDP SPT=44812 DPT=53 LEN=44
Jun 30 15:42:06 localhost kernel: [61619.498516] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14887 DF PROTO=UDP SPT=60192 DPT=53 LEN=44
I had try adding a rule using the ip.
$ sudo ufw allow in from 172.16.42.2
$ sudo ufw allow out from 172.16.42.2
And have no change is still blocked.
How can I esily allow all connections from the container to outside with a ufw rule?
914
Your Docker container can connect to the outside world, but the outside world cannot connect to the container. To make the ports accessible for external use or with other containers not on the same network, you will have to use the -P (publish all available ports) or -p (publish specific ports) flag.
If you run container with -p 80:8080, you'll be able to access in-container web server running on port 8080 from outside world, querying port 80 on docker host. You received this message because you are subscribed to the Google Groups "docker-dev" group.
This fixed it for me:
ufw allow in on docker0
Edit /etc/ufw/before.rules as follows:
In the *filter section, after the first block of required lines, add:
# docker rules to enable external network access from the container
# forward traffic accross the bridge
-A ufw-before-forward -i docker0 -j ACCEPT
-A ufw-before-forward -i testbr0 -j ACCEPT
-A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
At the end of the file, after the line that says COMMIT, add the following section:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.42.0/8 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
After saving the file, restart ufw with sudo ufw disable && sudo ufw enable
33
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
