I have 2 docker containers running on my host, web1 and web2. Container web1 maps port 8080 to the host port 18080, and web2 maps port 8080 to the host port 28080. The IP address of the host is 192.168.20.111 (yes it's LAN). I can access 192.168.20.111:18080 and 192.168.20.111:28080 from other machines in the same LAN.
When I tried to access 192.168.20.111:18080 (curl 192.168.20.111:18080) or 192.168.20.111:28080 from within web1/web2 container, I got a timeout error.
However, the Apache server running on port 8080 of the host can be accessed by 192.168.20.111:8080 from within web1/web2 container, which means the route from container to host is clear.
So my question is: Why does the timeout error happen, and how can I access 192.168.20.111:18080 from a docker container?
This is the docker-compose file I used to start up web2 (web1 is almost the same):
version: '2'
services:
  web:
    build: .
    ports:
      - "28080:8080"
    expose:
      - "8080"
    environment:
      - TALENTS_AUTH_HOST=192.168.20.111
      - TALENTS_AUTH_PORT=18080
      - TALENTS_ANALYSIS_HOST=192.168.20.111
      - TALENTS_ANALYSIS_PORT=18082
And this is the output of curl:
root@ea49393e56a4:/# curl -v http://192.168.20.111:28080
* Rebuilt URL to: http://192.168.20.111:28080/
* Trying 192.168.20.111...
* TCP_NODELAY set
* connect to 192.168.20.111 port 28080 failed: Connection timed out
* Failed to connect to 192.168.20.111 port 28080: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to 192.168.20.111 port 28080: Connection timed out
root@ea49393e56a4:/#
This is ip route of container web2:
root@ea49393e56a4:/# ip route
default via 172.25.0.1 dev eth0
172.25.0.0/16 dev eth0 proto kernel scope link src 172.25.0.2
root@ea49393e56a4:/#
This is the output of curl using gateway ip:
root@ea49393e56a4:/# curl -v http://172.25.0.1:28080
* Rebuilt URL to: http://172.25.0.1:28080/
* Trying 172.25.0.1...
* TCP_NODELAY set
* connect to 172.25.0.1 port 28080 failed: Connection timed out
* Failed to connect to 172.25.0.1 port 28080: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to 172.25.0.1 port 28080: Connection timed out
root@ea49393e56a4:/#
And by the way, the host machine (192.168.20.111) is a VirtualBox virtual machine running Ubuntu 16.04, and it's hosted on a Windows 10 desktop, using a bridged network to connect to the LAN.
Many thanks to @atline
Pinging the host ip from within the container is OK:
root@ea49393e56a4:/# ping 192.168.20.111
PING 192.168.20.111 (192.168.20.111) 56(84) bytes of data.
64 bytes from 192.168.20.111: icmp_seq=1 ttl=64 time=0.046 ms
64 bytes from 192.168.20.111: icmp_seq=2 ttl=64 time=0.038 ms
64 bytes from 192.168.20.111: icmp_seq=3 ttl=64 time=0.036 ms
64 bytes from 192.168.20.111: icmp_seq=4 ttl=64 time=0.036 ms
64 bytes from 192.168.20.111: icmp_seq=5 ttl=64 time=0.036 ms
64 bytes from 192.168.20.111: icmp_seq=6 ttl=64 time=0.039 ms
64 bytes from 192.168.20.111: icmp_seq=7 ttl=64 time=0.038 ms
^C
--- 192.168.20.111 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6000ms
rtt min/avg/max/mdev = 0.036/0.038/0.046/0.006 ms
which means the route is clear. As suggested by @atline, I stopped ufw on the host with "sudo service ufw stop", and then everything was OK.
I guess the problem is that the ufw scope is set to allow LAN requests, but the container is in the "172.25.0.0/16" subnet, not the same LAN as the host (192.168.0.0/16), so the request was blocked by ufw.
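As an added example (not part of the original post): instead of stopping ufw altogether, the container subnet from the `ip route` output above can be allowed to reach only the published ports. The script assumes, as the post guesses, that ufw currently admits only 192.168.0.0/16; the function names are hypothetical, and it prints the rules for review rather than applying them.

```shell
#!/bin/sh
# Added example: derive a scoped ufw rule instead of stopping ufw.
# ROUTE is the container's `ip route` output as posted above.
ROUTE='default via 172.25.0.1 dev eth0
172.25.0.0/16 dev eth0 proto kernel scope link src 172.25.0.2'
# Assumption: the only source range ufw allows is the LAN range named in the post.
ALLOWED='192.168.0.0/16'

# Dotted-quad IPv4 -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when address $1 lies inside CIDR block $2.
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Connected subnet and the container's own source address, from `ip route` text.
route_subnet() { printf '%s\n' "$1" | awk '$1 ~ /\// && $2 == "dev" { print $1; exit }'; }
route_src() { printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'; }

# Print "covered by <cidr>" if an allowed range already matches the source,
# otherwise the narrow rule to add: one subnet, one TCP port.
scoped_rule() {
    src=$1; subnet=$2; port=$3; shift 3
    for allowed in "$@"; do
        if in_cidr "$src" "$allowed"; then
            echo "covered by $allowed"
            return 0
        fi
    done
    echo "ufw allow from $subnet to any port $port proto tcp"
}

# Review the printed rules, then run them with sudo on the Docker host.
for port in 18080 28080; do
    scoped_rule "$(route_src "$ROUTE")" "$(route_subnet "$ROUTE")" "$port" $ALLOWED
done
```

Each compose project gets its own bridge subnet, so web1's `ip route` output needs the same check.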