
Comments (27)

ecamaj commented on July 23, 2024

Of course, when I disable csf and restart docker service, it works from both domain and 127.0.0.1.

from csf-post-docker.

commented on July 23, 2024

Hi Eddie,

I tried to query a webpage using curl http://localhost and curl http://<domain>. Both worked for me.

Could you try to remove the script csfpost.sh and see if it works?

Thanks
Julien

ecamaj commented on July 23, 2024

No, when I remove csfpost.sh and I restart csf, docker is not accessible at all (both domain and localhost).
Can I give you some details from the server maybe?

ecamaj commented on July 23, 2024

iptables -L -n -t nat:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:5601
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:9200
MASQUERADE  tcp  --  172.17.0.5           172.17.0.5           tcp dpt:8000
MASQUERADE  tcp  --  172.17.0.5           172.17.0.5           tcp dpt:8888
MASQUERADE  tcp  --  172.17.0.5           172.17.0.5           tcp dpt:8889
MASQUERADE  tcp  --  172.17.0.7           172.17.0.7           tcp dpt:80

Chain DOCKER (2 references)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5601 to:172.17.0.4:5601
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9200 to:172.17.0.4:9200
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8000 to:172.17.0.5:8000
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8888 to:172.17.0.5:8888
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8889 to:172.17.0.5:8889
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5001 to:172.17.0.7:80

Chain WEAVE (0 references)
target     prot opt source               destination         

ecamaj commented on July 23, 2024

I just noticed that when I restart docker service, this line in iptables is different:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

goes to:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

And the first line in POSTROUTING is added:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL

Smells like a clue. :)
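
One way to make the before/after comparison in the comment above repeatable, as an added example that is not part of the original thread or of the csf-post-docker script. It parses two saved `iptables -L -n -t nat` listings and prints the rules that differ per chain; the function names and file names are hypothetical, and the two listings are constructed from the rules quoted in the comment.

```shell
#!/usr/bin/env bash
# Added example: diff two saved `iptables -L -n -t nat` listings rule by rule.

# normalize_nat FILE: print one "CHAIN | rule" line per rule, whitespace squeezed.
normalize_nat() {
    awk '
        /^Chain /             { chain = $2; next }   # remember the current chain
        /^target / || NF == 0 { next }               # skip column headers and blanks
        { $1 = $1; print chain " | " $0 }            # rebuild $0 with single spaces
    ' "$1" | LC_ALL=C sort
}

# nat_diff BEFORE AFTER: "-" rules exist only in BEFORE, "+" only in AFTER.
nat_diff() {
    local a b
    a=$(mktemp) && b=$(mktemp) || return 1
    normalize_nat "$1" > "$a"
    normalize_nat "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b" | sed 's/^/- /'
    LC_ALL=C comm -13 "$a" "$b" | sed 's/^/+ /'
    rm -f "$a" "$b"
}

# sample_diff: run nat_diff on two constructed listings modelled on the thread.
sample_diff() {
    local dir; dir=$(mktemp -d) || return 1
    cat > "$dir/after_csf_restart.txt" <<'EOF'
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
EOF
    cat > "$dir/after_docker_restart.txt" <<'EOF'
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
EOF
    nat_diff "$dir/after_csf_restart.txt" "$dir/after_docker_restart.txt"
    rm -rf "$dir"
}

sample_diff
```

On a real host, save `iptables -L -n -t nat` to a file after each restart and pass the two files to `nat_diff`.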

commented on July 23, 2024

Which version of docker do you use?

ecamaj commented on July 23, 2024

Downgraded a little because of docker cloud, for which this is the latest version ...

root@server1 [/etc/init.d]# docker version
Client:
 Version:      1.9.1-cs2
 API version:  1.21
 Go version:   go1.4.3
 Git commit:   4ade326
 Built:        Mon Nov 30 21:56:07 UTC 2015
 OS/Arch:      linux/amd64

Server:
 Version:      1.9.1-cs2
 API version:  1.21
 Go version:   go1.4.3
 Git commit:   4ade326
 Built:        Mon Nov 30 21:56:07 UTC 2015
 OS/Arch:      linux/amd64

commented on July 23, 2024

I see that you are using Weave. Maybe something with that?

ecamaj commented on July 23, 2024

No, I don't even know what that is ... I think docker cloud uses that.
Anyway, from what I sent you - changes of iptables before and after - you don't think that the exact line mentioning 127.0.0.1 holds information about the problem?

Doesn't this mean something like (not)127.0.0.0/8?

DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

commented on July 23, 2024

I checked 2 of my servers and they both have that line. And they are not reporting a problem.

ecamaj commented on July 23, 2024

Interesting... and do you have this line on your servers?

Chain OUTPUT (policy ACCEPT)
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

commented on July 23, 2024

I have the same as in your first output:

Chain OUTPUT (policy ACCEPT)
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

ecamaj commented on July 23, 2024

Then I don't know.
Can I send you something that would lead you to the problem why restarting CSF kills routing to localhost:port exposed previously by Docker?

commented on July 23, 2024

sure

ecamaj commented on July 23, 2024

:) that was a question - what to send for you to check? I'm not sure.

commented on July 23, 2024

:) sorry, didn't catch that.

access to the server :D

ecamaj commented on July 23, 2024

:) anything else?
send some output? :)

commented on July 23, 2024

verbose output of iptables:

  • iptables -nvL
  • iptables -nvL -t nat

output of docker: docker ps

ecamaj commented on July 23, 2024

any thoughts?
thanks

commented on July 23, 2024

Was the output that you sent with or without csfpost?

ecamaj commented on July 23, 2024

Hi, did you have time to check this out? Just to remove it from the list... :)
This would make the script complete.
thanks

commented on July 23, 2024

Hi Eddie,

Let's try TeamViewer (http://www.teamviewer.com/) so I can see your terminal.

ecamaj commented on July 23, 2024

Sure, http://get.teamviewer.com/v11/s03239658

commented on July 23, 2024

contact me by email

ecamaj commented on July 23, 2024

Can't find one... I'm ready to accept connection now. :)

commented on July 23, 2024

do a git log on the clone of the repo

ecamaj commented on July 23, 2024

Solved, I guess Julien will merge it in the script.
