I am working on a fresh server installation of Ubuntu 20.04.
I started a sample nginx by running docker run --rm -p 80:80 nginx
Port 80 appears to be open on the machine, but I can't curl the nginx default page:
$ nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-15 13:06 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000077s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:25:90:d7:xx:xx brd ff:ff:ff:ff:ff:ff
inet 81.169.xxx.xxx/32 scope global dynamic eno1
valid_lft 60728sec preferred_lft 60728sec
inet6 fe80::225:90ff:xxxx:xxxx/64 scope link
valid_lft forever preferred_lft forever
3: eno2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 00:25:90:d7:xx:xx brd ff:ff:ff:ff:ff:ff
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:70:d9:xx:xx brd ff:ff:ff:ff:ff:ff
inet6 fe80::42:70ff:xxxx:xxxx/64 scope link
valid_lft forever preferred_lft forever
48: br-49042740d2e8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:63:fe:xx:xx brd ff:ff:ff:ff:ff:ff
inet6 fe80::42:63ff:xxxx:xxxx/64 scope link
valid_lft forever preferred_lft forever
68: veth17ce2e9@if67: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether d6:e2:53:0b:xx:xx brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::d4e2:53ff:xxxx:xxxx/64 scope link
valid_lft forever preferred_lft forever
# Generated by iptables-save v1.8.4 on Sun Nov 15 13:00:57 2020
*filter
:INPUT ACCEPT (151:14142)
:FORWARD DROP (15:780)
:OUTPUT ACCEPT (123:16348)
:DOCKER - (0:0)
:DOCKER-ISOLATION-STAGE-1 - (0:0)
:DOCKER-ISOLATION-STAGE-2 - (0:0)
:DOCKER-USER - (0:0)
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-49042740d2e8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-49042740d2e8 -j DOCKER
-A FORWARD -i br-49042740d2e8 ! -o br-49042740d2e8 -j ACCEPT
-A FORWARD -i br-49042740d2e8 -o br-49042740d2e8 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-49042740d2e8 ! -o br-49042740d2e8 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-49042740d2e8 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Nov 15 13:00:57 2020
# Generated by iptables-save v1.8.4 on Sun Nov 15 13:00:57 2020
*nat
:PREROUTING ACCEPT (20:1254)
:INPUT ACCEPT (20:1254)
:OUTPUT ACCEPT (0:0)
:POSTROUTING ACCEPT (0:0)
:DOCKER - (0:0)
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.19.0.0/16 ! -o br-49042740d2e8 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i br-49042740d2e8 -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
COMMIT
# Completed on Sun Nov 15 13:00:57 2020
From my local machine, I am unable to connect to the server. Ports are being shown as filtered:
$ nmap example.de -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-15 14:12 CET
Nmap scan report for example.de (81.169.xxx.xxx)
Host is up (0.037s latency).
rDNS record for 81.169.xxx.xxx: h290xxxx.stratoserver.net
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp filtered http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
9876/tcp filtered sd
Nmap done: 1 IP address (1 host up) scanned in 2.67 seconds
Running the container in network mode host works as expected, and I can access the nginx default page via localhost and from my local machine.
docker run --rm --network host nginx
Why is exposing the ports not working as expected?
How can I fix this or analyze the problem further?
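An added example, not part of the question: it parses an iptables-save dump and reports whether the rules Docker installs for a published port are present (nat DNAT, filter DOCKER ACCEPT, DOCKER-USER drops, FORWARD policy), so the ruleset itself can be ruled in or out before looking elsewhere. The embedded dump is a constructed excerpt of the one posted above; function names are the example's own.

```python
from collections import defaultdict

# Constructed sample: the relevant lines of the ruleset shown in the question.
SAMPLE_DUMP = """\
*filter
:FORWARD DROP (15:780)
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
*nat
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
COMMIT
"""

def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [tokens]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):                       # table header, e.g. *filter
            table = line[1:]
            tables[table] = {"policy": {}, "rules": defaultdict(list)}
        elif line.startswith(":"):                     # chain declaration with policy
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):                   # append-rule line
            tokens = line.split()
            tables[table]["rules"][tokens[1]].append(tokens[2:])
    return tables

def opt(tokens, flag):
    """Value following `flag` in a rule's token list, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def check_published_port(text, port):
    """Findings for inbound TCP to `port`: DNAT target, filter ACCEPT, FORWARD policy."""
    t = parse_iptables_save(text)
    nat_docker = t.get("nat", {}).get("rules", {}).get("DOCKER", [])
    dnat = next((r for r in nat_docker if opt(r, "-j") == "DNAT"
                 and opt(r, "--dport") == str(port)), None)
    target = opt(dnat, "--to-destination") if dnat else None   # e.g. "172.17.0.2:80"
    flt = t["filter"]
    ip, _, dport = (target or ":").partition(":")
    accept = any(opt(r, "-d") == ip + "/32" and opt(r, "--dport") == dport
                 and opt(r, "-j") == "ACCEPT" for r in flt["rules"]["DOCKER"])
    user_drops = [r for r in flt["rules"]["DOCKER-USER"] if opt(r, "-j") in ("DROP", "REJECT")]
    return {"dnat_target": target, "docker_accept": accept,
            "forward_policy": flt["policy"].get("FORWARD"), "docker_user_drops": user_drops}
```

Run against real iptables-save output from the host; if, as in the posted dump, the DNAT and ACCEPT rules are present and DOCKER-USER drops nothing, the FORWARD policy counters (iptables -L FORWARD -v -n) and sysctl net.ipv4.ip_forward are the next things to compare against, since published ports depend on forwarded traffic reaching the DOCKER chain.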