How to forward a port to docker using iptables?


Two networks (release and beta) are created from two separate docker-compose.yml files, and two containers (release and beta) are created from two further docker-compose.yml files.

Port forwarding needs to be set up according to the following scheme:

93.184.216.34:18080 --> 172.18.0.1:8080
93.184.216.34:28080 --> 172.19.0.1:8080

That is, a request arriving from the Internet on port 18080 should be delivered to 172.18.0.1:8080, and a request arriving on port 28080 should be delivered to 172.19.0.1:8080.

# ifconfig eno1 | grep 'inet '
        inet 93.184.216.34  netmask 255.255.255.255  broadcast 0.0.0.0
# grep PRETTY_NAME /etc/os-release
PRETTY_NAME="Ubuntu 20.04.3 LTS"
# cat /proc/sys/net/ipv4/ip_forward
1
# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 172.18.0.1:8080         0.0.0.0:*               LISTEN      568909/docker-proxy
tcp        0      0 172.19.0.1:8080         0.0.0.0:*               LISTEN      568103/docker-proxy
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      578649/nginx: worke
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      792/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1761403/sshd: /usr/
tcp        0      0 172.18.0.1:8443         0.0.0.0:*               LISTEN      568897/docker-proxy
tcp        0      0 172.19.0.1:8443         0.0.0.0:*               LISTEN      568088/docker-proxy
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      578649/nginx: worke
tcp6       0      0 :::80                   :::*                    LISTEN      578649/nginx: worke
tcp6       0      0 :::22                   :::*                    LISTEN      1761403/sshd: /usr/
tcp6       0      0 :::443                  :::*                    LISTEN      578649/nginx: worke
udp        0      0 127.0.0.53:53           0.0.0.0:*                           792/systemd-resolve
# docker network ls
NETWORK ID     NAME           DRIVER    SCOPE
f8f71d4719da   bridge         bridge    local
1d9b04ce164f   host           host      local
6465a20b68ad   test_beta      bridge    local
61b7d37d0154   test_release   bridge    local
0de755f43eda   none           null      local
# docker ps
CONTAINER ID   IMAGE                   COMMAND                  CREATED      STATUS        PORTS                                                                        NAMES
4141cfd1ee7a   test_release_dashboard:v14   "/usr/bin/supervisord"   6 days ago   Up 5 days     5021/tcp, 5025-5026/tcp, 172.19.0.1:8080->80/tcp, 172.19.0.1:8443->443/tcp   test_beta_dashboard
1caffee38f89   test_release_dashboard:v14   "/usr/bin/supervisord"   6 days ago   Up 6 days     5021/tcp, 5025-5026/tcp, 172.18.0.1:8080->80/tcp, 172.18.0.1:8443->443/tcp   test_release_dashboard

docker-compose.yml

# Compose file whose purpose is to create the `test_release` bridge network with
# a fixed subnet. The `hello-world` service attached to it presumably exists only
# to hold the network (it exits immediately and is absent from `docker ps`).
version: '2'

# NOTE(review): top-level `name` is a Compose-spec key; whether the legacy 2.x
# file-format parser honours it depends on the compose tool in use — confirm.
name: test_release_network

services:
  test_release_network:
    image: hello-world
    container_name: test_release_network
    hostname: test_release_network
    networks:
      test_release:
        # Static address inside 172.18.0.0/16 (declared below); .0.255 is an
        # ordinary host address in a /16, not the broadcast address.
        ipv4_address: 172.18.0.255

networks:
  test_release:
    name: test_release
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.18.0.0/16
          # The bridge's own address on the host (the `test_release` interface).
          gateway: 172.18.0.1
    driver_opts:
      # Published ports of containers on this network bind to 172.18.0.1 instead
      # of 0.0.0.0, which is why docker-proxy listens on 172.18.0.1:8080/8443
      # and nothing is published on the public address 93.184.216.34.
      com.docker.network.bridge.host_binding_ipv4: "172.18.0.1"
      com.docker.network.bridge.enable_icc: "true"
      com.docker.network.enable_ipv6: "false"
      # Name of the Linux bridge interface; matches the `-i/-o test_release`
      # matches in the iptables ruleset.
      com.docker.network.bridge.name: "test_release"

docker-compose.yml

# Compose file whose purpose is to create the `test_beta` bridge network with a
# fixed subnet. The `hello-world` service attached to it presumably exists only
# to hold the network (it exits immediately and is absent from `docker ps`).
version: '2'

# NOTE(review): top-level `name` is a Compose-spec key; whether the legacy 2.x
# file-format parser honours it depends on the compose tool in use — confirm.
name: test_beta_network

services:
  test_beta_network:
    image: hello-world
    container_name: test_beta_network
    hostname: test_beta_network
    networks:
      test_beta:
        # Static address inside 172.19.0.0/16 (declared below); .0.255 is an
        # ordinary host address in a /16, not the broadcast address.
        ipv4_address: 172.19.0.255

networks:
  test_beta:
    name: test_beta
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.19.0.0/16
          # The bridge's own address on the host (the `test_beta` interface).
          gateway: 172.19.0.1
    driver_opts:
      # Published ports of containers on this network bind to 172.19.0.1 instead
      # of 0.0.0.0, which is why docker-proxy listens on 172.19.0.1:8080/8443
      # and nothing is published on the public address 93.184.216.34.
      com.docker.network.bridge.host_binding_ipv4: "172.19.0.1"
      com.docker.network.bridge.enable_icc: "true"
      com.docker.network.enable_ipv6: "false"
      # Name of the Linux bridge interface; matches the `-i/-o test_beta`
      # matches in the iptables ruleset.
      com.docker.network.bridge.name: "test_beta"

docker-compose.yml

# Compose file for the release dashboard container; it joins the externally
# managed `test_release` network created by the network-only compose file.
version: '3.1'

name: test_release_dashboard

services:
  test_release_dashboard:
    image: test_release_dashboard:v14
    container_name: test_release_dashboard
    hostname: test_release_dashboard
    restart: unless-stopped

    # Container-to-container ports only; these are not published on the host.
    expose:
      - "5021"
      - "5026"
      - "5025"

    # No host IP is given, so the network's host_binding_ipv4 (172.18.0.1)
    # applies: the mappings come out as 172.18.0.1:8080->80 and
    # 172.18.0.1:8443->443 (see `docker ps`), not as ports on 93.184.216.34.
    ports:
      - "8080:80"
      - "8443:443"

    networks:
      test_release:
        # Fixed container address; the DNAT target in Docker's nat rules.
        ipv4_address: 172.18.0.3

networks:
  test_release:
    # Created by the network-only compose file; compose must neither create nor
    # remove it here.
    external: true

docker-compose.yml

# Compose file for the beta dashboard container; it joins the externally
# managed `test_beta` network created by the network-only compose file.
version: '3.1'

name: test_beta_dashboard

services:
  test_beta_dashboard:
    # Same image as the release dashboard; only the name, address and network differ.
    image: test_release_dashboard:v14
    container_name: test_beta_dashboard
    hostname: test_beta_dashboard
    restart: unless-stopped

    # Container-to-container ports only; these are not published on the host.
    expose:
      - "5021"
      - "5026"
      - "5025"

    # No host IP is given, so the network's host_binding_ipv4 (172.19.0.1)
    # applies: the mappings come out as 172.19.0.1:8080->80 and
    # 172.19.0.1:8443->443 (see `docker ps`), not as ports on 93.184.216.34.
    ports:
      - "8080:80"
      - "8443:443"

    networks:
      test_beta:
        # Fixed container address; the DNAT target in Docker's nat rules.
        ipv4_address: 172.19.0.3

networks:
  test_beta:
    # Created by the network-only compose file; compose must neither create nor
    # remove it here.
    external: true

Output of iptables-save:

# Generated by iptables-save v1.8.4 on Sun Dec  3 14:04:24 2023
*nat
:PREROUTING ACCEPT [1684:94175]
:INPUT ACCEPT [1432:80961]
:OUTPUT ACCEPT [541:33449]
:POSTROUTING ACCEPT [583:35969]
:DOCKER - [0:0]
# Only packets addressed to a local (host) address are handed to Docker's nat
# chain; any user rule appended to PREROUTING later is evaluated after this jump.
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# Docker masquerades each bridge subnet when it leaves the host.
-A POSTROUTING -s 172.19.0.0/16 ! -o test_beta -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o test_release -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.19.0.3/32 -d 172.19.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.19.0.3/32 -d 172.19.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i test_beta -j RETURN
-A DOCKER -i test_release -j RETURN
-A DOCKER -i docker0 -j RETURN
# Docker's published-port DNATs match only the bridge gateway address set by
# host_binding_ipv4 (172.18.0.1 / 172.19.0.1), never 93.184.216.34, so a packet
# to 93.184.216.34:18080 passes through this chain untouched.
-A DOCKER -d 172.18.0.1/32 ! -i test_release -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.18.0.3:443
-A DOCKER -d 172.18.0.1/32 ! -i test_release -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.3:80
-A DOCKER -d 172.19.0.1/32 ! -i test_beta -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.19.0.3:443
-A DOCKER -d 172.19.0.1/32 ! -i test_beta -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.19.0.3:80
COMMIT
# Completed on Sun Dec  3 14:04:24 2023
# Generated by iptables-save v1.8.4 on Sun Dec  3 14:04:24 2023
*filter
# Default-deny INPUT: only the ports listed explicitly below are accepted, and
# INPUT sees the destination as already rewritten by any nat PREROUTING DNAT.
:INPUT DROP [219:11154]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [529961:1681938765]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Docker-managed FORWARD chains; DOCKER-USER is consulted first and is the
# intended place for local forwarding policy.
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o test_beta -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o test_beta -j DOCKER
-A FORWARD -i test_beta ! -o test_beta -j ACCEPT
-A FORWARD -i test_beta -o test_beta -j ACCEPT
-A FORWARD -o test_release -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o test_release -j DOCKER
-A FORWARD -i test_release ! -o test_release -j ACCEPT
-A FORWARD -i test_release -o test_release -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i test_release -o test_release -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i test_release -o test_release -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i test_beta -o test_beta -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i test_beta -o test_beta -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i test_beta ! -o test_beta -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i test_release ! -o test_release -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o test_beta -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o test_release -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -i test_release -j RETURN
-A DOCKER-USER -o test_release -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i test_beta -j RETURN
-A DOCKER-USER -o test_beta -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Local policy: new connections arriving on eno1 are rejected before they can be
# forwarded into any Docker bridge or to any 172.16.0.0/12 address. A DNAT that
# targets a container address (172.18.0.3 / 172.19.0.3) directly would therefore
# be rejected here unless these rules are revisited.
-A DOCKER-USER -i eno1 -o test_release -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -i eno1 -o test_beta -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -i eno1 -o docker0 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -d 172.16.0.0/12 -i eno1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Dec  3 14:04:24 2023

I tried these commands (they don't work):

# NOTE(review): the PREROUTING DNATs below rewrite the destination to
# 172.18.0.1:8080 / 172.19.0.1:8080, which are local addresses (docker-proxy
# listens there, see the netstat output). Such packets are delivered through
# the filter INPUT chain, not FORWARD, so widening the FORWARD policy from DROP
# to ACCEPT does not help this path and only loosens Docker's default-deny.
iptables -P FORWARD ACCEPT
# NOTE(review): filter INPUT runs after nat PREROUTING, so it sees the rewritten
# port 8080 and never 18080/28080; these two rules cannot match and the new
# connection falls through to the INPUT DROP policy. Matching the post-DNAT
# tuple (e.g. `-i eno1 -d 172.18.0.1 -p tcp --dport 8080`) or the original port
# via `-m conntrack --ctorigdstport 18080` is what INPUT would need — confirm.
iptables -A INPUT -p tcp --dport 18080 -j ACCEPT
iptables -A INPUT -p tcp --dport 28080 -j ACCEPT
# Appended after Docker's own PREROUTING jump; Docker's DOCKER chain matches only
# -d 172.18.0.1/172.19.0.1, so packets to 93.184.216.34:18080/28080 reach these
# rules untouched and are rewritten here.
iptables -t nat -A PREROUTING -i eno1 -p tcp -m tcp --dport 18080 -j DNAT --to-destination 172.18.0.1:8080
iptables -t nat -A PREROUTING -i eno1 -p tcp -m tcp --dport 28080 -j DNAT --to-destination 172.19.0.1:8080
# Not needed for this path: the DNAT target is local, so POSTROUTING is not
# traversed, and Docker already masquerades each bridge subnet leaving via eno1.
iptables -t nat -A POSTROUTING -s 172.16.0.0/12 -o eno1 -j MASQUERADE

I also tried the following (doesn't work either):

# NOTE(review): same INPUT problem as the previous attempt — these two ACCEPT
# rules match the pre-DNAT port, but INPUT is evaluated after nat PREROUTING
# and only ever sees port 8080, so the connection still hits INPUT's DROP
# policy. The FORWARD policy change is likewise irrelevant to a locally
# delivered packet and weakens the default-deny.
iptables -P FORWARD ACCEPT
iptables -A INPUT -p tcp --dport 18080 -j ACCEPT
iptables -A INPUT -p tcp --dport 28080 -j ACCEPT
# Without `-i eno1` this also rewrites port-18080 traffic arriving from the
# Docker bridges, not only from the Internet; restricting the ingress interface
# keeps the rule to the intended path.
iptables -t nat -A PREROUTING -p tcp --dport 18080 -j DNAT --to-destination 172.18.0.1:8080
# POSTROUTING is not traversed for packets delivered to a local address such as
# 172.18.0.1, so this SNAT presumably never applies to the forwarded connection.
iptables -t nat -A POSTROUTING -p tcp -d 172.18.0.1 --dport 8080 -j SNAT --to-source 93.184.216.34
iptables -t nat -A PREROUTING -p tcp --dport 28080 -j DNAT --to-destination 172.19.0.1:8080
iptables -t nat -A POSTROUTING -p tcp -d 172.19.0.1 --dport 8080 -j SNAT --to-source 93.184.216.34
