Can't access the exposed port from LAN in bridge mode. #2142

Eucliddd · 2023-03-27T14:09:00Z

Eucliddd
Mar 27, 2023

Description

I am using nerdctl compose up -d to bulid a container in bridge mode.
In my docker-compose.yaml, i have added the following mapping rules:

version: '3.9'
services:
  utorrent:
    image: ekho/utorrent:latest
    volumes:
      - utorrent-settings:/utorrent/settings
      - /home/Data/data:/data
      - /home/Data/abs:/abs-path-dir
    environment:
      UID: 1000
      GID: 1000
      webui: ng
      dir_autoload_delete: true
      dir_download: subdir1,/abs-path-dir
    network_mode: bridge
    ports:
      - "9080:8080"
      - "7881:6881"
      - "7881:6881/udp"
    restart: always
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"

volumes:
  utorrent-settings:

After building and starting the container, i tried to access the webui from LAN, but can't get through. However, it is OK when i tried to access in the localhost.

Steps to reproduce the issue

create a docker-compose.yaml with the above configs.
nerdctl compose up -d.
try to access the webui with "http://ip:port" from LAN.
try to access with "http://localhost:port" in local.

Describe the results you received and expected

I want to access the exposed port of my containers from LAN in bridge mode.

What version of nerdctl are you using?

WARN[0000] unable to determine buildctl version: exec: "buildctl": executable file not found in $PATH
Client:
Version: 1.2.1
OS/Arch: linux/amd64
Git commit:
buildctl:
Version:

Server:
containerd:
Version: 1.4.13~ds1
GitCommit: 1.4.13~ds1-1~deb11u3
runc:
Version: 1.0.0~rc93+ds1
GitCommit: 1.0.0~rc93+ds1-5+deb11u2

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

Client:
Namespace: default
Debug Mode: false

Server:
Server Version: 1.4.13~ds1
Storage Driver: overlayfs
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Log: fluentd journald json-file syslog
Storage: native overlayfs
Security Options:
apparmor
seccomp
Profile: default
cgroupns
Kernel Version: 5.10.0-20-amd64
Operating System: Debian GNU/Linux 11 (bullseye)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 7.669GiB
Name: yongxisui
ID: 48bd4f03-1111-4d87-a7f0-192411df39c5

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Answered by Zheaoli

Mar 29, 2023

Seems you have Docker on your machine. I think there would be rule conflict here

DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
CNI-HOSTPORT-DNAT  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

View full answer

Zheaoli · 2023-03-27T16:41:30Z

Zheaoli
Mar 27, 2023
Maintainer

Would you mind providing the following Content:

Are you using the nerdctl in the native Linux or the lima on MacOS?
Would you mind checkout the result that runs "curl -v http://ip:port/" on your local machine and putting the result here?
If you run the server on the cloud-vendor, please make sure that you have set the right security rule in your security group

0 replies

Eucliddd · 2023-03-28T10:32:31Z

Eucliddd
Mar 28, 2023
Author

Would you mind providing the following Content:

Are you using the nerdctl in the native Linux or the lima on MacOS?

Would you mind checkout the result that runs "curl -v http://ip:port/" on your local machine and putting the result here?

If you run the server on the cloud-vendor, please make sure that you have set the right security rule in your security group

native Linux

*   Trying xxx.xxx.xxx.xxx:9080...
* Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 9080 (#0)
> GET /gui/ HTTP/1.1
> Host: xxx.xxx.xxx.xxx:9080
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Connection: close
< Content-Length: 0
< Content-Type: text/html
< WWW-Authenticate: Basic realm="uTorrent"
< Cache-Control: no-cache
< 
* Closing connection 0

No, the server is running on my pc.

0 replies

Eucliddd · 2023-03-28T10:34:11Z

Eucliddd
Mar 28, 2023
Author

Would you mind providing the following Content:

Are you using the nerdctl in the native Linux or the lima on MacOS?

Would you mind checkout the result that runs "curl -v http://ip:port/" on your local machine and putting the result here?

If you run the server on the cloud-vendor, please make sure that you have set the right security rule in your security group

native Linux
*   Trying xxx.xxx.xxx.xxx:9080...
* Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 9080 (#0)
> GET /gui/ HTTP/1.1
> Host: xxx.xxx.xxx.xxx:9080
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Connection: close
< Content-Length: 0
< Content-Type: text/html
< WWW-Authenticate: Basic realm="uTorrent"
< Cache-Control: no-cache
< 
* Closing connection 0
No, the server is running on my pc.

Additionally, i can access the containers with host mode from LAN.

0 replies

fahedouch · 2023-03-28T11:11:28Z

fahedouch
Mar 28, 2023
Maintainer

some extra steps that my help you :

Firewall settings: Make sure that the firewall rule is not blocking traffic to the exposed port. If you're using iptables on your server, you can check the rules using the iptables -L command.
Check your network configuration to make sure that your server is connected to the same LAN as the device you're trying to connect from. If your server is connected to a different network, you may not be able to access it.
Double-check that you're using the correct IP address and port number to connect to the service. If you're trying to connect to the service from another device on the same LAN, you should use the IP address of your server on the LAN, not the localhost address (127.0.0.1).

by the way are you able to connect to other service in your PC (different from containers) from the LAN ?

0 replies

Eucliddd · 2023-03-28T11:33:03Z

Eucliddd
Mar 28, 2023
Author

some extra steps that my help you :

Firewall settings: Make sure that the firewall rule is not blocking traffic to the exposed port. If you're using iptables on your server, you can check the rules using the iptables -L command.

Check your network configuration to make sure that your server is connected to the same LAN as the device you're trying to connect from. If your server is connected to a different network, you may not be able to access it.

Double-check that you're using the correct IP address and port number to connect to the service. If you're trying to connect to the service from another device on the same LAN, you should use the IP address of your server on the LAN, not the localhost address (127.0.0.1).

by the way are you able to connect to other service in your PC (different from containers) from the LAN ?

After i changed the container's network_mode to host, I can access the service from LAN using the same port. So i think the problem is with the bridge network_mode.

0 replies

fahedouch · 2023-03-28T13:53:32Z

fahedouch
Mar 28, 2023
Maintainer

when a container is using a bridge network and exposing a port to be reached from the LAN, you need to add a firewall rule to allow traffic to the container.

By default, incoming traffic from the LAN is blocked by the firewall on the host machine. When you expose a port on the container, you are allowing incoming traffic on that port to reach the container( bridge private network), but you still need to configure the firewall on the host machine to allow the traffic through.

To allow incoming traffic on the exposed port, you can add a firewall rule to the INPUT chain of the iptables firewall on the host machine. The rule should allow incoming traffic on the port that you exposed in the container.

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

This rule will add a new rule to the INPUT chain of the iptables firewall, allowing incoming TCP traffic on port 80. Replace "80" with the port number that you exposed in the container.

Would you also please list you host firewall rules

0 replies

fahedouch · 2023-03-28T14:00:00Z

fahedouch
Mar 28, 2023
Maintainer

Trying xxx.xxx.xxx.xxx:9080...

Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 9080 (#0)

GET /gui/ HTTP/1.1
Host: xxx.xxx.xxx.xxx:9080
User-Agent: curl/7.74.0
Accept: /

Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Connection: close
< Content-Length: 0
< Content-Type: text/html
< WWW-Authenticate: Basic realm="uTorrent"
< Cache-Control: no-cache
<

Closing connection 0

Sorry, I just check this. Looks like the socket recv() was success because you got a 401 response from the server asking you to authentificate using this realm="uTorrent" . I think here you just need a to make a new request with a valid beaer token

0 replies

Zheaoli · 2023-03-28T16:48:33Z

Zheaoli
Mar 28, 2023
Maintainer

Would you mind providing the following Content:

Are you using the nerdctl in the native Linux or the lima on MacOS?

Would you mind checkout the result that runs "curl -v http://ip:port/" on your local machine and putting the result here?

If you run the server on the cloud-vendor, please make sure that you have set the right security rule in your security group

native Linux
*   Trying xxx.xxx.xxx.xxx:9080...
* Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 9080 (#0)
> GET /gui/ HTTP/1.1
> Host: xxx.xxx.xxx.xxx:9080
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Connection: close
< Content-Length: 0
< Content-Type: text/html
< WWW-Authenticate: Basic realm="uTorrent"
< Cache-Control: no-cache
< 
* Closing connection 0
No, the server is running on my pc.
Additionally, i can access the containers with host mode from LAN.

Thanks for the information

I may have some guess about this issue base on the information

maybe the root cause is the default bridge network's subnet may conflict with your local network
to validate this guess, maybe you can create a new network with different subnet and bind it in your compose file and try it again

0 replies

Eucliddd · 2023-03-29T09:29:54Z

Eucliddd
Mar 29, 2023
Author

Thanks for the information

I may have some guess about this issue base on the information

maybe the root cause is the default bridge network's subnet may conflict with your local network

to validate this guess, maybe you can create a new network with different subnet and bind it in your compose file and try it again

Thank you for your help, and i think maybe there is something wrong with my network configuration.
Here is my network configuration:

ifconfig

br-7ce369a500d0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.4.5.1  netmask 255.255.255.0  broadcast 10.4.5.255
        inet6 fe80::b83c:8dff:fecd:3719  prefixlen 64  scopeid 0x20<link>
        ether f6:f7:a9:cc:9a:4b  txqueuelen 1000  (Ethernet)
        RX packets 2394583  bytes 140209568 (133.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 146656  bytes 11225726 (10.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

br-93daabeac2b4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.4.6.1  netmask 255.255.255.0  broadcast 10.4.6.255
        inet6 fe80::9857:1bff:fec1:25d5  prefixlen 64  scopeid 0x20<link>
        ether 7a:87:4c:ec:3c:43  txqueuelen 1000  (Ethernet)
        RX packets 223138  bytes 26691280 (25.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 252727  bytes 62600777 (59.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 114.212.xxx.xxx  netmask 255.255.248.0  broadcast 114.212.xxx.xxx
        inet6 fe80::56e1:adff:fef5:4291  prefixlen 64  scopeid 0x20<link>
        ether 54:e1:ad:f5:42:91  txqueuelen 1000  (Ethernet)
        RX packets 2236318534  bytes 2285112770255 (2.0 TiB)
        RX errors 0  dropped 16509  overruns 0  frame 0
        TX packets 1326974423  bytes 867532976245 (807.9 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

nerdctl0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.4.0.1  netmask 255.255.255.0  broadcast 10.4.0.255
        inet6 fe80::d8e5:a5ff:fe99:5d26  prefixlen 64  scopeid 0x20<link>
        ether 8e:d2:e9:89:55:a4  txqueuelen 1000  (Ethernet)
        RX packets 3573578  bytes 593810839 (566.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1134745  bytes 482611238 (460.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

nerdctl network ls

NETWORK ID      NAME                  FILE
                cbr0                  /etc/cni/net.d/10-flannel.conflist
17f29b073143    bridge                /etc/cni/net.d/nerdctl-bridge.conflist
93daabeac2b4    grafana_default       /etc/cni/net.d/nerdctl-grafana_default.conflist
7ce369a500d0    prometheus_default    /etc/cni/net.d/nerdctl-prometheus_default.conflist
                host                  
                none

nerdctl network inspect bridge --mode native

[
    {
        "CNI": {
            "cniVersion": "1.0.0",
            "name": "bridge",
            "nerdctlID": "17f29b073143d8cd97b5bbe492bdeffec1c5fee55cc1fe2112c8b9335f8b6121",
            "nerdctlLabels": {},
            "plugins": [
                {
                    "type": "bridge",
                    "bridge": "nerdctl0",
                    "isGateway": true,
                    "ipMasq": true,
                    "hairpinMode": true,
                    "ipam": {
                        "ranges": [
                            [
                                {
                                    "gateway": "10.4.0.1",
                                    "subnet": "10.4.0.0/24"
                                }
                            ]
                        ],
                        "routes": [
                            {
                                "dst": "0.0.0.0/0"
                            }
                        ],
                        "type": "host-local"
                    }
                },
                {
                    "type": "portmap",
                    "capabilities": {
                        "portMappings": true
                    }
                },
                {
                    "type": "firewall",
                    "ingressPolicy": "same-bridge"
                },
                {
                    "type": "tuning"
                }
            ]
        },
        "NerdctlID": "17f29b073143d8cd97b5bbe492bdeffec1c5fee55cc1fe2112c8b9335f8b6121",
        "NerdctlLabels": {},
        "File": "/etc/cni/net.d/nerdctl-bridge.conflist"
    }
]

After entering the container:
ifconfig

eth0      Link encap:Ethernet  HWaddr 76:51:62:35:c4:d6  
          inet addr:10.4.0.220  Bcast:10.4.0.255  Mask:255.255.255.0
          inet6 addr: fe80::7451:62ff:fe35:c4d6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:182355 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1139 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:36961281 (36.9 MB)  TX bytes:1461644 (1.4 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

5.iptables --list

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:6443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5555
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8787
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7070
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9090
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9080

Chain FORWARD (policy DROP)
target     prot opt source               destination         
CNI-ISOLATION-STAGE-1  all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
CNI-FORWARD  all  --  anywhere             anywhere             /* CNI firewall plugin rules */
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain CNI-ADMIN (1 references)
target     prot opt source               destination         

Chain CNI-FORWARD (1 references)
target     prot opt source               destination         
CNI-ADMIN  all  --  anywhere             anywhere             /* CNI firewall plugin admin overrides */
ACCEPT     all  --  anywhere             10.4.6.36            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.4.6.36            anywhere            
ACCEPT     all  --  anywhere             10.4.0.177           ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.4.0.177           anywhere            
ACCEPT     all  --  anywhere             10.4.5.13            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.4.5.13            anywhere            
ACCEPT     all  --  anywhere             10.4.0.220           ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.4.0.220           anywhere            
ACCEPT     all  --  anywhere             10.4.0.248           ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.4.0.248           anywhere            

Chain CNI-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
CNI-ISOLATION-STAGE-2  all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
CNI-ISOLATION-STAGE-2  all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
CNI-ISOLATION-STAGE-2  all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
CNI-ISOLATION-STAGE-2  all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
CNI-ISOLATION-STAGE-2  all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
RETURN     all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */

Chain CNI-ISOLATION-STAGE-2 (5 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
DROP       all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
DROP       all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
DROP       all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
DROP       all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
RETURN     all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */

Chain DOCKER (2 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

Thank you for your patience.

0 replies

Eucliddd · 2023-03-29T09:33:07Z

Eucliddd
Mar 29, 2023
Author

when a container is using a bridge network and exposing a port to be reached from the LAN, you need to add a firewall rule to allow traffic to the container.

By default, incoming traffic from the LAN is blocked by the firewall on the host machine. When you expose a port on the container, you are allowing incoming traffic on that port to reach the container( bridge private network), but you still need to configure the firewall on the host machine to allow the traffic through.

To allow incoming traffic on the exposed port, you can add a firewall rule to the INPUT chain of the iptables firewall on the host machine. The rule should allow incoming traffic on the port that you exposed in the container.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
This rule will add a new rule to the INPUT chain of the iptables firewall, allowing incoming TCP traffic on port 80. Replace "80" with the port number that you exposed in the container.

Would you also please list you host firewall rules

iptables --list

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:6443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5555
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8787
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7070
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9090
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9080

Chain FORWARD (policy DROP)
target     prot opt source               destination         
CNI-ISOLATION-STAGE-1  all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
CNI-FORWARD  all  --  anywhere             anywhere             /* CNI firewall plugin rules */
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain CNI-ADMIN (1 references)
target     prot opt source               destination         

Chain CNI-FORWARD (1 references)
target     prot opt source               destination         
CNI-ADMIN  all  --  anywhere             anywhere             /* CNI firewall plugin admin overrides */
ACCEPT     all  --  anywhere             10.4.6.36            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.4.6.36            anywhere            
ACCEPT     all  --  anywhere             10.4.0.177           ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.4.0.177           anywhere            
ACCEPT     all  --  anywhere             10.4.5.13            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.4.5.13            anywhere            
ACCEPT     all  --  anywhere             10.4.0.220           ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.4.0.220           anywhere            
ACCEPT     all  --  anywhere             10.4.0.248           ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.4.0.248           anywhere            

Chain CNI-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
CNI-ISOLATION-STAGE-2  all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
CNI-ISOLATION-STAGE-2  all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
CNI-ISOLATION-STAGE-2  all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
CNI-ISOLATION-STAGE-2  all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
CNI-ISOLATION-STAGE-2  all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
RETURN     all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */

Chain CNI-ISOLATION-STAGE-2 (5 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
DROP       all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
DROP       all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
DROP       all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
DROP       all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */
RETURN     all  --  anywhere             anywhere             /* CNI firewall plugin rules (ingressPolicy: same-bridge) */

Chain DOCKER (2 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

0 replies

Zheaoli · 2023-03-29T13:10:27Z

Zheaoli
Mar 29, 2023
Maintainer

Would you mind to run sudo iptables -L -n -t nat and put result here?

0 replies

Eucliddd · 2023-03-29T14:26:54Z

Eucliddd
Mar 29, 2023
Author

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
CNI-HOSTPORT-DNAT  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
CNI-HOSTPORT-DNAT  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
CNI-HOSTPORT-MASQ  all  --  0.0.0.0/0            0.0.0.0/0            /* CNI portfwd requiring masquerade */
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
MASQUERADE  all  --  172.18.0.0/16        0.0.0.0/0           
CNI-a1a3b970ea04ce30791623c1  all  --  10.4.0.175           0.0.0.0/0            /* name: "bridge" id: "default-75b42901743ecabc618466d8de2d5dae720aa2d2698a9f1e48506b5787b4ecbe" */
CNI-44f68401e6e809c86f532dd0  all  --  10.4.0.176           0.0.0.0/0            /* name: "bridge" id: "default-aa9efba258745f1516bd681723c041c29470b32f53961656a1d4c4c315e48fee" */
CNI-25cc9d1fb9cca5dfa023b5b1  all  --  10.4.6.36            0.0.0.0/0            /* name: "grafana_default" id: "default-dc44cf60a6bc51fff024700569eac611f9e2d4345bc6c02719ca359447a2b83d" */
CNI-f6dc221730d77da4fcbf8bee  all  --  10.4.2.3             0.0.0.0/0            /* name: "qbit_default" id: "default-b2a772d9d1b161b98775f1156d188912dd7e6b25b07b25e427e049070d8de227" */
CNI-f6dc221730d77da4fcbf8bee  all  --  10.4.2.4             0.0.0.0/0            /* name: "qbit_default" id: "default-b2a772d9d1b161b98775f1156d188912dd7e6b25b07b25e427e049070d8de227" */
CNI-e051b4354002202cf9ffdb52  all  --  10.4.0.177           0.0.0.0/0            /* name: "bridge" id: "default-1090fb50ef07af464aca7fe0c99ffc7ebb00666924f5563b6c4d225ff30e183d" */
CNI-5618f94c5ce1b0733977592c  all  --  10.4.5.13            0.0.0.0/0            /* name: "prometheus_default" id: "default-86d9632cceb1864e1c1ccb01ec98514a370ef33a0ef0dbd019b65fc7f1061b48" */
CNI-f6dc221730d77da4fcbf8bee  all  --  10.4.2.5             0.0.0.0/0            /* name: "qbit_default" id: "default-b2a772d9d1b161b98775f1156d188912dd7e6b25b07b25e427e049070d8de227" */
CNI-b3f19f60df276d40982d25d1  all  --  10.4.0.178           0.0.0.0/0            /* name: "bridge" id: "default-c05943d4f3088bce0bcb8f0af55ba050573ec23e9381348f322b9bed01bc3537" */
CNI-11f221c81fd1454e05ef066c  all  --  10.4.0.179           0.0.0.0/0            /* name: "bridge" id: "default-cd2ebd739f959754108fff033b0068a696ea6aa7dccb4d11b54926f6fbd152ef" */
CNI-cabbcdf2359934d8654c9443  all  --  10.4.4.2             0.0.0.0/0            /* name: "utorrent_default" id: "default-0e06555195caab62bafd28dba973433670005b871486619df08d902b44e29f7f" */
CNI-3e2786167eb469e112186ebc  all  --  10.4.0.218           0.0.0.0/0            /* name: "bridge" id: "default-3d045b79d5a6a71d48baec99ab3a5989f69c7804591b47c477956a8e0f12c744" */
CNI-d2170d7c041eaf9aafda1faa  all  --  10.4.0.219           0.0.0.0/0            /* name: "bridge" id: "default-f8393a3f6d51ea62224015f459736b8de8bd827533a25799da7258a12032d238" */
CNI-e75ab7614e7b86cfb175ebc9  all  --  10.4.0.220           0.0.0.0/0            /* name: "bridge" id: "default-145757de9518f035b8f9adbec57ac0daa85610750d4bb3558dbac1355b6147e7" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.221           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.222           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.223           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.224           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.225           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.226           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.227           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.228           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.229           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.230           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.231           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.232           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.233           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.234           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.235           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.236           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.237           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.238           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.239           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.240           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.241           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.242           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.243           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.244           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.245           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.246           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-e4eacdf53789f7f4a4a8008a  all  --  10.4.0.247           0.0.0.0/0            /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
CNI-cde09b3b5a187c320e2b7701  all  --  10.4.0.248           0.0.0.0/0            /* name: "bridge" id: "default-cb694477e17817d77ada0e66547582fc827e6d3b3bcf9ef2755aa004695e3662" */

Chain CNI-11f221c81fd1454e05ef066c (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.4.0.0/24          /* name: "bridge" id: "default-cd2ebd739f959754108fff033b0068a696ea6aa7dccb4d11b54926f6fbd152ef" */
MASQUERADE  all  --  0.0.0.0/0           !224.0.0.0/4          /* name: "bridge" id: "default-cd2ebd739f959754108fff033b0068a696ea6aa7dccb4d11b54926f6fbd152ef" */

Chain CNI-25cc9d1fb9cca5dfa023b5b1 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.4.6.0/24          /* name: "grafana_default" id: "default-dc44cf60a6bc51fff024700569eac611f9e2d4345bc6c02719ca359447a2b83d" */
MASQUERADE  all  --  0.0.0.0/0           !224.0.0.0/4          /* name: "grafana_default" id: "default-dc44cf60a6bc51fff024700569eac611f9e2d4345bc6c02719ca359447a2b83d" */

Chain CNI-3e2786167eb469e112186ebc (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.4.0.0/24          /* name: "bridge" id: "default-3d045b79d5a6a71d48baec99ab3a5989f69c7804591b47c477956a8e0f12c744" */
MASQUERADE  all  --  0.0.0.0/0           !224.0.0.0/4          /* name: "bridge" id: "default-3d045b79d5a6a71d48baec99ab3a5989f69c7804591b47c477956a8e0f12c744" */

Chain CNI-44f68401e6e809c86f532dd0 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.4.0.0/24          /* name: "bridge" id: "default-aa9efba258745f1516bd681723c041c29470b32f53961656a1d4c4c315e48fee" */
MASQUERADE  all  --  0.0.0.0/0           !224.0.0.0/4          /* name: "bridge" id: "default-aa9efba258745f1516bd681723c041c29470b32f53961656a1d4c4c315e48fee" */

Chain CNI-5618f94c5ce1b0733977592c (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.4.5.0/24          /* name: "prometheus_default" id: "default-86d9632cceb1864e1c1ccb01ec98514a370ef33a0ef0dbd019b65fc7f1061b48" */
MASQUERADE  all  --  0.0.0.0/0           !224.0.0.0/4          /* name: "prometheus_default" id: "default-86d9632cceb1864e1c1ccb01ec98514a370ef33a0ef0dbd019b65fc7f1061b48" */

Chain CNI-DN-25cc9d1fb9cca5dfa023b (1 references)
target     prot opt source               destination         
CNI-HOSTPORT-SETMARK  tcp  --  10.4.6.0/24          0.0.0.0/0            tcp dpt:5555
CNI-HOSTPORT-SETMARK  tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:5555
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5555 to:10.4.6.36:3000

Chain CNI-DN-5618f94c5ce1b07339775 (1 references)
target     prot opt source               destination         
CNI-HOSTPORT-SETMARK  tcp  --  10.4.5.0/24          0.0.0.0/0            tcp dpt:7070
CNI-HOSTPORT-SETMARK  tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:7070
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:7070 to:10.4.5.13:9090

Chain CNI-DN-cde09b3b5a187c320e2b7 (1 references)
target     prot opt source               destination         
CNI-HOSTPORT-SETMARK  tcp  --  10.4.0.0/24          0.0.0.0/0            tcp dpt:8787
CNI-HOSTPORT-SETMARK  tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:8787
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8787 to:10.4.0.248:8787

Chain CNI-DN-e051b4354002202cf9ffd (1 references)
target     prot opt source               destination         
CNI-HOSTPORT-SETMARK  tcp  --  10.4.0.0/24          0.0.0.0/0            tcp dpt:9090
CNI-HOSTPORT-SETMARK  tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:9090
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9090 to:10.4.0.177:8080

Chain CNI-DN-e75ab7614e7b86cfb175e (2 references)
target     prot opt source               destination         
CNI-HOSTPORT-SETMARK  tcp  --  10.4.0.0/24          0.0.0.0/0            tcp dpt:9080
CNI-HOSTPORT-SETMARK  tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:9080
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9080 to:10.4.0.220:8080
CNI-HOSTPORT-SETMARK  tcp  --  10.4.0.0/24          0.0.0.0/0            tcp dpt:7881
CNI-HOSTPORT-SETMARK  tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:7881
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:7881 to:10.4.0.220:6881
CNI-HOSTPORT-SETMARK  udp  --  10.4.0.0/24          0.0.0.0/0            udp dpt:7881
CNI-HOSTPORT-SETMARK  udp  --  127.0.0.1            0.0.0.0/0            udp dpt:7881
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:7881 to:10.4.0.220:6881

Chain CNI-HOSTPORT-DNAT (2 references)
target     prot opt source               destination         
CNI-DN-25cc9d1fb9cca5dfa023b  tcp  --  0.0.0.0/0            0.0.0.0/0            /* dnat name: "grafana_default" id: "default-dc44cf60a6bc51fff024700569eac611f9e2d4345bc6c02719ca359447a2b83d" */ multiport dports 5555
CNI-DN-e051b4354002202cf9ffd  tcp  --  0.0.0.0/0            0.0.0.0/0            /* dnat name: "bridge" id: "default-1090fb50ef07af464aca7fe0c99ffc7ebb00666924f5563b6c4d225ff30e183d" */ multiport dports 9090
CNI-DN-5618f94c5ce1b07339775  tcp  --  0.0.0.0/0            0.0.0.0/0            /* dnat name: "prometheus_default" id: "default-86d9632cceb1864e1c1ccb01ec98514a370ef33a0ef0dbd019b65fc7f1061b48" */ multiport dports 7070
CNI-DN-e75ab7614e7b86cfb175e  tcp  --  0.0.0.0/0            0.0.0.0/0            /* dnat name: "bridge" id: "default-145757de9518f035b8f9adbec57ac0daa85610750d4bb3558dbac1355b6147e7" */ multiport dports 9080,7881
CNI-DN-e75ab7614e7b86cfb175e  udp  --  0.0.0.0/0            0.0.0.0/0            /* dnat name: "bridge" id: "default-145757de9518f035b8f9adbec57ac0daa85610750d4bb3558dbac1355b6147e7" */ multiport dports 7881
CNI-DN-cde09b3b5a187c320e2b7  tcp  --  0.0.0.0/0            0.0.0.0/0            /* dnat name: "bridge" id: "default-cb694477e17817d77ada0e66547582fc827e6d3b3bcf9ef2755aa004695e3662" */ multiport dports 8787

Chain CNI-HOSTPORT-MASQ (1 references)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x2000/0x2000

Chain CNI-HOSTPORT-SETMARK (14 references)
target     prot opt source               destination         
MARK       all  --  0.0.0.0/0            0.0.0.0/0            /* CNI portfwd masquerade mark */ MARK or 0x2000

Chain CNI-a1a3b970ea04ce30791623c1 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.4.0.0/24          /* name: "bridge" id: "default-75b42901743ecabc618466d8de2d5dae720aa2d2698a9f1e48506b5787b4ecbe" */
MASQUERADE  all  --  0.0.0.0/0           !224.0.0.0/4          /* name: "bridge" id: "default-75b42901743ecabc618466d8de2d5dae720aa2d2698a9f1e48506b5787b4ecbe" */

Chain CNI-b3f19f60df276d40982d25d1 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.4.0.0/24          /* name: "bridge" id: "default-c05943d4f3088bce0bcb8f0af55ba050573ec23e9381348f322b9bed01bc3537" */
MASQUERADE  all  --  0.0.0.0/0           !224.0.0.0/4          /* name: "bridge" id: "default-c05943d4f3088bce0bcb8f0af55ba050573ec23e9381348f322b9bed01bc3537" */

Chain CNI-cabbcdf2359934d8654c9443 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.4.4.0/24          /* name: "utorrent_default" id: "default-0e06555195caab62bafd28dba973433670005b871486619df08d902b44e29f7f" */
MASQUERADE  all  --  0.0.0.0/0           !224.0.0.0/4          /* name: "utorrent_default" id: "default-0e06555195caab62bafd28dba973433670005b871486619df08d902b44e29f7f" */

Chain CNI-cde09b3b5a187c320e2b7701 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.4.0.0/24          /* name: "bridge" id: "default-cb694477e17817d77ada0e66547582fc827e6d3b3bcf9ef2755aa004695e3662" */
MASQUERADE  all  --  0.0.0.0/0           !224.0.0.0/4          /* name: "bridge" id: "default-cb694477e17817d77ada0e66547582fc827e6d3b3bcf9ef2755aa004695e3662" */

Chain CNI-d2170d7c041eaf9aafda1faa (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.4.0.0/24          /* name: "bridge" id: "default-f8393a3f6d51ea62224015f459736b8de8bd827533a25799da7258a12032d238" */
MASQUERADE  all  --  0.0.0.0/0           !224.0.0.0/4          /* name: "bridge" id: "default-f8393a3f6d51ea62224015f459736b8de8bd827533a25799da7258a12032d238" */

Chain CNI-e051b4354002202cf9ffdb52 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.4.0.0/24          /* name: "bridge" id: "default-1090fb50ef07af464aca7fe0c99ffc7ebb00666924f5563b6c4d225ff30e183d" */
MASQUERADE  all  --  0.0.0.0/0           !224.0.0.0/4          /* name: "bridge" id: "default-1090fb50ef07af464aca7fe0c99ffc7ebb00666924f5563b6c4d225ff30e183d" */

Chain CNI-e4eacdf53789f7f4a4a8008a (27 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.4.0.0/24          /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */
MASQUERADE  all  --  0.0.0.0/0           !224.0.0.0/4          /* name: "bridge" id: "default-b3b924ccb081cc892f2cf0a45d1c7de0752e59d9ebf70a6386d543c1fdcf9cad" */

Chain CNI-e75ab7614e7b86cfb175ebc9 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.4.0.0/24          /* name: "bridge" id: "default-145757de9518f035b8f9adbec57ac0daa85610750d4bb3558dbac1355b6147e7" */
MASQUERADE  all  --  0.0.0.0/0           !224.0.0.0/4          /* name: "bridge" id: "default-145757de9518f035b8f9adbec57ac0daa85610750d4bb3558dbac1355b6147e7" */

Chain CNI-f6dc221730d77da4fcbf8bee (3 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.4.2.0/24          /* name: "qbit_default" id: "default-b2a772d9d1b161b98775f1156d188912dd7e6b25b07b25e427e049070d8de227" */
MASQUERADE  all  --  0.0.0.0/0           !224.0.0.0/4          /* name: "qbit_default" id: "default-b2a772d9d1b161b98775f1156d188912dd7e6b25b07b25e427e049070d8de227" */

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

0 replies

Zheaoli · 2023-03-29T14:36:05Z

Zheaoli
Mar 29, 2023
Maintainer

Seems you have Docker on your machine. I think there would be rule conflict here

DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
CNI-HOSTPORT-DNAT  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

2 replies

AkihiroSuda Mar 31, 2023
Maintainer

Using rootless mode seems to work as a workaround.

AkihiroSuda Mar 31, 2023
Maintainer

Wondering if this is a recent regression of CNI or Docker?
I think it was previously working.

kubefay · 2023-03-30T00:00:38Z

kubefay
Mar 30, 2023

We find the same problem when nerdctl installed in a host with docker

0 replies

Zheaoli · 2023-03-30T15:00:15Z

Zheaoli
Mar 30, 2023
Maintainer

I think the root cause has been figured out. I will close the issue first. Feel free to reopen it if you have any problems

0 replies

tboevil · 2023-06-21T09:03:14Z

tboevil
Jun 21, 2023

The reason is that docker will modify the default strategy of FORWARD： Chain FORWARD (policy DROP)

https://docs.docker.com/network/packet-filtering-firewalls/#docker-on-a-router

1 reply

tboevil Jun 21, 2023

iptables -I DOCKER-USER -j ACCEPT work for me，But it will cause the firewall plugin to fail forever，if you need firewall plugin，you need to ensure the order of CNI-FORWARD and DOCKER-USER inside FORWARD Chain

Can't access the exposed port from LAN in bridge mode. #2142

Uh oh!

Uh oh!

Eucliddd Mar 27, 2023

Description

Steps to reproduce the issue

Describe the results you received and expected

What version of nerdctl are you using?

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

Host information

Replies: 16 comments · 3 replies

Uh oh!

Zheaoli Mar 27, 2023 Maintainer

Uh oh!

Eucliddd Mar 28, 2023 Author

Uh oh!

Eucliddd Mar 28, 2023 Author

Uh oh!

fahedouch Mar 28, 2023 Maintainer

Uh oh!

Eucliddd Mar 28, 2023 Author

Uh oh!

Uh oh!

fahedouch Mar 28, 2023 Maintainer

Uh oh!

Uh oh!

fahedouch Mar 28, 2023 Maintainer

Uh oh!

Zheaoli Mar 28, 2023 Maintainer

Uh oh!

Eucliddd Mar 29, 2023 Author

Uh oh!

Eucliddd Mar 29, 2023 Author

Uh oh!

Zheaoli Mar 29, 2023 Maintainer

Uh oh!

Eucliddd Mar 29, 2023 Author

Uh oh!

Zheaoli Mar 29, 2023 Maintainer

Uh oh!

AkihiroSuda Mar 31, 2023 Maintainer

Uh oh!

AkihiroSuda Mar 31, 2023 Maintainer

Uh oh!

kubefay Mar 30, 2023

Uh oh!

Zheaoli Mar 30, 2023 Maintainer

Uh oh!

tboevil Jun 21, 2023

Uh oh!

Uh oh!

tboevil Jun 21, 2023

Eucliddd
Mar 27, 2023

Replies: 16 comments 3 replies

Zheaoli
Mar 27, 2023
Maintainer

Eucliddd
Mar 28, 2023
Author

Eucliddd
Mar 28, 2023
Author

fahedouch
Mar 28, 2023
Maintainer

Eucliddd
Mar 28, 2023
Author

fahedouch
Mar 28, 2023
Maintainer

fahedouch
Mar 28, 2023
Maintainer

Zheaoli
Mar 28, 2023
Maintainer

Eucliddd
Mar 29, 2023
Author

Eucliddd
Mar 29, 2023
Author

Zheaoli
Mar 29, 2023
Maintainer

Eucliddd
Mar 29, 2023
Author

Zheaoli
Mar 29, 2023
Maintainer

AkihiroSuda Mar 31, 2023
Maintainer

AkihiroSuda Mar 31, 2023
Maintainer

kubefay
Mar 30, 2023

Zheaoli
Mar 30, 2023
Maintainer

tboevil
Jun 21, 2023