Docker port mapping and external inaccessibility issues

The Docker container provides services and listens to port 8888. To make it accessible from the outside, port mapping is required.

docker run -it --rm -p 8888:8888 server:v1

A problem occurs at this point. After deployment on virtual machine A, the 8888 port service can be accessed in A, but not in B.

This should be due to the request being intercepted.

1. Check firewall-cmd --state

If the output is "not running", FirewallD is not running and all protection policies are not started. In this case, the firewall can be ruled out as blocking the connection.

If the output is "running", it means that FirewallD is currently running. You need to enter the following command to view which ports and services are currently open:

firewall-cmd --list-ports
firewall-cmd --list-services

There are two solutions:

1. Turn off the FirewallD service:

If you don't need a firewall, just turn off the FirewallD service.

systemctl stop firewalld.service

2. Add a policy to open the specified port to the outside world:

For example, if we want to open the external 5000/tcp port, we can use the following command:

firewall-cmd --add-port=5000/tcp --permanent
firewall-cmd --reload

If you only want to open the port temporarily, remove the "--permanent" parameter in the first line of the command. Then when you restart the FirewallD service again, this policy will become invalid.

2. IP forwarding is not turned on

sysctl net.ipv4.ip_forward

If net.ipv4.ip_forward=0 is displayed, it is not enabled.

3. Service iptables is turned on and blocked

You can turn off service iptables

service iptables stop

If an error occurs when running docker:

iptables: No chain/target/match by that name.

Then just restart the docker service

service docker restart

or:

#Set the iptables firewall as a startup item systemctl enable iptables.service

#Start the firewall to make the configuration file effective systemctl start iptables.service

#Stop the firewall systemctl stop iptables.service

#Restart the firewall to make the configuration file take effect systemctl restart iptables.service

Final version:

After starting docker and mapping ports, docker will add DNAT rules in iptables to convert the packets received from the corresponding port to IP and forward them. At the same time, rules will be added to convert all IPs from the docker domain.

However, on Centos7, docker can access the external network normally, but the request sent from the external network cannot be delivered to docker0 after being received and forwarded by eth1, or it is delivered but the (oui Unknown) situation appears. It is not clear why the data cannot be delivered to docker0 after DNAT.

The final solution is to restart iptables after starting docker

service iptables restart

Clear all rules added by docker, and then add rules

iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

Replace the IP address of all packages 172.17.0.0/16 from Docker with the local IP address and send them to achieve the purpose of Docker accessing the external network.

This is the end of this article about docker port mapping and external inaccessibility. For more information about docker port mapping and external access, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!