Curl from container A to B blocked

I use traefik as a reverse proxy for Docker containers.

Consider 2 containers with having subdomain A and Subdomain B of which is pointing to the proxy.

  1. Log into container of subdomain A docker exec -it containerA bash
  2. perform curl -v ---> this will not work
  3. ping from inside of containerA does resolve to correct IP of host...

Any traffic coming from the backend seems to be blocked from traefik, can't see what I'm doing wrong.

Background: trying to authorize an app using the absolute url.

Using 1.7 and an average setup.
Thanks for help!

Hi @b0r1sp, can you provide us a reproduction example to help?
Because without seeing your Docker configuration and outputs, it is hard to guess the issue (Output of docker info, any docker * commands you used, or the docker-compose.yml file, output of ping -c3 and curl -v ...).

For information, ping works at the "Address" layer (3 - IP). As it triggers DNS requests for solving domains, it shows that the DNS resolution is working in containerA. But then, you need the verify that:

  • The port 80 (I assume HTTP based on the curl command you provided) is used on the Host's netowrk interface, by Traefik, and that Tarefik has an entrypoint configured to receive traffic on this 80
  • There is no firewall blocking requests from the container to the host's IP

Also, when you say:

curl -v ---> this will not work

What do you mean by "not working"? What is the error you see?

Sorry, for not being specific enough! :grimacing:
It's a working setup with traefik as reverse proxy listening on ports 80 and 443. Containers in the backend share the same network as the proxy. Basically it is the same setup as described here:

Assume that both containers in the backends are nginx servers and I'd need to curl the domain of container B, but from inside container A.

  1. Results from inside container A (docker exec -it containerA bash)

curl -v ----> results in a timeout.

*   Trying

curl -v b (assuming 'b' is the hostname of container B) -----> success

* Rebuilt URL to: b/
* Trying
* Connected to b ( port 80 (#0)
> GET / HTTP/1.1
> Host: b
> User-Agent: curl/7.58.0
> Accept: */*
  1. Results from internet e.g. my local machine:

curl -v ------> success

* Trying
* Connected to ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* ....

My problem is to understand what are the troubles in case 1a). I know this is something network related but can't get my head around it.

Hi @b0r1sp, can you share your docker-compose.yml please, without more context I cannot help, only guess on the wild...

FYI, the error of the curl in 1)a. is related to the transport level: your container is not able to establish a connexion to the IP on the port 80. My guess is that you are using Docker inside a virtual machine (Docker4Mac, docker-machine, Docker4Windows), etc., and that VM is not able to route network packets to this IP (or is not allowed by your host FW). Can you detail more your config here?

Also, assuming that Traefik is running in a container and its port 80 is published on all interfaces visible to the Docker Engine (e.g. docker run -p 80:80 ... or

  - "80:80"

in docker compose), then you might want to try the following curl command:

curl -v -H "Host:"

where is the IP of the interface docker0 that might change on your configuration. You can retrieve this IP with this command: docker run --rm -ti alpine ip route | grep default.

Thanks for help.

No, I'm on a Linode machine.

Result of curl -v -H "Host:" (from host machine)

* Rebuilt URL to:
*   Trying
* Connected to ( port 80 (#0)
> GET / HTTP/1.1
> Host:
> User-Agent: curl/7.47.0
> Accept: */*
< HTTP/1.1 302 Found
< Location:
< Date: Fri, 26 Jul 2019 16:20:41 GMT
< Content-Length: 5
< Content-Type: text/plain; charset=utf-8
* Connection #0 to host left intact

Same result for curl -v -H "Host:"

Relevant part of docker-compose file of container A or B:

version: '2'

        - traefik.b.frontend.redirect.entryPoint=https
        - traefik.b.frontend.entryPoints=http,https
        - traefik.port=80
        - traefik.enable=true
    external: true

docker-compose traefik:

version: '2'

    image: traefik:1.7-alpine
    container_name: traefik
    restart: unless-stopped
      - 80:80
      - 443:443
      - proxy
      - /var/run/docker.sock:/var/run/docker.sock
      - ./conf/traefik.toml:/traefik.toml
      - ./conf/acme.json:/acme.json

    external: true

curl -v -H "Host:" from inside container A gives still a timeout.

BTW: curl -v from inside container is working...

  • Can you give use the whole docker-compose.yml for the services a and b please? We need to know their configuration, particularly for network and DNS.
  • The fact that the container for service A can reach Internet but not the IP means that there is an iptable rule blocking "egress" communication to this network segment. Can you give us the result of (for all containers):

ip route && ip addr


For information, your issue is absolutely not related to Traefik, as you saw that it's working. This is related to the combined network of your Linode + Docker machine.

curl -v -H "Host:" from host is working.

Here you are:

version: '2'

    image: nginx:1.10
      - ''
      - ''
      - 'traefik.ngnxa.frontend.redirect.entryPoint=https'
      - 'traefik.ngnxa.frontend.entryPoints=http,https'
      - 'traefik.ngnxa.port=80'
      - 'traefik.enable=true'
      - ''
      - proxy

    image: nginx:1.10
      - ''
      - ''
      - 'traefik.ngnxb.frontend.redirect.entryPoint=https'
      - 'traefik.ngnxb.frontend.entryPoints=http,https'
      - 'traefik.ngnxb.port=80'
      - 'traefik.enable=true'
      - ''
      - proxy
    external: true

ip route and ip addr from within container:

ip route && ip addr
default via dev eth0 dev eth0  proto kernel  scope link  src 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
254: eth0@if255: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:1b:00:0a brd ff:ff:ff:ff:ff:ff
    inet scope global eth0
       valid_lft forever preferred_lft forever

Based on your configuration, there should not be any timeout, as the IP is the gateway.
So chances are great that there is a firewall rule blocking "egress" requests from the container to the docker0 interface itself.

What is the result of curl -v -H "Host:" http://traefik:80 from inside the container of a?

Yes, but this is different: this is an "ingress" traffic from the host, to the docker0 interface. Your issue here is that there is something blocking the traffic from the virtual interface of the container a, only when it reaches diretly the interfaces of your host (either , either docker0).

If you (temporarly of course :slight_smile: ) disable the firewall of this machine, does it work?

I confirm that I tested your example on:

  • Docker4Mac
  • Docker4Windows
  • Ubuntu 18.10 with Docker CE
  • Centos 7 with Docker CE

in the 4 cases, I was able to reach the IP from nginx, and when DNS resolution was correctly configured (either with /etc/hosts or with a DNS server outside the host), it was working.

So you did well on the configuration of docker-compose files :slight_smile:

Aah, ok, the fw was the right hint, I can see some light now :slight_smile:

Disabling ufw enables curl to fetch the url from within any container as desired.

Poking in iptables, seems to me that docker itself messes a lot with iptables.

# Generated by iptables-save v1.6.0 on Fri Jul 26 20:38:50 2019
:PREROUTING ACCEPT [13668:827441]
:INPUT ACCEPT [77:4420]
:OUTPUT ACCEPT [99:6960]
:POSTROUTING ACCEPT [13917:835808]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s ! -o br-ca7b7c08bf3c -j MASQUERADE
-A POSTROUTING -s ! -o docker0 -j MASQUERADE
-A POSTROUTING -s ! -o br-abc609f0ea86 -j MASQUERADE
-A POSTROUTING -s ! -o br-a89c49db4383 -j MASQUERADE
-A POSTROUTING -s ! -o br-87765bee779b -j MASQUERADE
-A POSTROUTING -s ! -o br-857ba8b02838 -j MASQUERADE
-A POSTROUTING -s ! -o br-4ba1e16d8cda -j MASQUERADE
-A POSTROUTING -s ! -o br-e34a8729d703 -j MASQUERADE
-A POSTROUTING -s ! -o br-be3a229dad61 -j MASQUERADE
-A POSTROUTING -s -d -p tcp -m tcp --dport 22 -j MASQUERADE
-A POSTROUTING -s -d -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s -d -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i br-ca7b7c08bf3c -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-abc609f0ea86 -j RETURN
-A DOCKER -i br-a89c49db4383 -j RETURN
-A DOCKER -i br-87765bee779b -j RETURN
-A DOCKER -i br-857ba8b02838 -j RETURN
-A DOCKER -i br-4ba1e16d8cda -j RETURN
-A DOCKER -i br-e34a8729d703 -j RETURN
-A DOCKER -i br-be3a229dad61 -j RETURN
-A DOCKER ! -i br-e34a8729d703 -p tcp -m tcp --dport 10022 -j DNAT --to-destination
-A DOCKER ! -i br-be3a229dad61 -p tcp -m tcp --dport 443 -j DNAT --to-destination
-A DOCKER ! -i br-be3a229dad61 -p tcp -m tcp --dport 80 -j DNAT --to-destination
# Completed on Fri Jul 26 20:38:50 2019
# Generated by iptables-save v1.6.0 on Fri Jul 26 20:38:50 2019
:INPUT DROP [98:5705]
:DOCKER - [0:0]
:f2b-sshd - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -o br-ca7b7c08bf3c -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-ca7b7c08bf3c -j DOCKER
-A FORWARD -i br-ca7b7c08bf3c ! -o br-ca7b7c08bf3c -j ACCEPT
-A FORWARD -i br-ca7b7c08bf3c -o br-ca7b7c08bf3c -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-abc609f0ea86 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-abc609f0ea86 -j DOCKER
-A FORWARD -i br-abc609f0ea86 ! -o br-abc609f0ea86 -j ACCEPT
-A FORWARD -i br-abc609f0ea86 -o br-abc609f0ea86 -j ACCEPT
-A FORWARD -o br-a89c49db4383 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-a89c49db4383 -j DOCKER
-A FORWARD -i br-a89c49db4383 ! -o br-a89c49db4383 -j ACCEPT
-A FORWARD -i br-a89c49db4383 -o br-a89c49db4383 -j ACCEPT
-A FORWARD -o br-87765bee779b -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-87765bee779b -j DOCKER
-A FORWARD -i br-87765bee779b ! -o br-87765bee779b -j ACCEPT
-A FORWARD -i br-87765bee779b -o br-87765bee779b -j ACCEPT
-A FORWARD -o br-857ba8b02838 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-857ba8b02838 -j DOCKER
-A FORWARD -i br-857ba8b02838 ! -o br-857ba8b02838 -j ACCEPT
-A FORWARD -i br-857ba8b02838 -o br-857ba8b02838 -j ACCEPT
-A FORWARD -o br-4ba1e16d8cda -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-4ba1e16d8cda -j DOCKER
-A FORWARD -i br-4ba1e16d8cda ! -o br-4ba1e16d8cda -j ACCEPT
-A FORWARD -i br-4ba1e16d8cda -o br-4ba1e16d8cda -j ACCEPT
-A FORWARD -o br-e34a8729d703 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e34a8729d703 -j DOCKER
-A FORWARD -i br-e34a8729d703 ! -o br-e34a8729d703 -j ACCEPT
-A FORWARD -i br-e34a8729d703 -o br-e34a8729d703 -j ACCEPT
-A FORWARD -o br-be3a229dad61 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-be3a229dad61 -j DOCKER
-A FORWARD -i br-be3a229dad61 ! -o br-be3a229dad61 -j ACCEPT
-A FORWARD -i br-be3a229dad61 -o br-be3a229dad61 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -d ! -i br-e34a8729d703 -o br-e34a8729d703 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d ! -i br-be3a229dad61 -o br-be3a229dad61 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d ! -i br-be3a229dad61 -o br-be3a229dad61 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION -i br-87765bee779b -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o docker0 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i br-87765bee779b -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i br-87765bee779b -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -i br-87765bee779b -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-87765bee779b -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-87765bee779b -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-87765bee779b -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-87765bee779b -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o br-be3a229dad61 -j DROP
-A f2b-sshd -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j ACCEPT
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 2375 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 8080 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 10080 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 9418 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9418 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
# Completed on Fri Jul 26 20:38:50 2019

thx :slight_smile:
And thanks for your time, much appreciated.

# curl -v -H "Host:" http://traefik:80
* Rebuilt URL to: http://traefik:80/
* Hostname was NOT found in DNS cache
*   Trying
* Connected to traefik ( port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.38.0
> Accept: */*
> Host:
< HTTP/1.1 302 Found
< Location:
< Date: Sat, 27 Jul 2019 11:13:40 GMT
< Content-Length: 5
< Content-Type: text/plain; charset=utf-8
* Connection #0 to host traefik left intact

Oh, yes, it looks like iptable is overloaded o_0.
It's nice to see your problem is tight down to this.

You might want to stop all the running containers (or as much as possible if it is production), stop the Docker Engine, remove and flush all iptables rules, enable ufw and start again. Maybe a host reboot could do this properly?

So then you could be able to work again with your setup working :slight_smile: