b0r1sp
July 26, 2019, 1:12pm
1
I use traefik as a reverse proxy for Docker containers.
Consider 2 containers having subdomain A and subdomain B of example.com, which is pointing to the proxy.
Log into the container of subdomain A: docker exec -it containerA bash
perform curl -v b.example.com
---> this will not work
ping b.example.com from inside of containerA does resolve to the correct IP of the host...
Any traffic coming from the backend seems to be blocked by traefik, can't see what I'm doing wrong.
Background: trying to authorize an app using the absolute url.
Using 1.7 and an average setup.
Thanks for help!
Hi @b0r1sp, can you provide us a reproduction example to help?
Because without seeing your Docker configuration and outputs, it is hard to guess the issue (output of docker info, any docker * commands you used, or the docker-compose.yml file, output of ping -c3 b.example.com and curl -v ...).
For information, ping works at the "Address" layer (3 - IP). As it triggers DNS requests for resolving domains, it shows that the DNS resolution is working in containerA. But then, you need to verify that:
The port 80 (I assume HTTP based on the curl command you provided) is used on the host's network interface by Traefik, and that Traefik has an entrypoint configured to receive traffic on this port 80
There is no firewall blocking requests from the container to the host's IP
Also, when you say:
curl -v b.example.com
---> this will not work
What do you mean by "not working"? What is the error you see?
b0r1sp
July 26, 2019, 3:51pm
3
Sorry, for not being specific enough!
It's a working setup with traefik as reverse proxy listening on ports 80 and 443. Containers in the backend share the same network as the proxy. Basically it is the same setup as described here: https://docs.traefik.io/user-guide/docker-and-lets-encrypt/
Assume that both containers in the backends are nginx servers and I'd need to curl the domain of container B, but from inside container A.
Results from inside container A (docker exec -it containerA bash)
a)
curl -v b.example.com
----> results in a timeout.
stdout:
* Trying 139.xxx.171.xx...
* TCP_NODELAY set
b)
curl -v b (assuming 'b' is the hostname of container B) -----> success
stdout:
* Rebuilt URL to: b/
* Trying 172.27.0.6...
* TCP_NODELAY set
* Connected to b (172.27.0.6) port 80 (#0)
> GET / HTTP/1.1
> Host: b
> User-Agent: curl/7.58.0
> Accept: */*
Results from internet e.g. my local machine:
curl -v b.example.com
------> success
stdout:
* Trying 139.xxx.171.xx...
* TCP_NODELAY set
* Connected to b.example.com (139.xxx.171.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* ....
My problem is to understand what are the troubles in case 1a). I know this is something network related but can't get my head around it.
Hi @b0r1sp, can you share your docker-compose.yml please? Without more context I cannot help, only guess in the wild...
FYI, the error of the curl in 1)a. is related to the transport level: your container is not able to establish a connection to the IP 139.xxx.171.xx... on the port 80. My guess is that you are using Docker inside a virtual machine (Docker4Mac, docker-machine, Docker4Windows, etc.), and that VM is not able to route network packets to this IP (or is not allowed by your host FW). Can you give more details on your config here?
Also, assuming that Traefik is running in a container and its port 80 is published on all interfaces visible to the Docker Engine (e.g. docker run -p 80:80 ... or ports: - "80:80" in docker compose), then you might want to try the following curl command:
curl -v -H "Host: a.example.com" http://172.17.0.1:80
where 172.17.0.1 is the IP of the interface docker0, which might differ on your configuration. You can retrieve this IP with this command: docker run --rm -ti alpine ip route | grep default
b0r1sp
July 26, 2019, 4:23pm
5
Thanks for help.
dduportal:
FYI, the error of the curl in 1)a. is related to the transport level: your container is not able to establish a connection to the IP 139.xxx.171.xx... on the port 80. My guess is that you are using Docker inside a virtual machine (Docker4Mac, docker-machine, Docker4Windows), etc.,
No, I'm on a Linode machine.
Result of curl -v -H "Host: a.example.com" http://172.17.0.1:80 (from host machine)
* Rebuilt URL to: http://172.17.0.1:80/
* Trying 172.17.0.1...
* Connected to 172.17.0.1 (172.17.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: a.example.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Location: https://a.example.com:443/
< Date: Fri, 26 Jul 2019 16:20:41 GMT
< Content-Length: 5
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host 172.17.0.1 left intact
Same result for curl -v -H "Host: b.example.com" http://172.17.0.1:80
Relevant part of docker-compose file of container A or B:
version: '2'
services:
  ....
    labels:
      - traefik.b.backend=b.example.com
      - traefik.b.frontend.rule=Host:b.example.com
      - traefik.b.frontend.redirect.entryPoint=https
      - traefik.b.frontend.entryPoints=http,https
      - traefik.port=80
      - traefik.enable=true
      - traefik.docker.network=proxy
networks:
  proxy:
    external: true
docker-compose traefik:
version: '2'
services:
  traefik:
    image: traefik:1.7-alpine
    container_name: traefik
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./conf/traefik.toml:/traefik.toml
      - ./conf/acme.json:/acme.json
networks:
  proxy:
    external: true
b0r1sp
July 26, 2019, 4:33pm
6
curl -v -H "Host: b.example.com" http://172.17.0.1:80 from inside container A still gives a timeout.
b0r1sp
July 26, 2019, 4:40pm
7
BTW: curl -v google.com from inside the container is working...
Can you give us the whole docker-compose.yml for the services a and b please? We need to know their configuration, particularly for network and DNS.
The fact that the container for service A can reach the Internet but not the IP 172.17.0.1 means that there is an iptables rule blocking "egress" communication to this network segment. Can you give us the result of (for all containers):
ip route && ip addr
please?
For information, your issue is absolutely not related to Traefik, as you saw that it's working. This is related to the combined network of your Linode + Docker machine.
b0r1sp
July 26, 2019, 6:12pm
9
curl -v -H "Host: b.example.com" http://172.17.0.1:80 from host is working.
Here you are:
version: '2'
services:
  nginx-a:
    image: nginx:1.10
    labels:
      - 'traefik.ngnxa.backend=test-a.example.com'
      - 'traefik.ngnxa.frontend.rule=Host:test-a.example.com'
      - 'traefik.ngnxa.frontend.redirect.entryPoint=https'
      - 'traefik.ngnxa.frontend.entryPoints=http,https'
      - 'traefik.ngnxa.port=80'
      - 'traefik.enable=true'
      - 'traefik.docker.network=proxy'
    networks:
      - proxy
  nginx-b:
    image: nginx:1.10
    labels:
      - 'traefik.ngnxb.backend=test-b.example.com'
      - 'traefik.ngnxb.frontend.rule=Host:test-b.example.com'
      - 'traefik.ngnxb.frontend.redirect.entryPoint=https'
      - 'traefik.ngnxb.frontend.entryPoints=http,https'
      - 'traefik.ngnxb.port=80'
      - 'traefik.enable=true'
      - 'traefik.docker.network=proxy'
    networks:
      - proxy
networks:
  proxy:
    external: true
ip route and ip addr from within the container:
ip route && ip addr
default via 172.27.0.1 dev eth0
172.27.0.0/16 dev eth0 proto kernel scope link src 172.27.0.10
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
254: eth0@if255: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:1b:00:0a brd ff:ff:ff:ff:ff:ff
    inet 172.27.0.10/16 scope global eth0
       valid_lft forever preferred_lft forever
Based on your configuration, there should not be any timeout, as the IP 172.17.0.1 is the gateway.
So chances are great that there is a firewall rule blocking "egress" requests from the container to the docker0 interface itself.
What is the result of curl -v -H "Host: a.example.com" http://traefik:80 from inside the container of a?
Yes, but this is different: this is "ingress" traffic from the host to the docker0 interface. Your issue here is that there is something blocking the traffic from the virtual interface of the container a, only when it directly reaches the interfaces of your host (either 134.xxx or docker0).
If you (temporarily of course) disable the firewall of this machine, does it work?
I confirm that I tested your example on:
Docker4Mac
Docker4Windows
Ubuntu 18.10 with Docker CE
Centos 7 with Docker CE
In the 4 cases, I was able to reach the IP from nginx, and when DNS resolution was correctly configured (either with /etc/hosts or with a DNS server outside the host), it was working.
So you did well on the configuration of the docker-compose files.
b0r1sp
July 26, 2019, 8:56pm
12
Aah, ok, the fw was the right hint, I can see some light now.
Disabling ufw enables curl to fetch the URL from within any container as desired.
Poking around in iptables, it seems to me that Docker itself messes a lot with iptables.
# Generated by iptables-save v1.6.0 on Fri Jul 26 20:38:50 2019
*nat
:PREROUTING ACCEPT [13668:827441]
:INPUT ACCEPT [77:4420]
:OUTPUT ACCEPT [99:6960]
:POSTROUTING ACCEPT [13917:835808]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.19.0.0/16 ! -o br-ca7b7c08bf3c -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.16.0/20 ! -o br-abc609f0ea86 -j MASQUERADE
-A POSTROUTING -s 172.30.0.0/16 ! -o br-a89c49db4383 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-87765bee779b -j MASQUERADE
-A POSTROUTING -s 192.168.112.0/20 ! -o br-857ba8b02838 -j MASQUERADE
-A POSTROUTING -s 172.22.0.0/16 ! -o br-4ba1e16d8cda -j MASQUERADE
-A POSTROUTING -s 172.28.0.0/16 ! -o br-e34a8729d703 -j MASQUERADE
-A POSTROUTING -s 172.27.0.0/16 ! -o br-be3a229dad61 -j MASQUERADE
-A POSTROUTING -s 172.28.0.3/32 -d 172.28.0.3/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A POSTROUTING -s 172.27.0.4/32 -d 172.27.0.4/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.27.0.4/32 -d 172.27.0.4/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i br-ca7b7c08bf3c -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-abc609f0ea86 -j RETURN
-A DOCKER -i br-a89c49db4383 -j RETURN
-A DOCKER -i br-87765bee779b -j RETURN
-A DOCKER -i br-857ba8b02838 -j RETURN
-A DOCKER -i br-4ba1e16d8cda -j RETURN
-A DOCKER -i br-e34a8729d703 -j RETURN
-A DOCKER -i br-be3a229dad61 -j RETURN
-A DOCKER ! -i br-e34a8729d703 -p tcp -m tcp --dport 10022 -j DNAT --to-destination 172.28.0.3:22
-A DOCKER ! -i br-be3a229dad61 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.27.0.4:443
-A DOCKER ! -i br-be3a229dad61 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.27.0.4:80
COMMIT
# Completed on Fri Jul 26 20:38:50 2019
# Generated by iptables-save v1.6.0 on Fri Jul 26 20:38:50 2019
*filter
:INPUT DROP [98:5705]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:f2b-sshd - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o br-ca7b7c08bf3c -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-ca7b7c08bf3c -j DOCKER
-A FORWARD -i br-ca7b7c08bf3c ! -o br-ca7b7c08bf3c -j ACCEPT
-A FORWARD -i br-ca7b7c08bf3c -o br-ca7b7c08bf3c -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-abc609f0ea86 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-abc609f0ea86 -j DOCKER
-A FORWARD -i br-abc609f0ea86 ! -o br-abc609f0ea86 -j ACCEPT
-A FORWARD -i br-abc609f0ea86 -o br-abc609f0ea86 -j ACCEPT
-A FORWARD -o br-a89c49db4383 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-a89c49db4383 -j DOCKER
-A FORWARD -i br-a89c49db4383 ! -o br-a89c49db4383 -j ACCEPT
-A FORWARD -i br-a89c49db4383 -o br-a89c49db4383 -j ACCEPT
-A FORWARD -o br-87765bee779b -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-87765bee779b -j DOCKER
-A FORWARD -i br-87765bee779b ! -o br-87765bee779b -j ACCEPT
-A FORWARD -i br-87765bee779b -o br-87765bee779b -j ACCEPT
-A FORWARD -o br-857ba8b02838 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-857ba8b02838 -j DOCKER
-A FORWARD -i br-857ba8b02838 ! -o br-857ba8b02838 -j ACCEPT
-A FORWARD -i br-857ba8b02838 -o br-857ba8b02838 -j ACCEPT
-A FORWARD -o br-4ba1e16d8cda -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-4ba1e16d8cda -j DOCKER
-A FORWARD -i br-4ba1e16d8cda ! -o br-4ba1e16d8cda -j ACCEPT
-A FORWARD -i br-4ba1e16d8cda -o br-4ba1e16d8cda -j ACCEPT
-A FORWARD -o br-e34a8729d703 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e34a8729d703 -j DOCKER
-A FORWARD -i br-e34a8729d703 ! -o br-e34a8729d703 -j ACCEPT
-A FORWARD -i br-e34a8729d703 -o br-e34a8729d703 -j ACCEPT
-A FORWARD -o br-be3a229dad61 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-be3a229dad61 -j DOCKER
-A FORWARD -i br-be3a229dad61 ! -o br-be3a229dad61 -j ACCEPT
-A FORWARD -i br-be3a229dad61 -o br-be3a229dad61 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -d 172.28.0.3/32 ! -i br-e34a8729d703 -o br-e34a8729d703 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 172.27.0.4/32 ! -i br-be3a229dad61 -o br-be3a229dad61 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.27.0.4/32 ! -i br-be3a229dad61 -o br-be3a229dad61 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION -i br-87765bee779b -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-ca7b7c08bf3c -j DROP
-A DOCKER-ISOLATION -i br-ca7b7c08bf3c -o docker0 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i br-87765bee779b -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i br-87765bee779b -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o br-abc609f0ea86 -j DROP
-A DOCKER-ISOLATION -i br-abc609f0ea86 -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -i br-87765bee779b -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o br-a89c49db4383 -j DROP
-A DOCKER-ISOLATION -i br-a89c49db4383 -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-87765bee779b -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-87765bee779b -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-87765bee779b -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o br-87765bee779b -j DROP
-A DOCKER-ISOLATION -i br-87765bee779b -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o br-857ba8b02838 -j DROP
-A DOCKER-ISOLATION -i br-857ba8b02838 -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o br-4ba1e16d8cda -j DROP
-A DOCKER-ISOLATION -i br-4ba1e16d8cda -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -i br-be3a229dad61 -o br-e34a8729d703 -j DROP
-A DOCKER-ISOLATION -i br-e34a8729d703 -o br-be3a229dad61 -j DROP
-A DOCKER-ISOLATION -j RETURN
-A f2b-sshd -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j ACCEPT
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 2375 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 8080 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 10080 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 9418 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9418 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Fri Jul 26 20:38:50 2019
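The dump above explains both observations in the thread, and the reading is worth doing once by hand. In the nat table, `-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER` sends every packet for a host address into the DOCKER chain, where `-A DOCKER ! -i br-be3a229dad61 -p tcp --dport 80 -j DNAT --to-destination 172.27.0.4:80` rewrites traffic from outside to the Traefik container before routing, so it crosses the FORWARD chain, which Docker's `-A FORWARD -o br-be3a229dad61 -j DOCKER` accepts before any `ufw-*-forward` chain is consulted. That is why the site is reachable from the Internet even though `ufw-user-input` only allows 22, 2375, 8080, 10080 and 9418: ufw is not gating the ports Docker publishes at all. A container on the same bridge is excluded from that DNAT by `! -i br-be3a229dad61` (it hits `-A DOCKER -i br-be3a229dad61 -j RETURN` instead), so its SYN to 139.xxx.171.xx:80 stays addressed to the host and goes to INPUT, where nothing matches port 80 and the `:INPUT DROP` policy applies after `ufw-after-logging-input` logs it. The curl from the host works because locally generated traffic traverses OUTPUT, where `ufw-track-output` accepts new TCP connections. If this reading is right, the host's ufw/kernel log should contain `[UFW BLOCK]` entries with SRC=172.27.0.10 and DPT=80 for each timed-out attempt.

The script below is an added example, not code from the thread or from Docker or ufw. It parses an `iptables-save` dump (a constructed, abridged excerpt of the one posted above is embedded inline), lists the ports Docker DNATs, checks each against the ports `ufw-user-input` accepts and the INPUT policy, and reports which published ports are open to the outside regardless of ufw and which will time out for a container on the publishing bridge. The regexes match the rule forms in this dump; other Docker or ufw versions may emit slightly different rule text.

```python
"""Audit an iptables-save dump for Docker-published ports that ufw never allowed.

Added example for the thread above; not code from Docker, ufw or Traefik.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed, abridged excerpt of the iptables-save output posted in the thread
# (same rule forms; most bridges and most ufw chains omitted).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-be3a229dad61 -j RETURN
-A DOCKER ! -i br-e34a8729d703 -p tcp -m tcp --dport 10022 -j DNAT --to-destination 172.28.0.3:22
-A DOCKER ! -i br-be3a229dad61 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.27.0.4:443
-A DOCKER ! -i br-be3a229dad61 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.27.0.4:80
COMMIT
*filter
:INPUT DROP [98:5705]
:FORWARD ACCEPT [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-user-input
-A FORWARD -o br-e34a8729d703 -j DOCKER
-A FORWARD -o br-be3a229dad61 -j DOCKER
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 2375 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
"""

# Docker's published-port DNAT: note the "! -i <bridge>" that excludes hairpin traffic.
DNAT_RE = re.compile(
    r"^-A DOCKER ! -i (?P<bridge>\S+) -p (?P<proto>tcp|udp) -m (?:tcp|udp) "
    r"--dport (?P<port>\d+) -j DNAT --to-destination (?P<dst>\S+)$"
)
# Ports the administrator opened with "ufw allow"; these only matter on INPUT.
UFW_ACCEPT_RE = re.compile(
    r"^-A ufw-user-input -p (?P<proto>tcp|udp) -m (?:tcp|udp) --dport (?P<port>\d+) -j ACCEPT$"
)
# Docker's hook that accepts forwarded traffic towards a bridge before ufw's FORWARD chains.
FORWARD_HOOK_RE = re.compile(r"^-A FORWARD -o (?P<bridge>\S+) -j DOCKER$")
INPUT_POLICY_RE = re.compile(r"^:INPUT (?P<policy>[A-Z]+) ")


@dataclass(frozen=True)
class Finding:
    port: str                 # as published on the host, e.g. "80/tcp"
    bridge: str               # bridge excluded from the DNAT by "! -i"
    destination: str          # container ip:port the DNAT rewrites to
    ufw_allows: bool          # does ufw-user-input ACCEPT this port on INPUT?
    external_reachable: bool  # DNAT plus FORWARD hook: open from outside regardless of ufw
    hairpin_blocked: bool     # a container on `bridge` lands in INPUT and is dropped there


def split_tables(dump: str) -> dict[str, list[str]]:
    """Group iptables-save rule lines by table (nat, filter, ...), dropping comments."""
    tables: dict[str, list[str]] = {}
    current = None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()
            tables[current] = []
        elif line == "COMMIT":
            current = None
        elif current is not None and not line.startswith("#"):
            tables[current].append(line)
    return tables


def ufw_allowed_ports(dump: str) -> set[tuple[str, int]]:
    """(proto, port) pairs accepted by ufw-user-input."""
    return {(m["proto"], int(m["port"]))
            for line in split_tables(dump).get("filter", [])
            if (m := UFW_ACCEPT_RE.match(line))}


def input_policy(dump: str) -> str:
    for line in split_tables(dump).get("filter", []):
        m = INPUT_POLICY_RE.match(line)
        if m:
            return m["policy"]
    return "ACCEPT"  # iptables default when no policy line is present


def audit(dump: str) -> list[Finding]:
    """One Finding per port Docker publishes, in the order of the DNAT rules."""
    tables = split_tables(dump)
    allowed = ufw_allowed_ports(dump)
    policy = input_policy(dump)
    hooked = {m["bridge"] for line in tables.get("filter", []) if (m := FORWARD_HOOK_RE.match(line))}
    findings = []
    for line in tables.get("nat", []):
        m = DNAT_RE.match(line)
        if not m:
            continue
        proto, port = m["proto"], int(m["port"])
        ufw_ok = (proto, port) in allowed
        findings.append(Finding(
            port=f"{port}/{proto}",
            bridge=m["bridge"],
            destination=m["dst"],
            ufw_allows=ufw_ok,
            external_reachable=m["bridge"] in hooked,
            # Without DNAT the hairpin SYN is a local delivery: INPUT decides, and only
            # a ufw-user-input ACCEPT (or an ACCEPT policy) lets it through.
            hairpin_blocked=(not ufw_ok) and policy != "ACCEPT",
        ))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        print(f"{f.port:>10} -> {f.destination:<18} ufw allows: {str(f.ufw_allows):<5} "
              f"external: {'open' if f.external_reachable else 'closed'}  "
              f"hairpin from {f.bridge}: {'BLOCKED' if f.hairpin_blocked else 'ok'}")
```

Run it against `iptables-save` output from the real host (`sudo iptables-save | python3 audit.py` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`) and every line flagged `external: open` with `ufw allows: False` is a port the firewall is not protecting; every line flagged `hairpin ... BLOCKED` reproduces the timeout seen from container A. Adding the port to ufw (so that an `-A ufw-user-input ... --dport 80 -j ACCEPT` line appears) clears the hairpin finding in this model, which is also the quickest way to confirm the diagnosis on the box before deciding how the two firewalls should be reconciled.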
b0r1sp
July 26, 2019, 8:57pm
13
thx
And thanks for your time, much appreciated.
b0r1sp
July 27, 2019, 11:15am
14
# curl -v -H "Host: a.example.com" http://traefik:80
* Rebuilt URL to: http://traefik:80/
* Hostname was NOT found in DNS cache
* Trying 172.27.0.4...
* Connected to traefik (172.27.0.4) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.38.0
> Accept: */*
> Host: a.example.com
>
< HTTP/1.1 302 Found
< Location: https://a.example.com:443/
< Date: Sat, 27 Jul 2019 11:13:40 GMT
< Content-Length: 5
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host traefik left intact
Oh, yes, it looks like iptables is overloaded o_0.
It's nice to see your problem is tied down to this.
You might want to stop all the running containers (or as many as possible if it is production), stop the Docker Engine, remove and flush all iptables rules, enable ufw and start again. Maybe a host reboot could do this properly?
Then you should be able to work with your setup again.