Firewalld with Docker: opened ports are not open

Hey guys,
I just set up a server (as a transactional server, not as a VM) with Docker (managed via Portainer) on it.

I'm a home user, so please excuse me if I'm missing something here.

I'm trying to access a container via port 55400.

:~> ss -tuna | grep 55400
tcp   LISTEN 0      4096         0.0.0.0:55400        0.0.0.0:*
tcp   LISTEN 0      4096            [::]:55400           [::]:*

So the server is listening on this port, and I'm guessing it's therefore open.

Looking into iptables gives me this (I don't know how to interpret it, included just for completeness):

:~> sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 26160 packets, 9940K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
33172   17M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
16351   15M ACCEPT     all  --  *      br-4d77e78baf05  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-4d77e78baf05  0.0.0.0/0            0.0.0.0/0
16821 2403K ACCEPT     all  --  br-4d77e78baf05 !br-4d77e78baf05  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-4d77e78baf05 br-4d77e78baf05  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      br-f44f1b66126f  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-f44f1b66126f  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-f44f1b66126f !br-f44f1b66126f  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-f44f1b66126f br-f44f1b66126f  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 30941 packets, 9712K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9000
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:8000
    0     0 ACCEPT     tcp  --  !br-4d77e78baf05 br-4d77e78baf05  0.0.0.0/0            172.19.0.2           tcp dpt:55400
    0     0 ACCEPT     tcp  --  !br-4d77e78baf05 br-4d77e78baf05  0.0.0.0/0            172.19.0.2           tcp dpt:8444

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
33172   17M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

So with this I tried

nmap -p 55400 -v 192.168.1.112

from my Windows PC, which gives me:

PORT      STATE  SERVICE
55400/tcp closed unknown

I've been investigating this for days and am still unable to establish a connection, and I don't see why.

The simple test, it seems to me, is to switch the firewall off for a few minutes and then check. Then you know if the firewall is to blame or not.


Sorry, I thought it was clear from the context.

So at first, after sudo systemctl stop firewalld, the port was open:

PORT      STATE SERVICE
55400/tcp open  unknown

But after some trying, the port was suddenly closed.
I found out that "suddenly" was after restarting Docker, so when stopping the firewall the port is open until I restart Docker (firewall still down).

I just checked the firewall with sudo systemctl status firewalld (after a complete restart) and saw this:

● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-07-03 22:03:09 CEST; 21s ago
       Docs: man:firewalld(1)
   Main PID: 892 (firewalld)
      Tasks: 2 (limit: 4915)
     CGroup: /system.slice/firewalld.service
             └─ 892 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Jul 03 22:03:16 server firewalld[892]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
Jul 03 22:03:16 server firewalld[892]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
Jul 03 22:03:16 server firewalld[892]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
Jul 03 22:03:16 server firewalld[892]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
Jul 03 22:03:16 server firewalld[892]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
Jul 03 22:03:16 server firewalld[892]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Jul 03 22:03:16 server firewalld[892]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Jul 03 22:03:16 server firewalld[892]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-4d77e78baf05 -o br-4d77e78baf05 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jul 03 22:03:16 server firewalld[892]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jul 03 22:03:16 server firewalld[892]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

PS: I also just set up an UrBackup container, which works fine.
Ports 55413-55415 are open even with the firewall started.

Solution:

By following this guide, How to secure a docker host using firewalld, I was able to open the ports.
Additionally, after the guide I had the Docker interface twice in my config, so I uninstalled firewalld → reboot → reinstalled firewalld → reboot → works.
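A small diagnostic helper for the situation in this thread, added here as an example; it is not code from the thread, from the linked guide, or from the Docker or firewalld projects. It reads the DOCKER chain of `iptables -L -n -v` (a constructed sample copied from the listing above is embedded so it runs offline), works out which bridge interface Docker maps a published port to, and prints the read-only firewall-cmd checks to run next. The zone name "docker" is an assumption: it is the zone Docker creates when it detects firewalld (Docker 20.10 and later); the port check queries the default zone, which is where the LAN-facing NIC usually sits.

```shell
#!/bin/sh
# Added example (not from the thread). Usage on a live host:
#   sudo iptables -L DOCKER -n -v | docker_published_ports
# The sample below is constructed from the DOCKER chain shown in the thread.
sample_docker_chain() {
    cat <<'EOF'
Chain DOCKER (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9000
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:8000
    0     0 ACCEPT     tcp  --  !br-4d77e78baf05 br-4d77e78baf05  0.0.0.0/0            172.19.0.2           tcp dpt:55400
    0     0 ACCEPT     tcp  --  !br-4d77e78baf05 br-4d77e78baf05  0.0.0.0/0            172.19.0.2           tcp dpt:8444
EOF
}

# Read a DOCKER chain listing on stdin; print "port proto bridge container_ip"
# for every ACCEPT rule carrying a destination-port match.
# Columns of `iptables -L -n -v`: pkts bytes target prot opt in out src dst [match...]
docker_published_ports() {
    awk '$3 == "ACCEPT" && $NF ~ /^dpt:/ {
        split($NF, d, ":")
        print d[2], $4, $7, $9
    }'
}

# Print the bridge interface carrying PORT (arg 1); exit 1 when Docker has no
# rule for it, which is what a flushed or missing DOCKER chain looks like.
bridge_for_port() {
    docker_published_ports | awk -v p="$1" '
        $1 == p { print $3; found = 1; exit }
        END { exit !found }'
}

# Print the firewalld checks for PORT/PROTO on BRIDGE. Nothing here changes
# state: --get-* and --query-* are read-only. A bridge outside the docker
# zone (assumed zone name) or a port not allowed in the default zone are the
# usual reasons a socket that `ss` shows as LISTEN is still closed from the LAN.
firewalld_checks() {
    port="$1"; proto="$2"; bridge="$3"
    printf 'firewall-cmd --get-zone-of-interface=%s\n' "$bridge"
    printf 'firewall-cmd --zone=docker --query-interface=%s\n' "$bridge"
    printf 'firewall-cmd --query-port=%s/%s\n' "$port" "$proto"
}

# Full diagnosis for one port against the sample; on a live host replace
# sample_docker_chain with:  sudo iptables -L DOCKER -n -v
diagnose() {
    port="$1"
    entry=$(sample_docker_chain | docker_published_ports |
            awk -v p="$port" '$1 == p { print; exit }')
    if [ -z "$entry" ]; then
        echo "no DOCKER rule for port $port: docker has not (re)installed its chains" >&2
        return 1
    fi
    set -- $entry    # port proto bridge container_ip
    echo "port $1/$2 -> bridge $3 (container $4); run:"
    firewalld_checks "$1" "$2" "$3"
}

diagnose 55400
```

The "no DOCKER rule" branch is the state the thread describes after restarting Docker with firewalld running: the firewalld log above shows it flushing and deleting the DOCKER chains, and once they are gone there is no DNAT/ACCEPT path for the published port regardless of what `ss` reports on the host.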