
I need to xdebug something that fails on the server in a docker container and from my laptop I have run ssh -R 9000:localhost:9000 server and verified the tunnel by telnet localhost 9000. So far so good, I got a connection.

Now, on the server I did

iptables -t nat -I PREROUTING -p tcp -d 172.17.42.1 --dport 9000 -j DNAT --to 127.0.0.1:9000 

Finally I have committed the problematic docker instance and ran

docker run --net=host -t -i snapshot /bin/bash

Inside the container telnet 172.17.42.1 9000 refuses connection.

chx
  • I'm rather clueless about docker and rather clueless about iptables on that level, so excuse me if this question makes no sense, but maybe since you ran the iptables command outside the container, it isn't recognized inside, what if you run the iptables command inside the container? – barlop Feb 23 '15 at 00:49
  • and can you do any troubleshooting to isolate where the problem is. You have 3 rather involved commands there. The ssh -R, the iptables with PREROUTING and DNAT, and docker. No doubt keep docker. What if you try nc -l -p 1234 (or whatever the nc syntax for get it to listen on a port is), and skip iptables and do docker and within the container do telnet 127.0.0.1:1234 and see if that works. If it fails, then you have a simpler demonstration of the problem - that helps. If it works, then try to build it up till it fails and that will give a better idea of the cause. – barlop Feb 23 '15 at 00:54
  • The ssh -R part works, both telnet and lsof shows that. – chx Feb 23 '15 at 01:35
  • https://askubuntu.com/a/789275/8023 is an answer too. – chx Oct 22 '17 at 09:22

2 Answers


I ran into this same issue, except I had two containers wired together with --link, so --net=host won't work for that situation.

When doing an ssh port forward to the remote host using ssh -R 9000:localhost:9000 server, an lsof -P -i -n may show that the port is bound to the server's loopback device, which looks like this:

sshd 39172 ubuntu 9u IPv4 2941407 0t0 TCP ::1:9000 (LISTEN)

That loopback interface is not available to the network inside of the docker container. I remedied this by adding GatewayPorts yes to the sshd_config file on the server and restarting sshd.

The forwarded port 9000 is then bound to the normal interface and available from inside the docker container. (and from any other host for that matter).

Mixologic
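As an added example (not part of Mixologic's answer), the script below classifies where a -R forward ended up bound from an lsof line shaped like the one quoted above, and encodes the sshd_config(5) GatewayPorts semantics so the narrower alternative to `yes` is visible: `GatewayPorts clientspecified` plus a client-side bind address of the docker bridge IP (172.17.42.1 from the question, assumed here), which reaches the containers without opening port 9000 to every other host. The sample lsof lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original answers. Sample lsof lines below are
# constructed to match the shape of the one quoted in the answer.

# Classify the bind address in one LISTEN line of "lsof -P -i -n" output.
# Prints one of: loopback | any | specific
classify_bind() {
  line="$1"
  addr="${line##* TCP }"   # keep "ADDR:PORT (LISTEN)"
  addr="${addr%% *}"       # drop " (LISTEN)"
  host="${addr%:*}"        # drop ":PORT"; "::1:9000" -> "::1", "[::1]:9000" -> "[::1]"
  case "$host" in
    127.*|'::1'|'[::1]')          echo loopback ;;
    '*'|0.0.0.0|'::'|'[::]')      echo any ;;
    *)                            echo specific ;;
  esac
}

# Predict where sshd binds a -R forward, from the server's GatewayPorts value
# and the bind address the client requested ("" for the plain -R port:host:port
# form). Semantics as documented in sshd_config(5): "no" (the default) binds
# the loopback address, "yes" forces the wildcard address, "clientspecified"
# lets the client choose.
predict_bind() {
  gatewayports="$1"; requested="$2"
  case "$gatewayports" in
    yes) echo any ;;
    clientspecified)
      case "$requested" in
        '')                       echo loopback ;;
        '*'|0.0.0.0|'::')         echo any ;;
        localhost|127.*|'::1')    echo loopback ;;
        *)                        echo specific ;;
      esac ;;
    *) echo loopback ;;
  esac
}

SAMPLE_LOOPBACK='sshd 39172 ubuntu 9u IPv4 2941407 0t0 TCP ::1:9000 (LISTEN)'
SAMPLE_ANY='sshd 39172 ubuntu 9u IPv4 2941407 0t0 TCP *:9000 (LISTEN)'

echo "GatewayPorts no  (default):     $(classify_bind "$SAMPLE_LOOPBACK")"
echo "GatewayPorts yes (the answer):  $(classify_bind "$SAMPLE_ANY")"
# Narrower option: set "GatewayPorts clientspecified" in sshd_config, restart
# sshd, then from the laptop run
#   ssh -R 172.17.42.1:9000:localhost:9000 server
# (172.17.42.1 is the docker bridge IP from the question; check yours with
#  "ip addr show docker0").
echo "clientspecified + bridge IP:    $(predict_bind clientspecified 172.17.42.1)"
```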

@barlop's comment has proven very helpful. I have deleted the iptables rule then I tried to run nc -l -p 1234 and then nc -l 127.0.0.1 -p 1234 and then in the container I tried telnet localhost 1234 and it worked. So I tried telnet localhost 9000 and it also worked! I think it didn't before but it seems it does now. So: no need for any iptables rules, it just works with --net=host. However, lsof -i :9000 still doesn't display anything and it's possible I only tested with that before.

Edit: netstat -anl |grep :9000 in the container shows the open port as LISTEN. lsof does not. Weird.

chx
  • I'm a bit familiar with netstat which I understand covers part of the functionality of lsof. if you do `netstat -apn (or whatever the switches are) | grep :9000`(I don't have netstat output in front of me but I guess that'd be the right grep), are you saying that doesn't show port 9000 open but you can connect to port 9000? Is the server/listening port inside the container? outside the container? or both? And are you running lsof or netstat inside the container? or outside the container? or both? and are you trying to telnet from inside or from outside? btw nc can do telnet `nc server port`. – barlop Feb 23 '15 at 07:04
  • `nc -l -p` was run outside of the container to simulate / rule out SSH as the culprit. `telnet` was run inside the container to check for a connection for real. – chx Feb 23 '15 at 07:33