Docker open ports in iptables (rabbitmq)
I have a docker image based on rabbitmq. Nothing in my Dockerfile specifies anything about ports.

I bind the usual rabbitmq ports (5671, 5672 and 15672) to my custom ports by running my instance as follows:

    docker run -d -p $someport:5671 -p 127.0.0.1::5672 -p $somemgtport:15672 myimage

There is nothing in my iptables INPUT chain, and the FORWARD chain is filled with the usual docker stuff.

The problem

When $somemgtport is different from 15672, I can't access it (the rabbitmq management interface via HTTP) from the outside world.
But it seems that I used the -p flag correctly, because curl https://localhost:$somemgtport works as expected (as well as the amqp calls to $someport).

When running, the iptables DOCKER chain is the following:

    Chain DOCKER (1 references)
    target  prot  opt  in        out      source    destination
    ACCEPT  tcp   --   !docker0  docker0  anywhere  xyz          tcp dpt:15672
    ACCEPT  tcp   --   !docker0  docker0  anywhere  xyz          tcp dpt:5671
    ACCEPT  tcp   --   !docker0  docker0  anywhere  xyz          tcp dpt:amqp

So it doesn't open the ports $someport and $somemgtport but rather the ports that correspond to the "inside" of the container: 5671 and 15672 (the ones from rabbitmq).
=> It seems to me that it's doing exactly the contrary of what I would expect...!

What did I do wrong with the docker run command?

NB: I want other ports than the default ones because I'm running 2 instances of rabbitmq on the same machine.

Update - Here's a partial output of netstat -pln (with someport=55001 and somemgtport=65002):

    tcp6  0  0  :::55001  :::*  LISTEN  29613/docker-proxy
    tcp6  0  0  :::65002  :::*  LISTEN  29622/docker-proxy

netstat -pln | grep 15672 has no output.
iptables docker rabbitmq
edited Mar 2 '15 at 15:33
lajarre
asked Feb 27 '15 at 12:22
lajarre
Can you share the output of netstat -pln | grep 15672 inside the container? – ronnix Feb 27 '15 at 16:02
1 Answer
Deprecation Notice: That question is outdated, whatever might have created it at the time doesn't exist anymore. Docker stopped using iptables (to achieve port redirection) a long time ago, the network layer was rewritten from scratch at least twice since the question was posted.
answered Apr 29 '17 at 21:32
user5994461
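How the three -p values in the question's docker run command resolve to a host bind address, host port and container port, as an added example (not code from the original post or from Docker). The function names are hypothetical, the port numbers are the ones given in the question's update (someport=55001, somemgtport=65002), and port ranges are not handled.

```python
import ipaddress

def parse_publish(spec):
    """Split one `docker run -p` value: [ip:][hostPort]:containerPort[/proto]."""
    body, _, proto = spec.partition("/")
    if body.startswith("["):                  # bracketed IPv6 bind address
        ip, _, rest = body[1:].partition("]:")
        parts = [ip] + rest.split(":")
    else:
        parts = body.split(":")
    if len(parts) == 1:                       # bare containerPort
        ip, host, cont = "", "", parts[0]
    elif len(parts) == 2:                     # hostPort:containerPort
        ip, host, cont = "", *parts
    elif len(parts) == 3:                     # ip:[hostPort]:containerPort
        ip, host, cont = parts
    else:
        raise ValueError(f"unsupported publish spec: {spec!r}")
    if not cont.isdigit() or (host and not host.isdigit()):
        raise ValueError(f"ports must be single numbers: {spec!r}")
    bind = ipaddress.ip_address(ip) if ip else None   # None: no bind address given
    return {
        "bind": str(bind) if bind is not None else "0.0.0.0",  # Docker's default
        "host_port": int(host) if host else None,  # None: Docker picks a free port
        "container_port": int(cont),
        "proto": proto or "tcp",
        # Reachable from other machines unless bound to a loopback address.
        "external": bind is None or not bind.is_loopback,
    }

def audit(specs):
    """Return (host endpoint, container port, reachable from network) per spec."""
    rows = []
    for spec in specs:
        p = parse_publish(spec)
        port = p["host_port"] if p["host_port"] is not None else "ephemeral"
        rows.append((f'{p["bind"]}:{port}', p["container_port"], p["external"]))
    return rows

# Constructed from the question's command and the values in its update.
QUESTION_SPECS = ["55001:5671", "127.0.0.1::5672", "65002:15672"]

if __name__ == "__main__":
    for row in audit(QUESTION_SPECS):
        print(row)
```

The second field is the container-side port, which is what the dpt column of the DOCKER chain in the question lists; the host-side port appears only in the first field.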