What kind of problem? The same as before?
If the container insists on setting a firewall deny rule, you could try to install a firewall and open the ports you need in addition.
No, not the same (SSH and the web interface are ok now), but I still can't get to Portainer when the container is launched.
To sum up:
If I do docker stop transmission-openvpn and reboot, it's ok.
But if I start it in Portainer, I lose access to Portainer. Still, curl -v http://localhost:9000 is ok.
I use these parameters for the container:
UFW_EXTRA_PORTS = 22,80,443,9000,8000,135,137,138,139,445
As I understood it, with the second line all machines on the same gateway as the NAS should pass:
UFW_ALLOW_GW_NET = true
Ok, give me the output of docker ps -a and the list of firewall rules.
root@bart-nas:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0d9e42764826 haugene/transmission-openvpn:latest "dumb-init /etc/open…" 5 days ago Exited (0) 26 hours ago transmission-openvpn
14d2d64581c4 portainer/portainer-ce "/portainer" 6 days ago Up 25 hours 0.0.0.0:8000->8000/tcp, :::8000->8000/tcp, 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp, 9443/tcp portainer
I don't know how to get the FW rules, but as you can see, Portainer is on 9000 and I have it in UFW_EXTRA_PORTS.
You get the firewall rules with the iptables -L and iptables-legacy -L commands you already learned.
The transmission container is stopped; can you please check the accessibility with and without the container running.
I am still not exactly sure how this situation happens.
Oh ok, sorry, I didn't make the link between what you asked and the commands. Here it is:
When the container is stopped, Portainer is reachable:
root@bart-nas:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8000
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
And
root@bart-nas:~# iptables-legacy -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
And after a reboot, with the container started, I can't reach Portainer. That's weird, port 9000 is in the list:
root@bart-nas:~# iptables-legacy -L
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:51413
ACCEPT udp -- anywhere anywhere udp dpt:51413
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:9091
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:9091
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:ssh
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:22
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:http
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:80
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:https
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:443
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:9000
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:9000
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:8000
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:8000
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:epmap
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:epmap
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:netbios-ns
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:netbios-ns
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:netbios-dgm
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:netbios-dgm
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:netbios-ssn
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:netbios-ssn
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:microsoft-ds
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:microsoft-ds
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
And finally:
root@bart-nas:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8000
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
# Warning: iptables-legacy tables present, use iptables-legacy to see them
From what I see:
In short: there are conflicting firewall rules because (I guess) two programs use different approaches for setting firewall rules.
I am not an expert on this (I always use the easy ufw frontend), but you can try
- to switch in the OMV UI which iptables Docker is using and see if this works, or
- ask the maintainers of the transmission image for a solution. You should not be the only one having this issue with this Docker image.
Or you have to learn IP firewalling and build your own rules (a lot of work).
Thanks for all your answers and the time you spent trying to help me.
I don't understand what you mean by "to switch in the OMV UI which IP-tables docker is using and try if this works"; I don't have anything in the OMV UI about iptables or a firewall, or I can't find it.
I'm looking on GitHub to try to find help...
I've found some info in the container image:
enabling firewall
Firewall is active and enabled on system startup
allowing 51413 through the firewall
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 9091
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 22
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 80
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 443
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 9000
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 8000
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 135
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 137
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 138
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 139
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 445
Skipping adding existing rule
adding route to local network 192.168.0.0/24 via 192.168.0.1 dev enp3s0
RTNETLINK answers: File exists
allowing 192.168.0.0/24 through the firewall to port 9091
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 22
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 80
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 443
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 9000
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 8000
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 135
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 137
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 138
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 139
Skipping adding existing rule
allowing 192.168.0.0/24 through the firewall to port 445
Skipping adding existing rule
The thing I don't understand is that ports 22 (SSH) and 80 (web interface) are ok, but not 9000 (Portainer), although in the config and the log they are the same... I'll continue to search; if I find something, I'll post it here in case someone has the same problem.
The difference regarding the ports is that 22, 80 and 443 are served on the host, but 9000 is in a Docker container, and iptables needs to allow forwarding of packets sent to 192.186.0.31 to the Docker container with IP 172.17.0.2.
Here are the rules when it is working (extract only):
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8000
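The host-versus-forwarded distinction in the post above (and the earlier suggestion to learn iptables and build your own rules) can be checked mechanically instead of by eye. The script below is an added example, not code from this thread, from OMV, or from the transmission-openvpn or Portainer projects. It parses the `iptables -L` listing format shown in the thread, follows jumps, RETURNs and chain policies, and answers whether a new TCP connection to a given port is accepted. The sample listings are constructed, trimmed down from the thread's own output: rules whose match is an interface (`iptables -L` without `-v` hides it, such as ufw's loopback rule and Docker's docker0 rules) are omitted, and `LEGACY_FIXED` appends a hypothetical forward rule to `ufw-user-forward` of the kind a `ufw route allow` command would create (an assumption, not something the thread did). The key point it demonstrates: a forwarded packet must pass the legacy table (where ufw lives) and the nf_tables table (where Docker lives), so port 9000 can be open in ufw's INPUT chain and still be dropped by its FORWARD policy.

```python
import ipaddress
import re

# Service names as iptables -L prints them on the thread's host (/etc/services).
PORT_NAMES = {"ssh": 22, "http": 80, "https": 443, "epmap": 135, "netbios-ns": 137,
              "netbios-dgm": 138, "netbios-ssn": 139, "microsoft-ds": 445}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_iptables(text):
    # {chain: (policy or None, [(target, prot, source, dest, extra), ...])}
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("target", "#")):
            continue
        m = re.match(r"Chain (\S+) \((.*)\)", line)
        if m:
            info = m.group(2)
            current = chains[m.group(1)] = (info.split()[1] if info.startswith("policy") else None, [])
            continue
        p = line.split(None, 5)
        if current and len(p) >= 5:
            current[1].append((p[0], p[1], p[3], p[4], p[5] if len(p) > 5 else ""))
    return chains

def _addr_ok(spec, addr):
    return spec == "anywhere" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _rule_matches(rule, proto, dport, src, dst):
    _target, prot, source, dest, extra = rule
    if prot not in ("all", proto) or "ADDRTYPE" in extra:
        return False  # ADDRTYPE (like interface matches, hidden by -L) is not modelled
    m = re.search(r"ctstate (\S+)", extra)
    if m and "NEW" not in m.group(1).split(","):
        return False  # rule only concerns established or invalid flows, not a new connection
    m = re.search(r"dpt:(\S+)", extra)
    if m and str(PORT_NAMES.get(m.group(1), m.group(1))) != str(dport):
        return False
    return _addr_ok(source, src) and _addr_ok(dest, dst)

def _walk(chains, name, proto, dport, src, dst):
    # (verdict, reason) from the first terminal rule, or None on RETURN / fall-through
    for rule in chains[name][1]:
        if not _rule_matches(rule, proto, dport, src, dst):
            continue
        if rule[0] in TERMINAL:
            return rule[0], f"{name}: {' '.join(rule).strip()}"
        if rule[0] == "RETURN":
            return None
        if rule[0] in chains:  # jump into a user chain; LOG etc. are non-terminal
            hit = _walk(chains, rule[0], proto, dport, src, dst)
            if hit is not None:
                return hit
    return None

def decide(chains, base, proto, dport, src, dst):
    # Verdict for a new connection entering a built-in chain (INPUT or FORWARD).
    return _walk(chains, base, proto, dport, src, dst) or (chains[base][0], f"{base} policy")

def container_port_reachable(legacy_text, nft_text, dport, src, container_ip):
    # Forwarded traffic must pass the legacy (ufw) AND the nf_tables (Docker) FORWARD chain.
    verdicts = [decide(parse_iptables(t), "FORWARD", "tcp", dport, src, container_ip)[0]
                for t in (legacy_text, nft_text)]
    return all(v == "ACCEPT" for v in verdicts), verdicts

# Constructed samples, trimmed from the thread's listings (iptables-legacy = ufw, iptables = Docker).
LEGACY_SAMPLE = """
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-user-input  all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-forward  all  --  anywhere             anywhere
Chain ufw-user-input (1 references)
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:9000
Chain ufw-user-forward (1 references)
"""
NFT_SAMPLE = """
Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
Chain DOCKER (1 references)
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:9000
Chain DOCKER-USER (1 references)
RETURN     all  --  anywhere             anywhere
"""
# Hypothetical fix: a forward rule appended to ufw-user-forward (the last chain in LEGACY_SAMPLE).
LEGACY_FIXED = LEGACY_SAMPLE + "ACCEPT     tcp  --  192.168.0.0/24       172.17.0.2           tcp dpt:9000\n"

if __name__ == "__main__":
    print(decide(parse_iptables(LEGACY_SAMPLE), "INPUT", "tcp", 22, "192.168.0.10", "192.168.0.31"))
    print(container_port_reachable(LEGACY_SAMPLE, NFT_SAMPLE, 9000, "192.168.0.10", "172.17.0.2"))
    print(container_port_reachable(LEGACY_FIXED, NFT_SAMPLE, 9000, "192.168.0.10", "172.17.0.2"))
```

Run it as is, or paste the real `iptables -L` and `iptables-legacy -L` output of a host into the two sample strings. With the thread's rules, SSH to the host is accepted in ufw's INPUT chain, while the same LAN client's connection to the container port is accepted by Docker's FORWARD chain but dropped by the legacy FORWARD policy, which is exactly the asymmetry the thread observed; adding a forward rule in ufw's own chain flips the combined verdict. The parser treats matches it does not understand (ADDRTYPE, and anything hidden by the missing `-v`) as non-matching, so for anything beyond a quick diagnosis check the full listing with `iptables -L -v -n`.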
On GitHub someone just told me to set ENABLE_FW = false, and it works, because I don't have any firewall anymore.
That's ok for me so far.
Thank you very much for all the help; we can consider this closed.