
Docker/iptables networking sanity check #119

Closed
cyb3n3tic opened this issue Sep 16, 2022 · 5 comments

@cyb3n3tic

I'm still struggling to get a Hedgehog sensor to connect to Malcolm (Connection refused) and have been digging into iptables on the Malcolm host. Could someone sanity-check the below for me please, as it seems to me the IP assigned to OpenSearch does not align with what I see in iptables (for port 9200 specifically).

```
Chain DOCKER (2 references)
 pkts bytes target     prot opt in               out     source               destination
    0     0 RETURN     all  --  docker0          *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-035c5311173a  *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !br-035c5311173a *       0.0.0.0/0            127.0.0.1            tcp dpt:8022 to:172.18.0.4:22
  **0     0 DNAT       tcp  --  !br-035c5311173a *       0.0.0.0/0            127.0.0.1            tcp dpt:9200 to:172.18.0.15:9200**
    0     0 DNAT       tcp  --  !br-035c5311173a *       0.0.0.0/0            127.0.0.1            tcp dpt:5601 to:172.18.0.15:5601
    0     0 DNAT       tcp  --  !br-035c5311173a *       0.0.0.0/0            0.0.0.0/0            tcp dpt:488 to:172.18.0.15:488
    0     0 DNAT       tcp  --  !br-035c5311173a *       0.0.0.0/0            127.0.0.1            tcp dpt:5044 to:172.18.0.16:5044
    0     0 DNAT       tcp  --  !br-035c5311173a *       0.0.0.0/0            127.0.0.1            tcp dpt:5045 to:172.18.0.17:5045
    0     0 DNAT       tcp  --  !br-035c5311173a *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.18.0.15:443
```

`docker network inspect malcolm_default`:

```
            "Name": "malcolm_opensearch_1",
            "EndpointID": "ab4fcf74ad02e9f6ebc51404434e9d77216a1f30095533da3375bb374a7e6a17",
            "MacAddress": "02:42:ac:12:00:09",
            **"IPv4Address": "172.18.0.9/16"**,
            "IPv6Address": ""
```
@mmguero
Collaborator

mmguero commented Sep 19, 2022

Have you double-checked the nginx-proxy's ports section in your docker-compose file? It's got something along the lines of `0.0.0.0:9200:9200`?

Honestly I'm not an iptables expert; I generally let ufw handle it for me (e.g., `sudo ufw allow 9200/tcp`). I guess you could check your `/etc/docker/daemon.json` file and make sure there's nothing weird networking-wise in there?

@cyb3n3tic
Author

So nothing wrong in docker-compose or daemon.json, it seems. I have the below for NGINX:

```yaml
ports:
  - "0.0.0.0:443:443"
  - "0.0.0.0:488:488"
  - "0.0.0.0:5601:5601"
  - "0.0.0.0:9200:9200"
```

But if I run `docker port malcolm_nginx-proxy_1` I get the below output:

```
9200/tcp -> 127.0.0.1:9200
443/tcp -> 0.0.0.0:443
488/tcp -> 0.0.0.0:488
5601/tcp -> 127.0.0.1:5601
```

netstat verifies the same for 9200:

```
tcp        0      0 127.0.0.1:9200          0.0.0.0:*               LISTEN      1306/docker-proxy
```

Which explains why I can curl 443 and 448 but neither 9200 nor 5601.

I just can't work out what is interfering to cause this. The host is a vanilla Ubuntu build on GCP with Malcolm installed from the script.

I'll keep poking at it!
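
A scripted version of the sanity check being done by hand in this thread, added here as an example (it is not Malcolm's code and not from either participant). It cross-checks the DNAT rules of the iptables DOCKER chain against the `ports:` entries declared for a service and against the container-name-to-IP mapping from `docker network inspect`, reporting for each declared host port whether the kernel actually binds it to all interfaces or to loopback only, whether that matches the compose file, and which container receives the traffic. The sample inputs are constructed from the output posted above; the assignment of 172.18.0.15 to `malcolm_nginx-proxy_1` is an assumption made for the example, since the thread does not show that container's address.

```python
"""Port-exposure sanity check for a Docker host (added example).

Cross-checks the three things compared by hand in this thread:
  1. DNAT rules in the iptables DOCKER chain (`iptables -t nat -L DOCKER -n -v`),
  2. the `ports:` entries declared for a service in docker-compose,
  3. the container name -> IPv4 mapping from `docker network inspect <network>`.
"""
import ipaddress
import json
import re

# One DNAT line of `iptables -t nat -L DOCKER -n -v`:
#   pkts bytes target prot opt in out source destination  tcp dpt:<port> to:<ip>:<port>
DNAT_RE = re.compile(
    r"^\s*\d+\s+\d+\s+DNAT\s+(?P<proto>\S+)\s+--\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+dpt:(?P<dport>\d+)\s+to:(?P<to_ip>[\d.]+):(?P<to_port>\d+)"
)

def parse_dnat_rules(text):
    """Return one dict per DNAT rule; RETURN rules and header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = DNAT_RE.match(line)
        if m:
            r = m.groupdict()
            r["dport"], r["to_port"] = int(r["dport"]), int(r["to_port"])
            rules.append(r)
    return rules

def parse_compose_port(spec):
    """Parse compose short syntax into (host_ip, host_port, container_port).

    Handles "IP:HOST:CONTAINER", "HOST:CONTAINER" and "CONTAINER" (IPv4 only).
    No host IP means Docker binds to all interfaces; no host port means an
    ephemeral one, returned here as None.
    """
    parts = spec.split("/")[0].split(":")        # drop an optional "/tcp" or "/udp"
    if len(parts) == 3:
        host_ip, host_port, cport = parts
    elif len(parts) == 2:
        host_ip, (host_port, cport) = "0.0.0.0", parts
    else:
        host_ip, host_port, cport = "0.0.0.0", None, parts[0]
    return host_ip, (int(host_port) if host_port else None), int(cport)

def container_ips_from_inspect(inspect_json):
    """Map IPv4 address (prefix length stripped) -> container name."""
    mapping = {}
    for network in json.loads(inspect_json):
        for c in network.get("Containers", {}).values():
            mapping[c["IPv4Address"].split("/")[0]] = c["Name"]
    return mapping

def audit(dnat_text, compose_ports, container_ips):
    """For each declared host port, report where iptables actually binds it,
    which container receives it, and whether that matches the compose file."""
    rules = {(r["proto"], r["dport"]): r for r in parse_dnat_rules(dnat_text)}
    report = {}
    for spec in compose_ports:
        host_ip, host_port, _ = parse_compose_port(spec)
        if host_port is None:
            continue                             # ephemeral host port: nothing to compare
        entry = {"declared": host_ip, "actual": None, "target": None, "status": "no-rule"}
        rule = rules.get(("tcp", host_port))
        if rule is not None:
            actual = rule["dst"].split("/")[0]   # iptables prints "0.0.0.0/0" for "any"
            entry["actual"] = actual
            entry["target"] = (container_ips.get(rule["to_ip"], "unknown"),
                               rule["to_ip"], rule["to_port"])
            if actual != host_ip:
                entry["status"] = "mismatch"         # compose says one thing, kernel another
            elif ipaddress.ip_address(actual).is_unspecified:
                entry["status"] = "all-interfaces"   # reachable from the network
            else:
                entry["status"] = "loopback-only"
        report[host_port] = entry
    return report

# Constructed sample input, transcribed from the iptables output in the thread.
IPTABLES_DOCKER_CHAIN = """\
Chain DOCKER (2 references)
 pkts bytes target     prot opt in               out     source               destination
    0     0 RETURN     all  --  docker0          *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !br-035c5311173a *       0.0.0.0/0            127.0.0.1            tcp dpt:8022 to:172.18.0.4:22
    0     0 DNAT       tcp  --  !br-035c5311173a *       0.0.0.0/0            127.0.0.1            tcp dpt:9200 to:172.18.0.15:9200
    0     0 DNAT       tcp  --  !br-035c5311173a *       0.0.0.0/0            127.0.0.1            tcp dpt:5601 to:172.18.0.15:5601
    0     0 DNAT       tcp  --  !br-035c5311173a *       0.0.0.0/0            0.0.0.0/0            tcp dpt:488 to:172.18.0.15:488
    0     0 DNAT       tcp  --  !br-035c5311173a *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.18.0.15:443
"""

# Constructed: the opensearch entry is from the thread; the nginx-proxy address
# 172.18.0.15 is an assumption so that it matches the DNAT targets above.
NETWORK_INSPECT = json.dumps([{"Name": "malcolm_default", "Containers": {
    "aaa": {"Name": "malcolm_opensearch_1", "IPv4Address": "172.18.0.9/16"},
    "bbb": {"Name": "malcolm_nginx-proxy_1", "IPv4Address": "172.18.0.15/16"},
}}])

# The nginx-proxy ports block as posted in the thread.
NGINX_PORTS = ["0.0.0.0:443:443", "0.0.0.0:488:488", "0.0.0.0:5601:5601", "0.0.0.0:9200:9200"]

if __name__ == "__main__":
    for port, entry in audit(IPTABLES_DOCKER_CHAIN, NGINX_PORTS,
                             container_ips_from_inspect(NETWORK_INSPECT)).items():
        print(port, entry)
```

On the posted data this flags 9200 and 5601 as `mismatch` (declared `0.0.0.0`, bound to `127.0.0.1`) and 443 and 488 as `all-interfaces`, and shows that every DNAT target is the proxy container rather than OpenSearch, which is why the OpenSearch address from `docker network inspect` was never expected to appear in the DOCKER chain. On a live host the three inputs would come from the commands named in the module docstring.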

@mmguero
Collaborator

mmguero commented Sep 21, 2022

Doesn't make sense to me; what's in the compose file and what the output of those commands is showing are completely contradictory. There are two docker-compose files in a repository checkout (one is named "-standalone"); maybe you're editing one and using the other? Check both? I'm stymied.

@cyb3n3tic
Author

Join the club :) Thanks anyway

@cyb3n3tic
Author

Finally solved, insofar as I created a new VM, cloned from GitHub and installed again. No idea what I did differently, but I ensured I followed the guide to the letter and now have a functioning Malcolm instance which seems to be working as expected. Now on to the Hedgehog sensor, which has at least passed the forwarding configuration stage this time around, where I was previously getting a connection refused error 400.

Thanks for the help and support.
