not quite working for me #2

Closed
ecamaj opened this issue Mar 2, 2016 · 27 comments

Comments

@ecamaj

ecamaj commented Mar 2, 2016

I still have issues with csf even when I use this script, which helps with restarts of csf for the most part.

The main issue for me is that I cannot access containers from localhost (centos) via "127.0.0.1". For example "curl 127.0.0.1:5432" just hangs. Everything works when accessing with domain name:port.
This is a major issue for me, because I would like to set the access only to localhost and use subdomain forwarding to localhost so that ports are not directly accessible but only through a subdomain, which allows using basic auth and similar features.

I'm still not very handy with "ops" part of "devops", so I might be missing something obvious, sorry about that.

Any help solving this would be much appreciated.

Thanks,
Eddie

@ecamaj

ecamaj commented Mar 2, 2016

Of course, when I disable csf and restart docker service, it works from both domain and 127.0.0.1.

@ghost ghost self-assigned this Mar 2, 2016
@ghost

ghost commented Mar 4, 2016

Hi Eddie,

I tried to query a webpage using curl http://localhost and curl http://<domain>. Both worked for me.

Could you try to remove the script csfpost.sh and see if it works?

Thanks
Julien

@ecamaj

ecamaj commented Mar 11, 2016

No, when I remove csfpost.sh and I restart csf, docker is not accessible at all (both domain and localhost).
Can I give you some details from server maybe?

@ecamaj

ecamaj commented Mar 11, 2016

iptables -L -n -t nat:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:5601
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:9200
MASQUERADE  tcp  --  172.17.0.5           172.17.0.5           tcp dpt:8000
MASQUERADE  tcp  --  172.17.0.5           172.17.0.5           tcp dpt:8888
MASQUERADE  tcp  --  172.17.0.5           172.17.0.5           tcp dpt:8889
MASQUERADE  tcp  --  172.17.0.7           172.17.0.7           tcp dpt:80

Chain DOCKER (2 references)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5601 to:172.17.0.4:5601
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9200 to:172.17.0.4:9200
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8000 to:172.17.0.5:8000
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8888 to:172.17.0.5:8888
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8889 to:172.17.0.5:8889
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5001 to:172.17.0.7:80

Chain WEAVE (0 references)
target     prot opt source               destination         

@ecamaj

ecamaj commented Mar 11, 2016

I just noticed that when I restart docker service, this line in iptables is different:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

goes to:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

And first line in POSTROUTING is added:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL

Smells like a clue. :)
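
The two OUTPUT forms in the snapshots above are both Docker's own. With the userland proxy enabled (the default), the jump into the DOCKER chain excludes 127.0.0.0/8, so a connection to 127.0.0.1:port never reaches the DNAT rule and is answered only if docker-proxy is listening on that host port. With `--userland-proxy=false`, Docker installs the second form: no loopback exclusion, plus the `ADDRTYPE match src-type LOCAL` MASQUERADE rule so that DNATed loopback traffic gets a routable source address on the way into the bridge. A post-script that restores the first form on a daemon running in the second mode leaves 127.0.0.1:port with neither a DNAT rule nor a listener, which matches the hanging `curl` described in the opening comment; the thread itself does not record which form the merged fix used.

The following is an added example, not csfpost.sh and not Docker's code. It parses `iptables -nL -t nat` output, lists the published ports, reports which loopback mode the rules are in, and emits the iptables commands a post-script would need to rebuild the nat table for that mode. The two sample tables are constructed, abridged copies of the ones posted in this thread; the bridge name `docker0`, the subnet `172.17.0.0/16` and the `! -i docker0` interface match on the DNAT rules are assumptions, the last one because interface matches are not shown without `-v`. The filter-table FORWARD rules Docker also needs are out of scope here.

```python
"""Inspect `iptables -nL -t nat` output for Docker's published ports and its
loopback (127.0.0.1) handling, then emit the commands a firewall post-script
would need to rebuild the nat rules.  Added example: not csfpost.sh and not
Docker's code; rule syntax follows Docker 1.9-era bridge NAT (assumption)."""
import re


def parse_nat(text):
    """Return {chain: [rule dicts]} from `iptables -nL -t nat` text."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) ", line)
        if m:
            cur = m.group(1)
            chains[cur] = []
            continue
        parts = line.split(None, 5)          # target prot opt source destination [extra]
        if cur is None or len(parts) < 5 or parts[0] == "target":
            continue
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5].strip() if len(parts) > 5 else ""
        chains[cur].append(dict(target=target, prot=prot, src=src, dst=dst, extra=extra))
    return chains


def published_ports(chains):
    """(proto, host_port, container_ip, container_port) for each DNAT rule."""
    ports = []
    for r in chains.get("DOCKER", []):
        m = re.search(r"dpt:(\d+)\s+to:([\d.]+):(\d+)", r["extra"])
        if r["target"] == "DNAT" and m:
            ports.append((r["prot"], int(m.group(1)), m.group(2), int(m.group(3))))
    return ports


def loopback_mode(chains):
    """'userland-proxy': OUTPUT jump excludes 127.0.0.0/8, so loopback is served by
    docker-proxy.  'hairpin': loopback is DNATed too (Docker's --userland-proxy=false
    layout).  'none': there is no OUTPUT jump into DOCKER at all."""
    jumps = [r for r in chains.get("OUTPUT", [])
             if r["target"] == "DOCKER" and "dst-type LOCAL" in r["extra"]]
    if not jumps:
        return "none"
    return "userland-proxy" if any(r["dst"] == "!127.0.0.0/8" for r in jumps) else "hairpin"


def check(chains):
    """Findings to look at before blaming the firewall script."""
    mode, findings = loopback_mode(chains), []
    src_local = any(r["target"] == "MASQUERADE" and "src-type LOCAL" in r["extra"]
                    for r in chains.get("POSTROUTING", []))
    if mode == "none":
        findings.append("no OUTPUT jump to DOCKER: host-originated traffic is never DNATed")
    if mode == "userland-proxy":
        findings.append("127.0.0.1:<port> bypasses DNAT; works only if docker-proxy listens there")
    if mode == "hairpin" and not src_local:
        findings.append("hairpin without src-type LOCAL MASQUERADE: container replies to 127.0.0.1 are lost")
    return findings


def restore_rules(ports, mode, bridge="docker0", subnet="172.17.0.0/16"):
    """iptables commands (returned as strings, not executed) that rebuild the nat rules."""
    lo = "" if mode == "hairpin" else "! -d 127.0.0.0/8 "
    cmds = ["iptables -t nat -N DOCKER",
            "iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER",
            f"iptables -t nat -A OUTPUT {lo}-m addrtype --dst-type LOCAL -j DOCKER",
            f"iptables -t nat -A POSTROUTING -s {subnet} ! -o {bridge} -j MASQUERADE"]
    if mode == "hairpin":
        cmds.append(f"iptables -t nat -A POSTROUTING -m addrtype --src-type LOCAL -o {bridge} -j MASQUERADE")
    for prot, hport, cip, cport in ports:
        # `! -i docker0` is in Docker's rule but only visible with iptables -v (assumption)
        cmds.append(f"iptables -t nat -A DOCKER ! -i {bridge} -p {prot} --dport {hport} "
                    f"-j DNAT --to-destination {cip}:{cport}")
        cmds.append(f"iptables -t nat -A POSTROUTING -s {cip} -d {cip} -p {prot} --dport {cport} -j MASQUERADE")
    return cmds


# Constructed sample, abridged from the table posted in this thread (CSF restarted
# with csfpost.sh in place): the OUTPUT jump excludes 127.0.0.0/8.
WITH_CSFPOST = """\
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:5601

Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5601 to:172.17.0.4:5601
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5001 to:172.17.0.7:80
"""
# The same table after `service docker restart`, as described in the thread: no
# loopback exclusion, plus the src-type LOCAL MASQUERADE rule first in POSTROUTING.
AFTER_RESTART = WITH_CSFPOST.replace("!127.0.0.0/8", "0.0.0.0/0").replace(
    "MASQUERADE  all  --  172.17.0.0/16",
    "MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL\n"
    "MASQUERADE  all  --  172.17.0.0/16")
```

Run it against a live box with `parse_nat(subprocess.check_output(["iptables", "-nL", "-t", "nat"], text=True))`; `check()` on the csfpost snapshot returns the userland-proxy warning, on the post-restart snapshot nothing, and `restore_rules(..., "hairpin")` yields a rule set with no 127.0.0.0/8 exclusion and the src-type LOCAL MASQUERADE, which is what a post-script must reproduce on a daemon running without docker-proxy.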

@ghost

ghost commented Mar 11, 2016

Which version of docker do you use?

@ecamaj

ecamaj commented Mar 11, 2016

Downgraded a little because of Docker Cloud, for which this is the latest version ...

root@server1 [/etc/init.d]# docker version
Client:
 Version:      1.9.1-cs2
 API version:  1.21
 Go version:   go1.4.3
 Git commit:   4ade326
 Built:        Mon Nov 30 21:56:07 UTC 2015
 OS/Arch:      linux/amd64

Server:
 Version:      1.9.1-cs2
 API version:  1.21
 Go version:   go1.4.3
 Git commit:   4ade326
 Built:        Mon Nov 30 21:56:07 UTC 2015
 OS/Arch:      linux/amd64

@ghost

ghost commented Mar 11, 2016

I see that you are using Weave. Maybe something with that?

@ecamaj

ecamaj commented Mar 11, 2016

No, I don't even know what that is ... I think Docker Cloud uses that.
Anyway, from what I sent you (changes of iptables before and after), you don't think that the exact line mentioning 127.0.0.1 holds information about the problem?

Doesn't this mean something like (not) 127.0.0.0/8?

DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

@ghost

ghost commented Mar 11, 2016

I checked 2 of my servers and they both have that line, and they are not reporting any problem.

@ecamaj

ecamaj commented Mar 11, 2016

Interesting... and do you have this line in your servers?

Chain OUTPUT (policy ACCEPT)
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

@ghost

ghost commented Mar 11, 2016

I have the same as in your first output:

Chain OUTPUT (policy ACCEPT)
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

@ecamaj

ecamaj commented Mar 11, 2016

Then I don't know.
Can I send you something that would lead you to the problem why restarting CSF kills routing to localhost:port exposed previously by Docker?

@ghost

ghost commented Mar 11, 2016

sure

@ecamaj

ecamaj commented Mar 11, 2016

:) that was a question - what to send for you to check? I'm not sure.

@ghost

ghost commented Mar 11, 2016

:) sorry, didn't catch that.

access to the server :D

@ecamaj

ecamaj commented Mar 11, 2016

:) anything else?
send some output? :)

@ghost

ghost commented Mar 11, 2016

Verbose output of iptables:

  • iptables -nvL
  • iptables -nvL -t nat

Output of docker ps

@ecamaj

ecamaj commented Mar 13, 2016

any thoughts?
thanks

@ghost

ghost commented Mar 13, 2016

the output that you sent was with or without csfpost?

@ecamaj

ecamaj commented Mar 19, 2016

Hi, did you have time to check this out? Just to remove it from the list... :)
This would make the script complete.
thanks

@ghost

ghost commented Mar 19, 2016

Hi Eddie,

Let's try teamviewer (http://www.teamviewer.com/) so I can see your terminal.

@ecamaj

ecamaj commented Mar 19, 2016

@ghost

ghost commented Mar 19, 2016

contact me by email

@ecamaj

ecamaj commented Mar 19, 2016

Can't find one... I'm ready to accept connection now. :)

@ghost

ghost commented Mar 19, 2016

Do a git log on the clone of the repo.

@ecamaj

ecamaj commented Mar 19, 2016

Solved, I guess Julien will merge it in the script.

@ecamaj ecamaj closed this as completed Mar 19, 2016