Docker not working after firewall deployed | Page 2 | FWCloud Forum

KAI

Member
That works



root@46c7091f2789:/# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=2.19 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=114 time=2.10 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=114 time=2.18 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=114 time=2.02 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=114 time=2.00 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.995/2.095/2.186/0.079 ms
root@46c7091f2789:/#
 

Carles Munyoz

Administrator
Staff member
Ok, then the problem is in the name resolution.
Maybe you have to enable access to the DNS service in the INPUT chain of your host and coming from the Docker interface.
Can you test it ?
 

KAI

Member
Over 60 hrs spent looking at this Docker DNS issue with no progress. Even adding the DNS service in the INPUT chain of the host and coming from the Docker interface did not work. Any help would be appreciated.
 

Carles Munyoz

Administrator
Staff member
You have to analyze where your DNS traffic is being sent and where it is stopped.
For that you can use network traffic analysis tools like tcpdump.

For example, you can use the following tcpdump command to see all the DNS traffic coming from your Docker container:
Bash:
tcpdump -n -i docker0 port 53

Can you run this command on your host server and then run a command in the Docker container that generates DNS traffic? For example, this one:
Bash:
ping google.com

Please, copy here the output of the tcpdump command and I will continue helping you in the resolution of your problem.
 

KAI

Member
root@test-fwcloud-u20:~# tcpdump -n -i docker0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:20:03.702307 IP 172.17.0.2.59838 > 192.168.1.1.53: 9004+ A? google.com. (28)
19:20:03.702619 IP 172.17.0.2.59838 > 192.168.1.1.53: 10011+ AAAA? google.com. (28)
19:20:08.707825 IP 172.17.0.2.59838 > 192.168.1.1.53: 9004+ A? google.com. (28)
19:20:08.707922 IP 172.17.0.2.59838 > 192.168.1.1.53: 10011+ AAAA? google.com. (28)
 

Carles Munyoz

Administrator
Staff member
As you can see in the supplied traffic sample, your Docker container is trying to access the DNS server with IP 192.168.1.1, which is located in your LAN.
You have to allow this traffic in your FORWARD policy.

This is your current FORWARD policy:
[screenshot of the current FORWARD policy: Captura de pantalla 2022-12-21 a las 8.28.01.png]

You must add a new FORWARD rule before rule number 2 like this:
IN: docker0
OUT: ens18 (LAN)
SOURCE: Docker-Network
DESTINATION: 192.168.1.1 (this is the IP of your DNS server)
SERVICE: DNS (UDP)
ACTION: Accept

With this your Docker container should be able to resolve DNS requests.

Can you test it and confirm whether it works?
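The two steps above (read the DNS server out of the tcpdump sample, then allow exactly that traffic in FORWARD before the existing rule 2) as an added shell example that is not part of the thread or of FWCloud's own tooling; the Docker-Network range 172.17.0.0/16, the interface names and the rule position are assumptions taken from the thread, and the capture lines are a constructed copy of the sample posted above:

```bash
#!/bin/sh
# Added example, not from the FWCloud thread or product. Constructed sample of
# the tcpdump output shown in the thread (tcpdump -n -i docker0 port 53).
SAMPLE='19:20:03.702307 IP 172.17.0.2.59838 > 192.168.1.1.53: 9004+ A? google.com. (28)
19:20:03.702619 IP 172.17.0.2.59838 > 192.168.1.1.53: 10011+ AAAA? google.com. (28)
19:20:08.707825 IP 172.17.0.2.59838 > 192.168.1.1.53: 9004+ A? google.com. (28)'

# dns_servers CAPTURE: print each distinct DNS server IP the container queried.
# In "-n" output the destination is field 5, written as "a.b.c.d.53:".
dns_servers() {
  printf '%s\n' "$1" |
    awk '$5 ~ /\.53:$/ { sub(/\.53:$/, "", $5); print $5 }' |
    sort -u
}

# forward_dns_rule IN OUT SRC_NET DNS_IP POS: the iptables equivalent of the
# FWCloud rule in the thread (IN docker0, OUT ens18, SOURCE Docker-Network,
# DESTINATION the DNS server, SERVICE DNS/UDP, ACTION Accept). "-I FORWARD POS"
# inserts it at POS, i.e. before the rule currently numbered POS.
forward_dns_rule() {
  printf 'iptables -I FORWARD %s -i %s -o %s -s %s -d %s -p udp --dport 53 -j ACCEPT\n' \
    "$5" "$1" "$2" "$3" "$4"
}

# rules_from_capture CAPTURE IN OUT SRC_NET POS: one rule per DNS server seen.
rules_from_capture() {
  dns_servers "$1" | while read -r ip; do
    forward_dns_rule "$2" "$3" "$4" "$ip" "$5"
  done
}

# rule_present IN OUT SRC_NET DNS_IP: 0 if the host already has the rule
# (iptables -C needs root; harmless check, nothing is changed).
rule_present() {
  iptables -C FORWARD -i "$1" -o "$2" -s "$3" -d "$4" \
    -p udp --dport 53 -j ACCEPT 2>/dev/null
}

# Print the rules derived from the sample (assumed Docker-Network 172.17.0.0/16).
rules_from_capture "$SAMPLE" docker0 ens18 172.17.0.0/16 2
```

Run the printed command as root on the firewall host, then repeat `tcpdump -n -i docker0 port 53` and look for the reply lines (`192.168.1.1.53 > 172.17.0.2...`) that were missing in the thread's capture.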
 

KAI

Member
FINALLY - That worked. Thanks

root@46c7091f2789:/# ping google.com
PING google.com (142.250.138.139) 56(84) bytes of data.
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=1 ttl=55 time=4.02 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=2 ttl=55 time=4.09 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=3 ttl=55 time=3.92 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=4 ttl=55 time=6.12 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=5 ttl=55 time=4.13 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=6 ttl=55 time=4.12 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=7 ttl=55 time=3.90 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=8 ttl=55 time=4.23 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=9 ttl=55 time=4.05 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=10 ttl=55 time=4.12 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=11 ttl=55 time=4.13 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=12 ttl=55 time=3.93 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=13 ttl=55 time=4.14 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=14 ttl=55 time=4.14 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=15 ttl=55 time=3.82 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=16 ttl=55 time=3.91 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=17 ttl=55 time=3.81 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=18 ttl=55 time=3.87 ms
64 bytes from rw-in-f139.1e100.net (142.250.138.139): icmp_seq=19 ttl=55 time=4.03 ms

--- google.com ping statistics ---
19 packets transmitted, 19 received, 0% packet loss, time 18029ms
rtt min/avg/max/mdev = 3.809/4.129/6.122/0.484 ms
root@46c7091f2789:/#
 