Can't run docker containers only local

[mhellmeier]

I want to access docker containers only locally behind the csf firewall on a remote Ubuntu server. To test this, I login to the remote server with ssh admin@mydomain.com -L 8000:127.0.0.1:8000.

If I am starting my container with -p 8000:8000, the port 8000 is exposed to the whole world (I can access it in a browser with mydomain.com:8000, as expected, but not what I wanted). If I am starting the container with -p 127.0.0.1:8000:8000 I can't access it over mydomain.com:8000 (which is great), but in both cases calling localhost:8000 will result in an ERR_EMPTY_RESPONSE error in Chrome or curl: (52) Empty reply from server in the terminal from my local machine. Executing curl localhost:8000 directly on the server will result in curl: (56) Recv failure: Connection reset by peer. This means that the servers hosts system can't connect to the docker container when using 127.0.0.1.

Tried it with different containers and different ports. After disabling csf, it works without the errors so it must be related to a csf docker configuration problem.

[mhellmeier]

@juli3nk : Is there any plan or workaround to get rid of this problem?

[UtkuKaynak]

I have same exact issue, with the script, when docker is exposed 0.0.0.0, I can access from outside, but getting connection reset by peer while accessing through localhost. Limited docker to 127.0.0.1 and restarted csf, which prevented access from outside as expected but accessing through local host is still the same error, connection reset by peer @mhellmeier I know it was 5 years before, but were you able to find a solution to this problem?

[mhellmeier]

Since I changed my whole configuration with another reverse proxy, I can't tell you how to solve the problem anymore. Sorry.

In the past, the following tutorial worked pretty well:
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-config-server-firewall-csf-on-ubuntu

A good look at solving the issue. If you found the solution, it would be beneficial if you could share it here with the community.

[UtkuKaynak]

after I wrote the message, I did more digging and found a solution, which I dont like much. Trying to find a better solution but seems like there is no other way. Before explaining the solution, let me brief about the issues before I forget the whole story :).

Docker sets up its own rules everytime a container is started or stopped, some in filter table some in nat table, not all of them are in Docker specific chains which makes it pretty much impossible to find out which rules are set by docker. Also due to some conflict with default CSF rules (I couldnt find out exactly what), the containers are not accessible locally.

On top of this, when CSF restarts, it flushes all chains and sets them again based on its own configuration, which ofcourse removes all the rules set by docker also. And there is no way to execute a script before CSF flushes everything where we could get a backup of existing rules. So you also end up needing to restart docker after CSF is restarted.

So the solution is, in csfpost script, we need to restart docker service, and right after that add few additional rules. Also, in the docker compose scripts, we can add a post-start command (https://docs.docker.com/compose/how-tos/lifecycle/), where we can execute the same script to add those same additional rules, but this time without restarting docker service (otherwise it would end up in an infinite loop of docker and csf restarts :) )

I'll try to write a blog post once I finalize the script, its already working but need some clean up etc.