Closed F0xedb closed 4 years ago
heyho,
I recently had a similar issue. The problem was an overly restrictive firewall. It considered requests from docker containers as external incoming traffic and blocked them.
Do you have `ufw` or a similar firewall running?
Maybe you can share the output of the `iptables-save` command?
Hello,
Thanks for replying!
Yes, I do have `ufw` running.
```
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 ALLOW       Anywhere
16384:32768/udp            ALLOW       Anywhere
Turnserver                 ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
16384:32768/udp (v6)       ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
```
And the output of the requested `iptables-save` command:
$ sudo iptables-save
# Generated by iptables-save v1.6.0 on Fri Jul 31 09:11:03 2020
*nat
:PREROUTING ACCEPT [169238:9651113]
:INPUT ACCEPT [20732:790170]
:OUTPUT ACCEPT [196294:11840609]
:POSTROUTING ACCEPT [196454:11850241]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 10.7.7.0/24 ! -o br-ae69b3bcfc23 -j MASQUERADE
-A POSTROUTING -s 172.22.0.0/16 ! -o br-fb3eb9181d0e -j MASQUERADE
-A POSTROUTING -s 172.26.0.0/16 ! -o br-0a4efc3283d9 -j MASQUERADE
-A POSTROUTING -s 172.16.242.0/24 ! -o br-fabcd6fbaaea -j MASQUERADE
-A POSTROUTING -s 172.24.0.0/16 ! -o br-75549ff60419 -j MASQUERADE
-A POSTROUTING -s 172.16.240.0/24 ! -o br-7502b342cd31 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.48.0/20 ! -o br-5e21de32916c -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/20 ! -o br-10419e7066ad -j MASQUERADE
-A POSTROUTING -s 192.168.16.0/20 ! -o br-0d38d810a87b -j MASQUERADE
-A POSTROUTING -s 10.7.7.5/32 -d 10.7.7.5/32 -p tcp -m tcp --dport 6379 -j MASQUERADE
-A POSTROUTING -s 172.22.0.3/32 -d 172.22.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 10.7.7.10/32 -d 10.7.7.10/32 -p tcp -m tcp --dport 3008 -j MASQUERADE
-A DOCKER -i br-ae69b3bcfc23 -j RETURN
-A DOCKER -i br-fb3eb9181d0e -j RETURN
-A DOCKER -i br-0a4efc3283d9 -j RETURN
-A DOCKER -i br-fabcd6fbaaea -j RETURN
-A DOCKER -i br-75549ff60419 -j RETURN
-A DOCKER -i br-7502b342cd31 -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-5e21de32916c -j RETURN
-A DOCKER -i br-10419e7066ad -j RETURN
-A DOCKER -i br-0d38d810a87b -j RETURN
-A DOCKER -d 127.0.0.1/32 ! -i br-ae69b3bcfc23 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 10.7.7.5:6379
-A DOCKER -d 10.7.7.1/32 ! -i br-fb3eb9181d0e -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.22.0.3:80
-A DOCKER -d 127.0.0.1/32 ! -i br-ae69b3bcfc23 -p tcp -m tcp --dport 3008 -j DNAT --to-destination 10.7.7.10:3008
COMMIT
# Completed on Fri Jul 31 09:11:03 2020
# Generated by iptables-save v1.6.0 on Fri Jul 31 09:11:03 2020
*filter
:INPUT DROP [147872:8825622]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8:344]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-ae69b3bcfc23 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-ae69b3bcfc23 -j DOCKER
-A FORWARD -i br-ae69b3bcfc23 ! -o br-ae69b3bcfc23 -j ACCEPT
-A FORWARD -i br-ae69b3bcfc23 -o br-ae69b3bcfc23 -j ACCEPT
-A FORWARD -o br-fb3eb9181d0e -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-fb3eb9181d0e -j DOCKER
-A FORWARD -i br-fb3eb9181d0e ! -o br-fb3eb9181d0e -j ACCEPT
-A FORWARD -i br-fb3eb9181d0e -o br-fb3eb9181d0e -j ACCEPT
-A FORWARD -o br-0a4efc3283d9 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-0a4efc3283d9 -j DOCKER
-A FORWARD -i br-0a4efc3283d9 ! -o br-0a4efc3283d9 -j ACCEPT
-A FORWARD -i br-0a4efc3283d9 -o br-0a4efc3283d9 -j ACCEPT
-A FORWARD -o br-fabcd6fbaaea -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-fabcd6fbaaea -j DOCKER
-A FORWARD -i br-fabcd6fbaaea ! -o br-fabcd6fbaaea -j ACCEPT
-A FORWARD -i br-fabcd6fbaaea -o br-fabcd6fbaaea -j ACCEPT
-A FORWARD -i br-3891176bd50f -o br-3891176bd50f -j ACCEPT
-A FORWARD -o br-75549ff60419 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-75549ff60419 -j DOCKER
-A FORWARD -i br-75549ff60419 ! -o br-75549ff60419 -j ACCEPT
-A FORWARD -i br-75549ff60419 -o br-75549ff60419 -j ACCEPT
-A FORWARD -o br-7502b342cd31 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7502b342cd31 -j DOCKER
-A FORWARD -i br-7502b342cd31 ! -o br-7502b342cd31 -j ACCEPT
-A FORWARD -i br-7502b342cd31 -o br-7502b342cd31 -j ACCEPT
-A FORWARD -i br-7e92a10429c1 -o br-7e92a10429c1 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-5e21de32916c -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-5e21de32916c -j DOCKER
-A FORWARD -i br-5e21de32916c ! -o br-5e21de32916c -j ACCEPT
-A FORWARD -i br-5e21de32916c -o br-5e21de32916c -j ACCEPT
-A FORWARD -o br-10419e7066ad -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-10419e7066ad -j DOCKER
-A FORWARD -i br-10419e7066ad ! -o br-10419e7066ad -j ACCEPT
-A FORWARD -i br-10419e7066ad -o br-10419e7066ad -j ACCEPT
-A FORWARD -o br-0d38d810a87b -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-0d38d810a87b -j DOCKER
-A FORWARD -i br-0d38d810a87b ! -o br-0d38d810a87b -j ACCEPT
-A FORWARD -i br-0d38d810a87b -o br-0d38d810a87b -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -d 10.7.7.5/32 ! -i br-ae69b3bcfc23 -o br-ae69b3bcfc23 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.22.0.3/32 ! -i br-fb3eb9181d0e -o br-fb3eb9181d0e -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 10.7.7.10/32 ! -i br-ae69b3bcfc23 -o br-ae69b3bcfc23 -p tcp -m tcp --dport 3008 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-ae69b3bcfc23 ! -o br-ae69b3bcfc23 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-fb3eb9181d0e ! -o br-fb3eb9181d0e -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-0a4efc3283d9 ! -o br-0a4efc3283d9 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-fabcd6fbaaea ! -o br-fabcd6fbaaea -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 ! -s 172.16.243.0/24 -o br-3891176bd50f -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d 172.16.243.0/24 -i br-3891176bd50f -j DROP
-A DOCKER-ISOLATION-STAGE-1 -i br-75549ff60419 ! -o br-75549ff60419 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-7502b342cd31 ! -o br-7502b342cd31 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 ! -s 172.16.241.0/24 -o br-7e92a10429c1 -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d 172.16.241.0/24 -i br-7e92a10429c1 -j DROP
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-5e21de32916c ! -o br-5e21de32916c -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-10419e7066ad ! -o br-10419e7066ad -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-0d38d810a87b ! -o br-0d38d810a87b -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-ae69b3bcfc23 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-fb3eb9181d0e -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-0a4efc3283d9 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-fabcd6fbaaea -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-75549ff60419 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-7502b342cd31 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-5e21de32916c -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-10419e7066ad -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-0d38d810a87b -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 80,443 -m comment --comment "\'dapp_Nginx%20Full\'" -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 16384:32768 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 3478,3479,5349,5350,49152:65535 -m comment --comment "\'dapp_Turnserver\'" -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 3478,3479,5349,5350,49152:65535 -m comment --comment "\'dapp_Turnserver\'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
Thanks for the quick reply!
Does it work as soon as you disable ufw?
```
sudo ufw disable
```
If yes, then we've got the issue! :) Probably something like the following should fix it:
```
ufw allow from 10.7.7.0/24
```
```yaml
- name: Allow all local traffic
  ufw:
    rule: allow
    src: '{{ item }}'
  loop:
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
```
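The reply above fixes the problem by telling ufw to accept traffic from the Docker subnets. As an added example (not code from the thread or from the BigBlueButton project), the script below automates the check a practitioner would do before and after that change: it parses the text of `iptables-save`, extracts every subnet Docker masquerades (the `POSTROUTING ... ! -o <bridge> -j MASQUERADE` lines), collects the source networks that `ufw-user-input` already accepts, and prints the `ufw allow from` commands still missing. The embedded input is a constructed excerpt of the output posted above; the function and variable names are the example's own.

```python
"""Cross-check Docker bridge subnets against ufw 'allow from' rules.

Added example, not part of the issue thread or of BigBlueButton. It reads
an iptables-save dump (text) and reports which Docker subnets are not yet
covered by a ufw-user-input source rule.
"""
import ipaddress
import re

# Constructed excerpt of the iptables-save output posted in the thread.
IPTABLES_SAVE = """\
*nat
-A POSTROUTING -s 10.7.7.0/24 ! -o br-ae69b3bcfc23 -j MASQUERADE
-A POSTROUTING -s 172.22.0.0/16 ! -o br-fb3eb9181d0e -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.48.0/20 ! -o br-5e21de32916c -j MASQUERADE
-A POSTROUTING -s 10.7.7.5/32 -d 10.7.7.5/32 -p tcp -m tcp --dport 6379 -j MASQUERADE
COMMIT
*filter
-A ufw-user-input -p tcp -m multiport --dports 80,443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Docker's per-network masquerade rule: "-s <subnet> ! -o <bridge>".
# The per-container /32 hairpin rules carry "-d" and do not match.
MASQ_RE = re.compile(r"^-A POSTROUTING -s (\S+) ! -o (\S+) -j MASQUERADE$")
# A `ufw allow from X` rule shows up as "-A ufw-user-input -s X ... -j ACCEPT".
UFW_SRC_RE = re.compile(r"^-A ufw-user-input.*\s-s (\S+)\s.*-j ACCEPT$")


def docker_subnets(dump):
    """Map each Docker bridge interface to the subnet it masquerades."""
    found = {}
    for line in dump.splitlines():
        m = MASQ_RE.match(line.strip())
        if m:
            found[m.group(2)] = ipaddress.ip_network(m.group(1))
    return found


def ufw_allowed_sources(dump):
    """Source networks ufw already accepts on INPUT (rules with an explicit -s)."""
    allowed = []
    for line in dump.splitlines():
        m = UFW_SRC_RE.match(line.strip())
        if m:
            allowed.append(ipaddress.ip_network(m.group(1)))
    return allowed


def uncovered(subnets, allowed):
    """Docker subnets that no allowed source network fully contains."""
    return {iface: net for iface, net in subnets.items()
            if not any(net.subnet_of(a) for a in allowed)}


def missing_ufw_commands(dump, extra_allowed=()):
    """Return the `ufw allow from` commands still needed, sorted by subnet.

    extra_allowed lets you try a candidate rule set (e.g. the RFC1918
    ranges from the Ansible task above) before applying it to the host.
    """
    allowed = ufw_allowed_sources(dump)
    allowed += [ipaddress.ip_network(a) for a in extra_allowed]
    gaps = uncovered(docker_subnets(dump), allowed)
    return [f"ufw allow from {net}" for net in sorted(gaps.values())]


if __name__ == "__main__":
    # Typical use: sudo iptables-save > dump.txt; python3 check.py < dump.txt
    import sys
    dump = sys.stdin.read() if not sys.stdin.isatty() else IPTABLES_SAVE
    for iface, net in docker_subnets(dump).items():
        print(f"docker network {iface}: {net}")
    for cmd in missing_ufw_commands(dump):
        print("missing:", cmd)
```

The script emits one rule per actual Docker subnet rather than the three RFC1918 ranges used in the Ansible task. Both work, but `ufw allow from 10.0.0.0/8` opens every port on the host to any source in that range, which on a machine with a private LAN or VPC interface includes more than the containers; rules scoped to the subnets Docker actually created keep the allowance to what the fix needs, and re-running the check after `docker network create` shows when a new subnet needs a rule.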
Thanks this fixed everything!
I got issues with audio on Safari when running on EC2:
html5_1 | error: {"logCode":"sipjs_ice_failed_before","logDescription":"ICE connection failed before success","connectionId":"3pggh8KAoEBoTGQoo","extraInfo":{"callerIdName":"w_ti4ayjqaxejn_1-bbbID-Administrator","clientURL":"https://*/html5client/join?sessionToken=87lhg9irjiysmxeo","validUser":"valid"},"userInfo":{"sessionToken":"87lhg9irjiysmxeo","meetingId":"34d67b98e2731e0bb4804d556434458293ba31ef-1596875877030","requesterUserId":"w_ti4ayjqaxejn","fullname":"Administrator","confname":"Home Room","externUserID":"gl-nbncvlhnevir","uniqueClientSession":"87lhg9irjiysmxeo-zwer57r"}}
html5_1 | error: {"logCode":"sipjs_ice_failed_before","logDescription":"ICE connection failed before success","connectionId":"3pggh8KAoEBoTGQoo","extraInfo":{"callerIdName":"w_ti4ayjqaxejn_1-bbbID-Administrator","clientURL":"https://*/html5client/join?sessionToken=87lhg9irjiysmxeo","validUser":"valid"},"userInfo":{"sessionToken":"87lhg9irjiysmxeo","meetingId":"34d67b98e2731e0bb4804d556434458293ba31ef-1596875877030","requesterUserId":"w_ti4ayjqaxejn","fullname":"Administrator","confname":"Home Room","externUserID":"gl-nbncvlhnevir","uniqueClientSession":"87lhg9irjiysmxeo-zwer57r"}}
But it is working on Chrome!
I disabled ufw:
```
$ sudo ufw status
Status: inactive
```
And all TCP and UDP ports are open.
When following the documentation I was successful in setting up a BigBlueButton instance. However, during testing, I noticed some issues. I was unable to join a room with audio; BigBlueButton kept running the "Connecting to echo test" phase (I do hear myself speak). When I select the option to only listen, I am able to join a room. However, in this scenario, I can only do things with the presentation and chat. Screen, audio and webcam are not working. I did some debugging but was unable to resolve the issue. I noticed some errors in the docker logs.
It looks like `webrtc-sfu` is unable to connect to FreeSwitch, and there is another issue with `bbb-fsesl-akka`.
If I curl this IP (10.7.7.1:8082) manually from the host I get the following response, so something is running on that port.
Looking at the output of `compose ps`, everything seems normal. As for the browser side of things, BBB gives the following error message when trying to stream a video.
And in the console
As for the echo test, the console gives the following output
It seems the audio can connect to the WebSocket after it failed (this keeps happening in a loop).
I am lost as to why these things are happening and I'm hoping you know what has been configured wrongly.
Thanks for reading this ❤️