chaifeng / ufw-docker

To fix the Docker and UFW security flaw without disabling iptables
GNU General Public License v3.0

no communication between docker containers #105

Open arenevier opened 1 year ago

arenevier commented 1 year ago

Hi,

I have ufw installed with no extra configuration. I tried to follow the instructions. According to https://github.com/chaifeng/ufw-docker/#how-it-works,

The following rules allow the private networks to be able to visit each other

my understanding is that docker containers should be able to communicate with access each other.

I have dockerA which contains a reverse proxy from to another service running in dockerB. When dockerA tries to connect to dockerB, the connection is blocked.

Logs show:

[UFW BLOCK] IN=br-d3c6d78ed61b OUT= PHYSIN=veth0728c11 MAC=02:42:54:5b:9b:aa:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=172.17.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44854 DF PROTO=TCP SPT=40668 DPT=3040 WINDOW=64240 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=br-d3c6d78ed61b OUT= PHYSIN=veth0728c11 MAC=02:42:54:5b:9b:aa:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=172.17.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44855 DF PROTO=TCP SPT=40668 DPT=3040 WINDOW=64240 RES=0x00 SYN URGP=0
chaifeng commented 1 year ago

Could you use Vagrantfile to reproduce this issue? Post your patch here.

arenevier commented 1 year ago

Here is the output of vagrant up for me.

output.txt

chaifeng commented 1 year ago

> Here is the output of vagrant up for me.
>
> output.txt

It seems okay.

You can run command vagrant ssh master log into the master node.

Inside the master node, find the IP Address of container public_webapp first. Run command docker inspect public_webapp | grep IPAddress, for example it's 172.17.0.3

Use command docker exec -it local_webapp /bin/sh to log into the local_webapp container.

Inside local_webapp container, run the following command:

You can modify Vagrantfile to reproduce your problem, after line 186.

arenevier commented 1 year ago

Yes. Curl seems to be working fine inside local_webapp.

I'm not sure what you mean by "You can modify Vagrantfile to reproduce your problem."

Just to be clear: in my case, I don't want dockerB to be fully public (open to the external world). Just to be accessible from the other dockers.

* processing: http://172.17.0.3
*   Trying 172.17.0.3:80...
* Connected to 172.17.0.3 (172.17.0.3) port 80
> GET / HTTP/1.1
> Host: 172.17.0.3
> User-Agent: curl/8.2.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 04 Aug 2023 19:09:18 GMT
< Server: Apache/2.4.57 (Unix)
< Last-Modified: Fri, 04 Aug 2023 18:58:52 GMT
< ETag: "1b-6021d7cd8ed2f"
< Accept-Ranges: bytes
< Content-Length: 27
< Content-Type: text/html
< 
public_webapp a85f2b93d9f2
* Connection #0 to host 172.17.0.3 left intact
chaifeng commented 1 year ago

If you can use Vagrantfile to reproduce your issue, then I can also find the problem inside the VM by just using command vagrant up and logging into the VM.

In the current Vagrant VM, we can also access local_webapp from inside public_webapp. You can give it a try.

arenevier commented 1 year ago

Never mind. Actually, I am connecting from one docker to the other via the host gateway, and not directly.

I was able to allow those connections with ufw allow from 172.16.0.0/12 proto tcp to 172.17.0.1

Thank you for the help and pointers, and sorry for the confusion.

Feel free to close the issue.

chaifeng commented 1 year ago

You're welcome

tylercollier commented 6 months ago

Thanks @arenevier! How else could containers talk to the host? Glad I came across your answer.

sharifzadesina commented 3 months ago

I also had this problem: you can't send a request from a container to another container inside the same host.

ufw allow from 172.16.0.0/12: this fixed it for me.

Can we add this to the installer?!
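An added example (not code from ufw-docker or from anyone in this thread) that ties the two halves of the discussion together: it parses [UFW BLOCK] lines like the ones posted at the top, tells container-to-host-gateway blocks apart from container-to-container and unrelated blocks, and for the gateway-bound ones derives an allow rule in the same shape as the one that resolved the issue. The rule it emits goes one step further than the thread's `ufw allow from 172.16.0.0/12 proto tcp to 172.17.0.1` by also pinning the observed destination port, so that a broad `ufw allow from 172.16.0.0/12` (every host port, from every container) can be compared against the narrowest rule the logs actually justify. The set of bridge gateway addresses is an assumption that a real deployment would take from `docker network inspect`; the third log line is constructed to show a non-Docker block.

```python
"""Classify [UFW BLOCK] entries for Docker bridge traffic and derive the narrowest ufw allow rule."""
import ipaddress
import re
from collections import Counter

# Constructed sample log, modelled on the entries posted in the issue (first two lines)
# plus one unrelated block from a public interface (third line, made up for contrast).
SAMPLE_LOG = """\
[UFW BLOCK] IN=br-d3c6d78ed61b OUT= PHYSIN=veth0728c11 MAC=02:42:54:5b:9b:aa:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=172.17.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44854 DF PROTO=TCP SPT=40668 DPT=3040 WINDOW=64240 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=br-d3c6d78ed61b OUT= PHYSIN=veth0728c11 MAC=02:42:54:5b:9b:aa:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=172.17.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44855 DF PROTO=TCP SPT=40668 DPT=3040 WINDOW=64240 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# The source range used in the thread's ufw rule: Docker's default address pool.
DOCKER_POOL = ipaddress.ip_network("172.16.0.0/12")

# Tokens with an '=' become fields; bare flags such as DF or SYN are skipped.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_ufw_block(line):
    """Return the key=value fields of a [UFW BLOCK] line as a dict, or None for other lines."""
    if "[UFW BLOCK]" not in line:
        return None
    return dict(KV_RE.findall(line))


def classify(fields, bridge_gateways):
    """Label a blocked packet by its source and destination.

    bridge_gateways: host-side addresses of the Docker bridges (assumption: taken from
    `docker network inspect`; in the thread the default bridge gateway is 172.17.0.1).
    """
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    on_bridge = fields.get("IN", "").startswith(("br-", "docker"))
    if on_bridge and src in DOCKER_POOL:
        if str(dst) in bridge_gateways:
            return "container-to-host-gateway"   # the case arenevier hit
        if dst in DOCKER_POOL:
            return "container-to-container"
        return "container-egress"
    return "other"


def suggest_rule(fields):
    """Narrowest ufw rule that admits this packet: pool as source, observed proto, host address and port.

    Compare with the broad `ufw allow from 172.16.0.0/12`, which opens every host port to every container.
    """
    proto = fields["PROTO"].lower()
    return f"ufw allow from {DOCKER_POOL} proto {proto} to {fields['DST']} port {fields['DPT']}"


def analyze(log_text, bridge_gateways=frozenset({"172.17.0.1"})):
    """Return (Counter of classes, sorted list of suggested rules for gateway-bound blocks)."""
    classes = Counter()
    rules = set()
    for line in log_text.splitlines():
        fields = parse_ufw_block(line)
        if fields is None:
            continue
        label = classify(fields, bridge_gateways)
        classes[label] += 1
        if label == "container-to-host-gateway":
            rules.add(suggest_rule(fields))
    return classes, sorted(rules)


if __name__ == "__main__":
    counts, rules = analyze(SAMPLE_LOG)
    for label, n in counts.items():
        print(f"{n:4d}  {label}")
    for rule in rules:
        print("suggested:", rule)
```

Feed it `journalctl -k` or /var/log/ufw.log output to see which blocks are really container-to-gateway traffic before opening anything; each distinct (proto, gateway, port) tuple yields one rule, so the list stays as short as the services the containers actually reach on the host.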