hassio-addons / addon-grafana

Grafana - Home Assistant Community Add-ons
https://addons.community
MIT License

Unable to activate direct access to addon #64

Closed spetrenko closed 4 years ago

spetrenko commented 4 years ago

Problem/Motivation

I just tried to avoid the problem with the HTTP 401 response while accessing graphs via ingress.

Expected behavior

Addon is running and I am able to access it using ingress and the preliminarily specified port (3000) as well.

Actual behavior

Addon is not started at all, and I see the following error in the logs:

20-02-13 14:28:48 ERROR (SyncWorker_4) [hassio.docker] Can't start addon_a0d7b954_grafana: 500 Server Error: Internal Server Error ("driver failed programming external connectivity on endpoint addon_a0d7b954_grafana (aff17550576f96d77082849df45add5c8e09e9cfa5323157167409a5578f2bb0): (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 3000 -j DNAT --to-destination 172.30.33.1:80 ! -i hassio: iptables: No chain/target/match by that name. (exit status 1))")

Steps to reproduce

Just set a custom port and restart the addon.

Software revision

Docker: 19.03.5
Home Assistant: 0.105.3
Grafana: 4.1.0

addons-assistant[bot] commented 4 years ago

:wave: Thanks for opening your first issue here! If you're reporting a :bug: bug, please make sure you include steps to reproduce it. Also, logs, error messages and information about your hardware might be useful.

sinclairpaul commented 4 years ago

What Operating System do you run?

spetrenko commented 4 years ago

```
sergiy@home:~$ uname -a
Linux home 5.4.0-2-amd64 #1 SMP Debian 5.4.8-1 (2020-01-05) x86_64 GNU/Linux
sergiy@home:~$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux bullseye/sid"
NAME="Debian GNU/Linux"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
```

sinclairpaul commented 4 years ago

The issue is Docker failing to specify the port, it isn't an issue with the addon itself but with Docker and iptables.

frenck commented 4 years ago

> hassio: iptables: No chain/target/match by that name.

That sounds really bad, do you have custom firewall rules or something that manages your iptables?

If so, that would collide with the Supervisor.

spetrenko commented 4 years ago

Well, yes, I have custom rules, since the server is a gateway and I need to protect my external interface (enp5s0). Here they are:

```
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o enp5s0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp5s0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i enp5s0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i enp5s0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i enp5s0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -i enp5s0 -p tcp -m tcp --dport 8112 -j ACCEPT
-A INPUT -i enp5s0 -p tcp -m tcp --dport 8123 -j ACCEPT
-A INPUT -i enp5s0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A INPUT -i enp5s0 -p tcp -m tcp --dport 50000:50100 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp5s0 -j DROP
COMMIT
```

spetrenko commented 4 years ago

> The issue is Docker failing to specify the port, it isn't an issue with the addon itself but with Docker and iptables.

Thank you for the swift support. I will try to figure out what that might be.

frenck commented 4 years ago

Well, I understand, but it seems like you've dropped the hassio chain in the process...

spetrenko commented 4 years ago

> Well, I understand, but it seems like you've dropped the hassio chain in the process...

It seems so..... Thank you!

addons-assistant[bot] commented 4 years ago

This thread has been automatically locked because it has not had recent activity. Please open a new issue for related bugs and link to relevant comments in this thread.
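
An added example, not part of the thread or of the add-on's code: the failing command in the log appends to the `DOCKER` chain of the `nat` table, and the posted `*nat` section declares only the four built-in chains. Assuming the rules are loaded with `iptables-restore` in its default flushing mode, the function below (the name `missing_chains` and the sample file are constructed here) checks a rules file for chains it would not bring back.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: missing_chains TABLE FILE CHAIN...
# Prints each CHAIN that FILE (iptables-save format) does not declare in its
# "*TABLE" section. Prints nothing when all are declared, or when FILE has no
# "*TABLE" section at all (a restore does not touch a table it does not name).
missing_chains() {
    table=$1; file=$2; shift 2
    awk -v table="$table" -v want="$*" '
        /^\*/     { cur = substr($1, 2); if (cur == table) seen = 1; next }
        /^COMMIT/ { cur = ""; next }
        /^:/      { if (cur == table) declared[substr($1, 2)] = 1 }
        END {
            if (!seen) exit
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) if (!(w[i] in declared)) print w[i]
        }
    ' "$file"
}

# Constructed sample: the nat section as posted in the thread.
sample_rules=$(mktemp)
cat > "$sample_rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o enp5s0 -j MASQUERADE
COMMIT
EOF

# The command that failed in the log was "iptables -t nat -A DOCKER ...".
missing=$(missing_chains nat "$sample_rules" DOCKER)
[ -z "$missing" ] || echo "nat section of $sample_rules does not declare: $missing"
```

A non-empty result means a flushing restore of that file leaves the table without the listed chain; `iptables-restore --noflush` keeps the existing contents of the table instead.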