
iptables are not forwarding any traffic to HAProxy


I've got the following problem:

My Router (FritzBox) is set to forward all incoming traffic (via exposed host) to my Server (192.168.0.1)

I have a HAProxy running on a lxc container (192.168.0.100) which is forwarding http traffic to some other lxc containers - this is working fine.

The problem is, when I run the following command (curl to my proxy) I get the right answer back:

curl --verbose --header 'Host: myrealdomain.tld' http://192.168.0.100


* Rebuilt URL to: http://192.168.0.100/
*   Trying 192.168.0.100...
* Connected to 192.168.0.100 (192.168.0.100) port 80 (#0)
> GET / HTTP/1.1
> Host: murdr.eu
> User-Agent: curl/7.47.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
<
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>

* Closing connection 0

But when running the same command (curl to my server which should forward the traffic to the Proxy) I can't connect, because the connection is refused:

curl --verbose --header 'Host: myrealdomain.tld' http://192.168.0.1


* Rebuilt URL to: http://192.168.0.1/
*   Trying 192.168.0.1...
* connect to 192.168.0.1 port 80 failed: Connection refused
* Failed to connect to 192.168.0.1 port 80: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 192.168.0.1 port 80: Connection refused

(myrealdomain.tld is replaced with my real domain, here I changed it for security reasons)

Here are my iptables (I've tested various things and flushed them often, but nothing was working).

  • I've cleared them now, better start fresh

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables -L -t nat

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

iptables -S (as asked by Luke Mlsna)

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

apache2 was running on my server, but I deleted it after setting up the proxy container and the iptables.

Here are the open ports (no port 80):

lsof -i -P -n


COMMAND    PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd-n  938 systemd-network   19u  IPv6  33240      0t0  UDP [fe80::f64d:30ff:fe66:8010]:546
systemd-r  980 systemd-resolve   12u  IPv4  22967      0t0  UDP 127.0.0.53:53
systemd-r  980 systemd-resolve   13u  IPv4  22968      0t0  TCP 127.0.0.53:53 (LISTEN)
nmbd      1108            root   15u  IPv4  22474      0t0  UDP *:137
nmbd      1108            root   16u  IPv4  22475      0t0  UDP *:138
nmbd      1108            root   17u  IPv4  38559      0t0  UDP 192.168.0.1:137
nmbd      1108            root   18u  IPv4  38560      0t0  UDP 192.168.1.255:137
nmbd      1108            root   19u  IPv4  38561      0t0  UDP 192.168.0.1:138
nmbd      1108            root   20u  IPv4  38562      0t0  UDP 192.168.1.255:138
sshd      1200            root    3u  IPv4  25135      0t0  TCP *:22 (LISTEN)
sshd      1200            root    4u  IPv6  25137      0t0  TCP *:22 (LISTEN)
lxd       1273            root   13u  IPv6  27850      0t0  TCP *:8443 (LISTEN)
mysqld    1501           mysql   39u  IPv4  27943      0t0  TCP 127.0.0.1:3306 (LISTEN)
smbd      3606            root   32u  IPv6  37803      0t0  TCP *:445 (LISTEN)
smbd      3606            root   33u  IPv6  37804      0t0  TCP *:139 (LISTEN)
smbd      3606            root   34u  IPv4  37805      0t0  TCP *:445 (LISTEN)
smbd      3606            root   35u  IPv4  37806      0t0  TCP *:139 (LISTEN)
sshd      6140            root    3u  IPv4  59450      0t0  TCP 192.168.0.1:22->192.168.0.43:62339 (ESTABLISHED)
sshd      6350         unicorn    3u  IPv4  59450      0t0  TCP 192.168.0.1:22->192.168.0.43:62339 (ESTABLISHED)
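As an added example (not part of the question or its answer): the NAT and filter rules the host at 192.168.0.1 would need to hand port 80 to the HAProxy container, and a check that reads `iptables -S -t nat` output and flags the missing DNAT rule. The host interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Prints (does not apply) the
# rules that make 192.168.0.1 forward TCP/80 to the HAProxy container at
# 192.168.0.100, and checks an `iptables -S -t nat` listing for such a rule.
# Interface name "eth0" is an assumption.

# Emit the forwarding rules for $port arriving on $iface, bound for $proxy_ip.
# Scoped to one interface and one port so the host forwards nothing else.
dnat_rules() {
    proxy_ip=$1; port=$2; iface=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $iface -p tcp --dport $port -j DNAT --to-destination $proxy_ip:$port
iptables -A FORWARD -i $iface -d $proxy_ip -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $iface -s $proxy_ip -p tcp --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -d $proxy_ip -p tcp --dport $port -j MASQUERADE
EOF
}
# The POSTROUTING MASQUERADE matters for the LAN test in the question: without it
# a client such as 192.168.0.43 gets its reply straight from 192.168.0.100, not
# from the 192.168.0.1 it connected to, and drops the reply.

# Read `iptables -S -t nat` output on stdin; exit 0 if a PREROUTING DNAT rule
# for TCP port $1 exists, 1 otherwise.
has_dnat_rule() {
    port=$1
    grep -Eq -- "^-A PREROUTING .*-p tcp .*--dport $port .*-j DNAT"
}

# Constructed input: the empty NAT table from the question as `-S` would print it.
POSTED_NAT_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT'

dnat_rules 192.168.0.100 80 eth0

if printf '%s\n' "$POSTED_NAT_RULES" | has_dnat_rule 80; then
    echo "DNAT rule for port 80 present"
else
    # Nothing listens on :80 on the host and nothing redirects it, so the
    # kernel answers with RST: the "Connection refused" seen in the question.
    echo "no DNAT rule for port 80: host will refuse the connection itself"
fi
```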

Solution

  • I'm sending my traffic now directly to HAProxy from my router, no server in between. Working like a charm!