
Docker blocks incoming connections


I have deployed a simple Flask server in a Docker container. The app accepts connections on port 7005 and I have exposed port 7005 on Docker. I can see that Docker is actively blocking connections, but I couldn't figure out the reason.

I have tried adding an ACCEPT rule to the DOCKER-USER chain for port 7005, changing the FORWARD policy to ACCEPT, and disabling ufw, but there is still no way to access the Flask app.

The Docker run log:

sudo docker run --gpus all -p 7005:7005 simplify:1.0

 * Serving Flask app 'app' (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on http://127.0.0.1:7005/ (Press CTRL+C to quit)

tshark packet capture:

sudo tshark  'tcp port 7005'
Running as user "root" and group "root". This could be dangerous.
Capturing on 'docker0'
    1 0.000000000   172.17.0.1 → 172.17.0.2   TCP 74 43230 → 7005 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=153584425 TSecr=0 WS=128
    2 0.000052241   172.17.0.2 → 172.17.0.1   TCP 54 7005 → 43230 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    3 0.003889881   172.17.0.1 → 172.17.0.2   TCP 74 43234 → 7005 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=153584429 TSecr=0 WS=128
    4 0.003934021   172.17.0.2 → 172.17.0.1   TCP 54 7005 → 43234 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
^C4 packets captured

iptables policies:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Solution

  • Running on http://127.0.0.1:7005/ (Press CTRL+C to quit)

    You've bound the server to localhost inside the container.

    You'll need to bind it to 0.0.0.0:7005 in the container so it can be published with -p.
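An added example (not from the answer's author) that reproduces the failure mode with plain sockets, no Flask needed: a listener bound to 127.0.0.1 refuses connections arriving at any other local address with a TCP RST, while one bound to 0.0.0.0 accepts them. It assumes Linux loopback semantics, where 127.0.0.2 is a constructed stand-in for "the address a client outside the container connects to".

```python
import socket
from contextlib import closing

# Constructed stand-in for "the address a client outside the container uses".
# On Linux the whole 127.0.0.0/8 block is local, so 127.0.0.2 is routable on
# this host but is not 127.0.0.1: a socket bound only to 127.0.0.1 refuses it
# with a TCP RST, which is what the tshark capture above shows on docker0.
OTHER_ADDR = "127.0.0.2"  # assumption: Linux loopback semantics

def listen_on(bind_host):
    """Open a listening socket on bind_host (ephemeral port), like app.run(host=bind_host).
    The kernel completes the TCP handshake for queued connections even before accept(),
    so a reachability probe needs no accept loop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

def reachable(addr, port):
    """True if a TCP connect to addr:port completes, False if refused (RST) or timed out."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as cli:
        cli.settimeout(2)
        try:
            cli.connect((addr, port))
            return True
        except (ConnectionRefusedError, ConnectionResetError, socket.timeout):
            return False

def probe(bind_host):
    """Report which client-side addresses can reach a server bound to bind_host."""
    srv, port = listen_on(bind_host)
    with closing(srv):
        return {
            "via_127.0.0.1": reachable("127.0.0.1", port),
            "via_other_addr": reachable(OTHER_ADDR, port),
        }

if __name__ == "__main__":
    # The container in the question: Flask's default host, only loopback can connect.
    print("bind 127.0.0.1 ->", probe("127.0.0.1"))
    # The fix from the answer: app.run(host="0.0.0.0", port=7005).
    print("bind 0.0.0.0   ->", probe("0.0.0.0"))
```

Binding to 0.0.0.0 inside the container does not by itself expose the service beyond what -p publishes; to keep the published port reachable only from the host itself, publish it as -p 127.0.0.1:7005:7005 instead of -p 7005:7005.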