no communication between docker containers #105

Open
arenevier opened this issue Aug 1, 2023 · 8 comments

@arenevier

Hi,

I have ufw installed with no extra configuration. I tried to follow the instructions. According to https://github.com/chaifeng/ufw-docker/#how-it-works,

> The following rules allow the private networks to be able to visit each other

my understanding is that docker containers should be able to communicate with each other.

I have dockerA which contains a reverse proxy to another service running in dockerB. When dockerA tries to connect to dockerB, the connection is blocked.

Logs show:

[UFW BLOCK] IN=br-d3c6d78ed61b OUT= PHYSIN=veth0728c11 MAC=02:42:54:5b:9b:aa:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=172.17.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44854 DF PROTO=TCP SPT=40668 DPT=3040 WINDOW=64240 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=br-d3c6d78ed61b OUT= PHYSIN=veth0728c11 MAC=02:42:54:5b:9b:aa:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=172.17.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44855 DF PROTO=TCP SPT=40668 DPT=3040 WINDOW=64240 RES=0x00 SYN URGP=0
@chaifeng
Owner

chaifeng commented Aug 2, 2023

Could you use Vagrantfile to reproduce this issue? Post your patch here.

@arenevier
Author

Here is the output of vagrant up for me.

output.txt

@chaifeng
Owner

chaifeng commented Aug 4, 2023

> Here is the output of vagrant up for me.
>
> output.txt

It seems okay.

You can run command vagrant ssh master to log into the master node.

Inside the master node, find the IP Address of container public_webapp first. Run command docker inspect public_webapp | grep IPAddress, for example it's 172.17.0.3

Use command docker exec -it local_webapp /bin/sh to log into the local_webapp container.

Inside local_webapp container, run the following commands:

  • apk update
  • apk add curl
  • curl -v http://172.17.0.3, we can see the output starts with public_webapp, if we can access public_webapp from inside local_webapp

You can modify Vagrantfile to reproduce your problem, after line 186.

@arenevier
Author

yes. Curl seems to be working fine inside local_webapp.

I'm not sure what you mean by "You can modify Vagrantfile to reproduce your problem".

Just to be clear: in my case, I don't want dockerB to be fully public (open to the external world). Just to be accessible from the other dockers.

* processing: http://172.17.0.3
*   Trying 172.17.0.3:80...
* Connected to 172.17.0.3 (172.17.0.3) port 80
> GET / HTTP/1.1
> Host: 172.17.0.3
> User-Agent: curl/8.2.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 04 Aug 2023 19:09:18 GMT
< Server: Apache/2.4.57 (Unix)
< Last-Modified: Fri, 04 Aug 2023 18:58:52 GMT
< ETag: "1b-6021d7cd8ed2f"
< Accept-Ranges: bytes
< Content-Length: 27
< Content-Type: text/html
< 
public_webapp a85f2b93d9f2
* Connection #0 to host 172.17.0.3 left intact

@chaifeng
Owner

chaifeng commented Aug 5, 2023

If you can use Vagrantfile to reproduce your issue, then I can also find the problem inside the VM by just using command vagrant up and logging into the VM.

In the current Vagrant VM, we can also access local_webapp from inside public_webapp. You can give it a try.

@arenevier
Author

Nevermind. Actually, I am connecting from one docker to the other via the host gateway, and not directly.

I was able to allow those connections with ufw allow from 172.16.0.0/12 proto tcp to 172.17.0.1

Thank you for the help and pointers, and sorry for the confusion.

Feel free to close the issue.

@chaifeng
Owner

chaifeng commented Aug 7, 2023

You're welcome

@tylercollier

Thanks @arenevier! How else could containers talk to the host? Glad I came across your answer.
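
An added example (not part of the issue thread and not ufw-docker's own code): a small parser for UFW BLOCK lines like the ones quoted in the issue. It separates container-to-host traffic (empty OUT=, so the packet is addressed to the host itself, here the bridge gateway 172.17.0.1) from traffic forwarded between bridges. The function names, the trimmed sample lines, and the port-scoped rule it builds (narrower than the rule posted in the thread) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the log line from the issue, trimmed to the fields used here.
SAMPLE_LOG = (
    "[UFW BLOCK] IN=br-d3c6d78ed61b OUT= PHYSIN=veth0728c11 "
    "SRC=172.18.0.2 DST=172.17.0.1 LEN=60 PROTO=TCP SPT=40668 DPT=3040 SYN URGP=0"
)
# Constructed counter-example: a forwarded packet has both IN= and OUT= set.
SAMPLE_FORWARD = (
    "[UFW BLOCK] IN=br-d3c6d78ed61b OUT=docker0 "
    "SRC=172.18.0.2 DST=172.17.0.3 LEN=60 PROTO=TCP SPT=40670 DPT=80 SYN URGP=0"
)

DOCKER_POOL = ipaddress.ip_network("172.16.0.0/12")  # source range used in the thread's rule
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_ufw_line(line):
    """Return the KEY=value fields of a UFW BLOCK log line, or None for other lines."""
    if "[UFW BLOCK]" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def classify(fields):
    """Empty OUT= means the packet targets the host itself; otherwise it is being forwarded."""
    from_container = ipaddress.ip_address(fields["SRC"]) in DOCKER_POOL
    if fields.get("OUT", "") == "":
        return "container-to-host" if from_container else "external-to-host"
    return "container-forward" if from_container else "external-forward"


def suggest_rule(fields):
    """For a blocked container-to-host packet, build an allow rule limited to that port."""
    if classify(fields) != "container-to-host" or "DPT" not in fields:
        return None  # forwarded traffic, or a protocol without ports
    return "ufw allow proto {} from {} to {} port {}".format(
        fields["PROTO"].lower(), DOCKER_POOL, fields["DST"], fields["DPT"])


if __name__ == "__main__":
    for line in (SAMPLE_LOG, SAMPLE_FORWARD):
        fields = parse_ufw_line(line)
        print(classify(fields), "->", suggest_rule(fields))
```
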
