5

I need to xdebug something that fails on the server in a docker container and from my laptop I have run ssh -R 9000:localhost:9000 server and verified the tunnel by telnet localhost 9000. So far so good, I got a connection.

Now, on the server I did

iptables -t nat -I PREROUTING -p tcp -d 172.17.42.1 --dport 9000 -j DNAT --to 127.0.0.1:9000 

Finally I have committed the problematic docker instance and ran

docker run --net=host -t -i snapshot /bin/bash

Inside the container telnet 172.17.42.1 9000 refuses connection.

2 Answers

3

I ran into this same issue, except I had two containers wired together with --link, so --net=host won't work for that situation.

When doing an ssh port forward to the remote host using ssh -R 9000:localhost:9000 server, an lsof -P -i -n may show that the port is bound to the server's loopback device, which looks like this:

sshd 39172 ubuntu 9u IPv4 2941407 0t0 TCP ::1:9000 (LISTEN)

That loopback interface is not available to the network inside of the docker container. I remedied this by adding GatewayPorts yes to the sshd_config file on the server and restarting sshd.

The forwarded port 9000 is then bound to the normal interface and available from inside the docker container (and from any other host, for that matter).

Mixologic
  • 166
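As an added example that is not part of either answer: a small POSIX shell script that checks where a listening socket is bound and whether a container on the Docker bridge can reach it, and prints the narrower `ssh -R` form that binds only on the bridge address instead of on every interface. It assumes the bridge address 172.17.42.1 from the question; the `ss -ltn` sample lines are constructed, not captured from the server, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): classify where a listening
# TCP socket is bound, so you can tell whether a port forwarded with
# `ssh -R` is reachable from a Docker bridge before debugging further.

# bind_scope ADDR:PORT -> prints loopback | any | specific
# Accepts both lsof style (::1:9000) and ss style ([::1]:9000) addresses.
bind_scope() {
    addr=${1%:*}                       # strip the trailing :port
    case "$addr" in
        127.*|::1|'[::1]')       echo loopback ;;
        0.0.0.0|'*'|::|'[::]')   echo any ;;
        *)                       echo specific ;;
    esac
}

# reachable_from_bridge ADDR:PORT BRIDGE_IP -> exit 0 if a container on
# the bridge can connect to the socket, 1 otherwise.
reachable_from_bridge() {
    case "$(bind_scope "$1")" in
        any)      return 0 ;;
        specific) [ "${1%:*}" = "$2" ] ;;
        *)        return 1 ;;
    esac
}

# ssh_reverse_cmd BIND_IP PORT SERVER -> the ssh -R form that binds only
# on BIND_IP. The server needs `GatewayPorts clientspecified` in
# sshd_config for this; `GatewayPorts yes` binds on every interface.
ssh_reverse_cmd() {
    echo "ssh -R $1:$2:localhost:$2 $3"
}

# audit_port PORT BRIDGE_IP: read `ss -ltn` output on stdin and print a
# verdict for every LISTEN line on PORT.
audit_port() {
    port=$1; bridge=$2
    awk -v p=":$port" '$1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p { print $4 }' |
    while read -r sock; do
        if reachable_from_bridge "$sock" "$bridge"; then
            echo "$sock reachable from $bridge"
        else
            echo "$sock not reachable from $bridge (bound to $(bind_scope "$sock"))"
        fi
    done
}

# Constructed sample in the style of `ss -ltn` (assumed, not captured from
# the question's server): the same port bound four different ways.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    [::1]:9000         [::]:*
LISTEN 0      128    127.0.0.1:9000     0.0.0.0:*
LISTEN 0      128    *:9000             *:*
LISTEN 0      128    172.17.42.1:9000   0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | audit_port 9000 172.17.42.1
ssh_reverse_cmd 172.17.42.1 9000 server
```

Run it against live output with `ss -ltn | audit_port 9000 172.17.42.1` after reconnecting the tunnel. Only the last two sample sockets are reachable from the bridge: the `[::1]` and `127.0.0.1` bindings are what `ssh -R` produces by default, `*:9000` is what `GatewayPorts yes` produces and is reachable from any host that can reach the server, and `172.17.42.1:9000` is the `GatewayPorts clientspecified` form, which exposes the debugger port only to containers on the bridge.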
0

@barlop's comment has proven very helpful. I have deleted the iptables rule, then I tried to run nc -l -p 1234 and then nc -l 127.0.0.1 -p 1234, and then in the container I tried telnet localhost 1234 and it worked. So I tried telnet localhost 9000 and it also worked! I think it didn't before, but it seems it does now. So: no need for any iptables rules, it just works with --net=host. However, lsof -i :9000 still doesn't display anything, and it's possible I only tested with that before.

Edit: netstat -anl |grep :9000 in the container shows the open port as LISTEN. lsof does not. Weird.