
I'm running a Raspberry Pi and I'm trying to get Pi-hole working. I'm running the container from Podman from a newly created pi-hole user (non root). I published the ports as follows:

- 127.0.0.1:5053:53/tcp
- 127.0.0.1:5053:53/udp
- 127.0.0.1:8080:80

The web dashboard (port 80 in the container) is available on the host on port 8080 and I set up access to it via Nginx; this is working perfectly already. I specifically make port 53 available via port 5053 on the host because the pi-hole user can't bind to sub-1024 ports (non-root). My plan is to configure ufw to forward packets from host port 53 to 127.0.0.1:5053, but I can't seem to get this setup working.

Currently I can resolve names from within the container and from the host using port 5053, but I get connection refused on the ufw-forwarded port:

# Working
> podman exec pi-hole nslookup pi-hole.net 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:    pi-hole.net
Address: 3.18.136.52

# Working
> nslookup -port=5053 pi-hole.net 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#5053

Non-authoritative answer:
Name:    pi-hole.net
Address: 3.18.136.52

# Not working
> nslookup pi-hole.net 127.0.0.1
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; no servers could be reached

I set up ufw following this guide. I also whitelisted the ports in ufw, see this output:

> sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
53/udp                     ALLOW       Anywhere
53/tcp                     ALLOW       Anywhere
5053                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
53/udp (v6)                ALLOW       Anywhere (v6)
53/tcp (v6)                ALLOW       Anywhere (v6)
5053 (v6)                  ALLOW       Anywhere (v6)

I set up the nat rule in /etc/ufw/before.rules like this:

...

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5053
-A PREROUTING -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:5053
COMMIT

...

I also tried the following things:

  1. I made sure net/ipv4/ip_forward=1 is present in /etc/ufw/sysctl.conf.
  2. I made sure net.ipv4.ip_forward=1 is present in /etc/sysctl.conf.
  3. I made sure DEFAULT_FORWARD_POLICY="ACCEPT" is present in /etc/default/ufw.
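One check worth having while debugging a forwarded DNS port is a probe that sends a single query to a chosen host:port and tells apart "answer", "refused" and "timeout". On a connected UDP socket, "refused" is an ICMP port unreachable: the packet reached the host and nothing was listening on that port, so no DNAT rewrote it. "timeout" means the packet was dropped (a filter rule) or never arrived. It matters where the probe runs from: packets the Pi generates itself (nslookup ... 127.0.0.1 on the host) traverse the nat OUTPUT chain, not PREROUTING, while packets arriving from the LAN traverse PREROUTING, so the two paths have to be tested separately, once on the Pi and once from another machine against the Pi's LAN address. The script below is an added example, not code from the question; the default name pi-hole.net and the host/port arguments are placeholders, and the test vectors are constructed by hand.

```python
import random
import socket
import struct
import sys
from typing import Optional


def build_query(name: str, txid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query for an A record of `name` (RD bit set, one question)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # ID, FLAGS (RD=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past the (possibly compressed) name starting at pos."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, and the name ends here
            return pos + 2
        pos += 1 + length


def parse_response(data: bytes) -> dict:
    """Extract the transaction ID, RCODE and any A-record addresses from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(data, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return {"txid": txid, "rcode": flags & 0x0F, "answers": addrs}


def probe(server: str, port: int, name: str = "pi-hole.net", timeout: float = 2.0) -> str:
    """Send one UDP query to server:port and classify what came back."""
    query = build_query(name)
    sent_txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() the UDP socket so an ICMP port-unreachable surfaces as an exception,
        # which is exactly what nslookup reports as "connection refused"
        s.connect((server, port))
        try:
            s.send(query)
            data = s.recv(4096)
        except ConnectionRefusedError:
            return "refused"   # reached the host, nothing listens on that port: DNAT did not apply
        except socket.timeout:
            return "timeout"   # dropped by a filter rule, or never reached the host
    resp = parse_response(data)
    if resp["txid"] != sent_txid:
        return "mismatch"      # reply to some other query; do not trust it
    return "answer rcode=%d addrs=%s" % (resp["rcode"], ",".join(resp["answers"]) or "-")


if __name__ == "__main__":
    # usage: python3 dnsprobe.py <host> <port>   e.g. 127.0.0.1 5053 on the Pi, <pi-lan-ip> 53 from a client
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 53
    print("%s:%d -> %s" % (host, port, probe(host, port)))
```

Run it three times: 127.0.0.1 5053 on the Pi (should answer), 127.0.0.1 53 on the Pi (exercises the nat OUTPUT chain), and the Pi's LAN address with port 53 from another host (exercises PREROUTING plus the ufw filter). A "refused" on the last one while 5053 answers locally narrows the problem to the DNAT rule itself rather than to Pi-hole.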

1 Answer


I never got this solution working directly, as I used workarounds and went through the following stages:

  1. I specifically used Nginx with a configuration to forward UDP traffic to port 5053.
  2. Later I switched to using Docker instead of Podman (using the same Nginx proxy).
  3. I switched from using the default network mode in Docker to using the host driver. I removed the Nginx proxy and used port 53 directly (allowed here since Docker containers by default run as a subprocess of the Docker daemon, which runs as root).
  4. In the end I decided to remove the pi-hole container altogether.

Answer

My theory of what went wrong has to do with me mixing Docker/Podman together with directly adding rules to UFW (which uses IPtables and Netfilter as far as I know). The problem is that both Podman and Docker also use Netfilter rules for managing the network traffic being forwarded between the host and containers.

I'm pretty sure the problems are caused by priority issues, etc. It's probably never a good idea to combine both for the network configuration on the host. Instead, reading up a bit more on all the different network drivers and options for Podman/Docker allows for more or less the same functionality (as indicated by step 3 above).
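The Nginx forward from step 1 is a stream (layer 4) proxy, not an http one. The fragment below is an added example of that configuration, not the answer's actual file; the timeouts are assumptions. The stream block goes at the top level of nginx.conf, next to (not inside) the http block, and needs the stream module (on Debian-based systems such as Raspberry Pi OS it is the libnginx-mod-stream package, loaded with a load_module line). The Nginx master process binds the listening sockets as root before handing work to the unprivileged workers, which is why it can take port 53 where the rootless pi-hole user cannot.

```nginx
# /etc/nginx/nginx.conf, top level (sibling of the http {} block)
load_module modules/ngx_stream_module.so;   # only if the module is not compiled in

stream {
    server {
        listen 53 udp;              # DNS over UDP
        listen 53;                  # DNS over TCP (truncated/large answers)
        proxy_pass 127.0.0.1:5053;  # the rootless Pi-hole container's published port
        proxy_timeout 5s;           # assumption: drop idle sessions quickly
        proxy_responses 1;          # one UDP reply per query, then free the session
    }
}
```

Check the syntax with nginx -t before reloading. One caveat that matters for Pi-hole specifically: the proxy opens a new connection to 127.0.0.1:5053 on the client's behalf, so every query arrives at Pi-hole with source 127.0.0.1 and the per-client statistics and any client-based group rules stop seeing the real LAN addresses. A DNAT rule, by contrast, preserves the original source address.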