Forwarding Docker container port from 8002 to 443 not working


You should not change the internally running container port without rebuilding the Docker image. The EXPOSE command at the Dockerfile level is responsible for exposing the container's port. You can inspect exposed container ports with the command:

docker inspect <image-name>

As the documentation says, the WebLogic server runs on TCP/8002 by default. So, assuming you want your container to be accessible on 443, you need to type:

docker run -d -p 443:8002 weblogic

It just NATs TCP/443 (at the host level) -> TCP/8002 (at the container namespace level). You can see that in iptables as well:

iptables -t nat -L

It will be visible with:

docker ps 

You will see the following text: 0.0.0.0:443->127.0.0.1:8002

Next step: you need to add a firewall rule (iptables specifically) to allow traffic on TCP/443.

So:

iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

With that you configure your system's firewall to allow traffic to TCP/443.

One more thing is missing. You need to configure the security group associated with the EC2 instance to allow connections to TCP/443.

Remember that such a deployment cannot be treated as production ready. It lacks many things, from security and certificate management to service auto-restarting.
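Because `iptables -A` appends to the end of a chain, an ACCEPT appended behind an unconditional REJECT (like the last INPUT rule in the ruleset posted in the question) never sees any traffic. This added check script is not part of the original answer or question; it runs over a constructed copy of that ruleset, reports whether the tcp/443 ACCEPT is reachable, and computes the position an `iptables -I INPUT N` would need. Function names are my own.

```shell
#!/bin/sh
# Added example: checks whether an ACCEPT for a TCP port in the INPUT chain
# is reachable, i.e. not placed after an unconditional REJECT/DROP.

# Constructed sample of `iptables -S INPUT` output, modelled on the ruleset
# posted in the question, after appending the 443 ACCEPT rule with -A.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 443 -j ACCEPT'

# accept_rule_reachable RULES PORT
# Prints "reachable", "shadowed" (an unconditional REJECT/DROP precedes the
# ACCEPT) or "missing" (no ACCEPT for tcp/PORT in INPUT at all).
accept_rule_reachable() {
  printf '%s\n' "$1" | awk -v port="$2" '
    /^-A INPUT/ {
      n++
      if ($0 ~ ("--dport " port "( |$)") && $0 ~ /-j ACCEPT/ && !accept) accept = n
      # a rule with no match criteria that rejects or drops ends the walk
      if ($0 ~ /^-A INPUT -j (REJECT|DROP)/ && !deny) deny = n
    }
    END {
      if (!accept) print "missing"
      else if (deny && deny < accept) print "shadowed"
      else print "reachable"
    }'
}

# deny_rule_index RULES
# 1-based position of the first unconditional REJECT/DROP in INPUT (empty if
# none): the position to pass to `iptables -I INPUT N ...` so a new ACCEPT
# lands in front of it instead of being appended behind it by -A.
deny_rule_index() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT/ { n++; if ($0 ~ /^-A INPUT -j (REJECT|DROP)/) { print n; exit } }'
}

# Demo on the constructed sample: prints "shadowed" and then 5, so the fix
# would be: iptables -I INPUT 5 -p tcp --dport 443 -j ACCEPT
accept_rule_reachable "$SAMPLE_RULES" 443
deny_rule_index "$SAMPLE_RULES"
```

On a live host, feed it `iptables -S INPUT` output instead of the constructed sample.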

Author: Greg

Updated on September 18, 2022

Comments

  • Greg
    Greg over 1 year

    I am not really familiar with iptables and all the nuances of the different rules. I am in the process of learning but I need this expedited which is why I'm asking here.

    I am running a WebLogic container inside Docker on an AWS EC2 instance. The container is running using docker run -d -p 8002:8002 weblogic. I didn't build the image so there are some things that must stay. I need the WebLogic server to be accessible from the outside on port 443 due to network restrictions, even though it is built to be accessed through port 8002.

    I've tried various iptables rules but none of them are successfully forwarding. The container is still accessible on 8002 even with the rules forwarding 8002 -> 443 in place.

    Running RHEL 7.3 and the Dockerfile is built for iptables, not firewalld. Some of this stuff I have no control over so I have to work with what I have.

    One of the iptables commands I tried was:

    iptables -t nat -A OUTPUT -p tcp --dport 8002 -j DNAT --to-destination 127.0.0.1:443
    

    Note: I do know to run service iptables save. I can verify the rules exist using iptables -S.

    EDIT: Here are my iptables rules currently

    -P INPUT ACCEPT  
    -P FORWARD ACCEPT  
    -P OUTPUT ACCEPT  
    -N DOCKER  
    -N DOCKER-ISOLATION  
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  
    -A INPUT -p icmp -j ACCEPT  
    -A INPUT -i lo -j ACCEPT  
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT  
    -A INPUT -j REJECT --reject-with icmp-host-prohibited  
    -A FORWARD -j DOCKER-ISOLATION  
    -A FORWARD -o docker0 -j DOCKER  
    -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT  
    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT  
    -A FORWARD -i docker0 -o docker0 -j ACCEPT  
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited  
    -A FORWARD -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT  
    -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8002 -j  ACCEPT  
    -A DOCKER-ISOLATION -j RETURN
    
  • Greg
    Greg over 6 years
    Need to test in production environment but seems to work. Thank you very much.
  • Admin
    Admin over 6 years
    @Greg Look at my edit please. You cannot treat this deployment as production ready.