I have a webserver on my MacBook in my home network behind a NAT, serving on port 80. I also have a publicly accessible server running Ubuntu, from which I want to access my local webserver, so I open a remote SSH tunnel:
ssh -fnNT -R 8080:localhost:80 remote-host
It works. On the remote machine, I can curl localhost:8080
and get the expected answer.
But when I try this from inside a docker container, for example:
docker run -it --add-host host.docker.internal:host-gateway ubuntu:latest /bin/bash
# curl -vvv host.docker.internal:8080
* connect to 172.17.0.1 port 8080 failed: Connection timed out
"Solutions" I found elsewhere, like using the --network host
docker option or having the tunnel listen on all interfaces (ssh -R 0.0.0.0:8080:localhost:80
) are not an option due to security concerns.
Accessing any other port on the host system from inside the container is not a problem, like curl host.docker.internal:80
results in a response from the hosts' Caddy server.
I tried to set a firewall rule iptables -I INPUT -i docker0 -j ACCEPT
(without really understanding what this does) but this changes nothing.
I tried making sure packet forwarding for IPv6 is enabled (net.ipv6.conf.all.forwarding=1
in /etc/sysctl.conf
) and also to have the tunnel only bind to the IPv4 address (using the -4
option), but no luck.
I tried to use the IP of the docker0
interface as a bind_address for the tunnel (ssh -R 172.17.0.1:8080:localhost:80
, having of course set GatewayPorts clientspecified
in sshd_config). I can then curl 172.17.0.1:8080
from the host system successfully, but still not from inside the container.
A possible complication is that I'm using ufw
on the server, allowing in only traffic on ports 80, 443 and my SSH port. When I sudo ufw disable
, the above curl requests terminates with Connection refused
instead of timed out
, which I found interesting.
I feel like I'm close. Maybe there is an iptables filter that I can set to make this work? I don't have any experience with iptables. How would a request from inside a container to a tunneled port on the hostsystem be classified, is it going in, or out? Any other ideas to debug this problem?