It's my first post here, let's hope I'll do OK!
I'm migrating to a new VPS, and it runs on CentOS Linux release 7.9.2009 (Core), and unfortunately the host won't allow me to change to a distro that I'm more familiar with, like Debian, without losing the license for cPanel/WHM provided by them.
I'm not a DevOps guy, I'm a frontend developer, so I don't have a lot of knowledge and experience on this, and I simply wanted to install Docker and run a few containers.
The problem is that all the containers are unable to resolve any DNS. They ping any IP just fine, but whatever domain I try just gives me a "Bad Address".
On the host side, everything works just fine, and the resolv.conf created in the containers is exactly the same as the host's original file:
search hostgator_br.com
nameserver 8.8.8.8
nameserver 8.8.4.4
If I run the containers with --network host, the DNS works.
I already tried a few things that I found while researching this, like looking for firewall definitions (firewall-cmd isn't even installed), and trying to force different DNS settings in daemon.json, but the problem seems to be related to something else, like the Docker bridge interface created (docker0).
I really have no idea what else I should try, and I've already lost an entire day on this without any kind of progress =/
Please, help this newbie achieve this somewhat simple goal.
UPDATE
If I disable iptables, everything works perfectly, so it's probably some rule preventing DNS resolution, but I have no idea what rule it is, or how to fix it.
This is the result of iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- bl16-114-196.dsl.telepac.pt anywhere
ACCEPT all -- wz.hostgator.com.br anywhere /* allow Wizard/Eigsh */
ACCEPT all -- financeiro.hostgator.com.br anywhere /* allow Painel */
ACCEPT all -- anywhere anywhere /* Inbound Allow lo */
ACCEPT tcp -- anywhere anywhere tcp dpts:ndmps:65534
tcpchk tcp -- anywhere anywhere
udpchk udp -- anywhere anywhere
input_custom all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: up to 2/sec burst 10 mode srcip
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 5/min burst 5 LOG level error prefix "ICMP_DROP "
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp port-unreachable
ACCEPT icmp -- anywhere anywhere icmp host-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmptype 30
ACCEPT icmp -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- 173.245.48.0/20 anywhere tcp dpt:http
ACCEPT tcp -- 103.21.244.0/22 anywhere tcp dpt:http
ACCEPT tcp -- 103.22.200.0/22 anywhere tcp dpt:http
ACCEPT tcp -- 103.31.4.0/22 anywhere tcp dpt:http
ACCEPT tcp -- 141.101.64.0/18 anywhere tcp dpt:http
ACCEPT tcp -- 108.162.192.0/18 anywhere tcp dpt:http
ACCEPT tcp -- 190.93.240.0/20 anywhere tcp dpt:http
ACCEPT tcp -- 188.114.96.0/20 anywhere tcp dpt:http
ACCEPT tcp -- 197.234.240.0/22 anywhere tcp dpt:http
ACCEPT tcp -- 198.41.128.0/17 anywhere tcp dpt:http
ACCEPT tcp -- 162.158.0.0/15 anywhere tcp dpt:http
ACCEPT tcp -- 104.16.0.0/13 anywhere tcp dpt:http
ACCEPT tcp -- 104.24.0.0/14 anywhere tcp dpt:http
ACCEPT tcp -- 172.64.0.0/13 anywhere tcp dpt:http
ACCEPT tcp -- vps-10665803.pjinformatica.org anywhere tcp dpt:http
ACCEPT tcp -- 198-1-121-202.unifiedlayer.com anywhere multiport dports ssh,http
ACCEPT icmp -- 198-1-121-202.unifiedlayer.com anywhere icmp echo-request
ACCEPT tcp -- 54.e2.adb8.ip4.static.sl-reverse.com anywhere multiport dports ssh,http
ACCEPT icmp -- 54.e2.adb8.ip4.static.sl-reverse.com anywhere icmp echo-request
ACCEPT tcp -- 32.e0.acb8.ip4.static.sl-reverse.com anywhere multiport dports ssh,http
ACCEPT icmp -- 32.e0.acb8.ip4.static.sl-reverse.com anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:26
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:infowave
ACCEPT tcp -- anywhere anywhere tcp dpt:radsec
ACCEPT tcp -- anywhere anywhere tcp dpt:sunclustergeo
ACCEPT tcp -- anywhere anywhere tcp dpt:gnunet
ACCEPT tcp -- anywhere anywhere tcp dpt:eli
ACCEPT tcp -- anywhere anywhere tcp dpt:sep
ACCEPT tcp -- anywhere anywhere tcp dpt:EtherNet/IP-1
ACCEPT tcp -- anywhere anywhere tcp dpt:nbx-ser
ACCEPT tcp -- anywhere anywhere tcp dpt:nbx-dir
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT udp -- dns.google anywhere udp spt:domain
ACCEPT tcp -- dns.google anywhere tcp spt:domain
ACCEPT udp -- dns.google anywhere udp spt:domain
ACCEPT tcp -- dns.google anywhere tcp spt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:22022
ACCEPT udp -- anywhere anywhere udp dpt:22022
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT udp -- anywhere anywhere udp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:hbci
ACCEPT udp -- anywhere anywhere udp dpt:hbci
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT udp -- anywhere anywhere udp dpt:webcache
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix "LOG_INPUT: "
REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
tcpchk tcp -- anywhere anywhere
udpchk udp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* Outbound allow lo */
ACCEPT udp -- anywhere anywhere udp dpt:323 /* chronyd */
ACCEPT tcp -- anywhere anywhere multiport dports smtp,urd,submission owner GID match mailman
ACCEPT tcp -- anywhere anywhere multiport dports smtp,urd,submission owner GID match mail
ACCEPT tcp -- anywhere anywhere multiport dports smtp,urd,submission owner UID match root
tcpchk tcp -- anywhere anywhere
udpchk udp -- anywhere anywhere
output_custom all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere state NEW,ESTABLISHED
ACCEPT icmp -- anywhere 198-1-121-202.unifiedlayer.com icmp echo-reply
ACCEPT icmp -- anywhere 54.e2.adb8.ip4.static.sl-reverse.com icmp echo-reply
ACCEPT icmp -- anywhere 32.e0.acb8.ip4.static.sl-reverse.com icmp echo-reply
ACCEPT udp -- anywhere anywhere udp dpt:saphostctrls
ACCEPT tcp -- anywhere anywhere tcp dpt:saphostctrls
ACCEPT udp -- anywhere anywhere udp dpt:30000
ACCEPT tcp -- anywhere anywhere tcp dpt:ndmps
ACCEPT udp -- anywhere anywhere udp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT udp -- anywhere anywhere udp dpt:nicname
ACCEPT tcp -- anywhere anywhere tcp dpt:nicname
ACCEPT tcp -- anywhere anywhere tcp dpt:rsync
ACCEPT udp -- anywhere anywhere owner UID match root
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere gateway07.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway03.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway04.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway05.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway06.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway09.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway10.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway11.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway12.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway13.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway14.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway15.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway16.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway02.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway01.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere gateway08.websitewelcome.com tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp owner UID match mailnull
LOG tcp -- anywhere anywhere ! owner UID match root multiport dports smtp,urd,submission limit: avg 1/sec burst 5 LOG level notice prefix "OUTBOUND-SMTP : "
ACCEPT udp -- anywhere anywhere udp dpt:domain ! owner UID match nobody
ACCEPT tcp -- anywhere anywhere tcp dpt:domain ! owner UID match nobody
ACCEPT udp -- anywhere dns.google udp dpt:domain
ACCEPT tcp -- anywhere dns.google tcp dpt:domain
ACCEPT udp -- anywhere dns.google udp dpt:domain
ACCEPT tcp -- anywhere dns.google tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain owner UID match nobody limit: avg 20/sec burst 5
ACCEPT tcp -- anywhere anywhere tcp dpt:domain owner UID match nobody limit: avg 20/sec burst 5
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:gnunet
ACCEPT tcp -- anywhere anywhere tcp dpt:eli
ACCEPT tcp -- anywhere anywhere tcp dpt:sep
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:time
ACCEPT tcp -- anywhere anywhere tcp dpt:sms-chat
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:22022
ACCEPT tcp -- anywhere anywhere tcp spt:smtp
ACCEPT tcp -- anywhere anywhere tcp spt:26
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:pop3
ACCEPT tcp -- anywhere anywhere tcp spt:imap
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:urd
ACCEPT tcp -- anywhere anywhere tcp spt:submission
ACCEPT tcp -- anywhere anywhere tcp spt:infowave
ACCEPT tcp -- anywhere anywhere tcp spt:radsec
ACCEPT tcp -- anywhere anywhere tcp spt:sunclustergeo
ACCEPT tcp -- anywhere anywhere tcp spt:gnunet
ACCEPT tcp -- anywhere anywhere tcp spt:eli
ACCEPT tcp -- anywhere anywhere tcp spt:sep
ACCEPT tcp -- anywhere anywhere tcp spt:EtherNet/IP-1
ACCEPT tcp -- anywhere anywhere tcp spt:nbx-ser
ACCEPT tcp -- anywhere anywhere tcp spt:nbx-dir
ACCEPT tcp -- anywhere anywhere tcp spt:imaps
ACCEPT tcp -- anywhere anywhere tcp spt:pop3s
ACCEPT tcp -- anywhere 10.0.0.0/8 tcp dpt:50905
ACCEPT tcp -- anywhere anywhere tcp dpt:hbci
ACCEPT udp -- anywhere anywhere udp dpt:hbci
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT udp -- anywhere anywhere udp dpt:webcache
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix "LOG_OUTPUT: "
REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset
DROP all -- anywhere anywhere
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain icmpchk (0 references)
target prot opt source destination
Chain input_custom (1 references)
target prot opt source destination
Chain output_custom (1 references)
target prot opt source destination
Chain ssh (0 references)
target prot opt source destination
ACCEPT all -- supra.websitewelcome.com anywhere
ACCEPT all -- ce.2f.1732.ip4.static.sl-reverse.com anywhere
ACCEPT all -- wizard-backup.hostgator.com anywhere
ACCEPT all -- 216-106-185-169.ds1-static.mia1.net.ststelecom.com anywhere
ACCEPT all -- 12.96.160.0/24 anywhere
ACCEPT all -- 216.19.0.0/24 anywhere
ACCEPT all -- 162-241-18-61.unifiedlayer.com anywhere
ACCEPT all -- 162-214-41-61.unifiedlayer.com anywhere
tcp -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
LOG tcp -- anywhere anywhere state NEW recent: CHECK seconds: 60 hit_count: 10 name: DEFAULT side: source mask: 255.255.255.255 limit: avg 10/min burst 5 LOG level notice prefix "SSH-ATTACK : "
REJECT tcp -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 10 name: DEFAULT side: source mask: 255.255.255.255 reject-with tcp-reset
ACCEPT tcp -- anywhere anywhere
Chain tcpchk (3 references)
target prot opt source destination
Chain udpchk (3 references)
target prot opt source destination
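A practical way to attribute a drop like this, added here as an example (it is not the poster's or the commenter's code): plain iptables -L hides the in/out interface columns and the packet counters, and resolves addresses to hostnames (8.8.8.8 shows up as dns.google), so the two "ACCEPT all" lines in FORWARD above cannot be told apart. Taking two snapshots of iptables -L -v -n -x around a single test query from a container, and diffing the counters, shows exactly which rules, and which built-in chain policy, counted the packets. The two snapshots embedded below are constructed for the demonstration and do not describe the poster's host; the file names and the FWD test flow are assumptions.

```python
"""Diff iptables packet counters between two `iptables -L -v -n -x` snapshots to
see which rules (and which chain policy) a test flow hit.  Added example; the
BEFORE/AFTER snapshots below are constructed, not taken from a real host."""
import re
import sys
from dataclasses import dataclass

# "Chain FORWARD (policy DROP 12 packets, 840 bytes)" or "Chain DOCKER (1 references)"
CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, \d+ bytes|\d+ references)\)"
)
# Protocol column values seen with -n; used to spot rules that have no -j target.
PROTOS = {"all", "tcp", "udp", "icmp", "icmpv6", "esp", "ah", "sctp", "udplite"}


@dataclass(frozen=True)
class Rule:
    chain: str
    index: int      # position in the chain; stable as long as no rule is added/removed
    target: str     # "" for a counter-only rule without a target
    spec: str       # prot opt in out source destination plus any match text


def parse_snapshot(text):
    """Return ({Rule: pkts}, {chain: (policy, policy_pkts)}) from -L -v -n -x output."""
    rules, policies = {}, {}
    chain, index = None, 0
    for raw in text.splitlines():
        m = CHAIN_RE.match(raw)
        if m:
            chain, index = m.group(1), 0
            if m.group(2):                      # built-in chain: keep its policy counter
                policies[chain] = (m.group(2), int(m.group(3)))
            continue
        parts = raw.split()
        if chain is None or len(parts) < 3 or parts[0] == "pkts":
            continue                            # blank line or column header
        pkts = int(parts[0])
        rest = parts[2:]                        # drop the bytes column
        if rest[0] in PROTOS or rest[0].isdigit():
            target, spec = "", " ".join(rest)   # rule with no target (e.g. recent: SET)
        else:
            target, spec = rest[0], " ".join(rest[1:])
        rules[Rule(chain, index, target, spec)] = pkts
        index += 1
    return rules, policies


def counter_deltas(before, after):
    """Rules and built-in chain policies whose packet counters grew between snapshots."""
    rb, pb = parse_snapshot(before)
    ra, pa = parse_snapshot(after)
    rule_hits = [(r, n - rb.get(r, 0)) for r, n in ra.items() if n - rb.get(r, 0) > 0]
    policy_hits = [(c, pol, n - pb.get(c, (pol, 0))[1])
                   for c, (pol, n) in pa.items() if n - pb.get(c, (pol, 0))[1] > 0]
    return rule_hits, policy_hits


def blockers(before, after):
    """Only the terminating hits: DROP/REJECT rules and DROP policies that counted packets."""
    rule_hits, policy_hits = counter_deltas(before, after)
    out = [f"{r.chain}[{r.index}] {r.target} {r.spec} (+{d} pkts)"
           for r, d in rule_hits if r.target in ("DROP", "REJECT")]
    out += [f"{c} policy {pol} (+{d} pkts)" for c, pol, d in policy_hits if pol == "DROP"]
    return out


# Constructed snapshots: three UDP/53 packets from docker0 traverse FORWARD, match only
# the non-terminating jump rules, and fall through to the chain's DROP policy.
BEFORE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      40     3200 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      40     3200 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      20     1600 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
      20     1600 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
       0        0 udpchk     udp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain udpchk (1 references)
    pkts      bytes target     prot opt in     out     source               destination
"""
AFTER = BEFORE.replace("policy DROP 0 packets, 0 bytes", "policy DROP 3 packets, 210 bytes") \
              .replace("      40     3200 DOCKER", "      43     3410 DOCKER") \
              .replace("       0        0 udpchk", "       3      210 udpchk")

if __name__ == "__main__":
    if len(sys.argv) == 3:                      # assumed usage: script.py before.txt after.txt
        before, after = (open(p).read() for p in sys.argv[1:3])
    else:
        before, after = BEFORE, AFTER
    for line in blockers(before, after) or ["no DROP/REJECT rule or DROP policy counted packets"]:
        print(line)
```

On the host the workflow would be: save iptables -L -v -n -x to before.txt, run one query from a container (for example docker run --rm busybox nslookup example.com 8.8.8.8), save the output again to after.txt, and feed both files to the script. Non-terminating chains such as DOCKER-USER and DOCKER-ISOLATION-STAGE-1 will always show deltas; the rule or policy that actually ended the packet is the one reported by blockers(). Because the diff is by chain and position, it is only meaningful if no rule is added or removed between the two snapshots.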
The bridge network doesn't have intra-container DNS, but it should still be resolving internet addresses. Have you considered just creating a network and assigning them all to that with docker run --network yourNetworkName ...? Alternatively a network will be created for each Docker composition, so have you tried to create a docker-compose.yml file from which to launch them?