
I have a custom container with a VPN inside, with the following iptables rules inside the container:

# Flush all existing rules and user-defined chains (filter table only)
iptables -F
iptables -X

# Set default policies to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow loopback traffic (localhost)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow vpn to be connected (replies to the VPN handshake and to any other
# connection the container itself initiated)
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# allow outbound UDP to each VPN server listed in /tmp/entries ("host port" per line)
while IFS=' ' read -r host port; do
    [ -n "$host" ] && [ -n "$port" ] || continue   # skip blank or malformed lines
    iptables -A OUTPUT -o eth0 -p udp --dport "$port" -d "$host" -j ACCEPT
done < "/tmp/entries"

# everything leaving through the tunnel is allowed
iptables -A OUTPUT -o "${VPN_DEVICE}" -j ACCEPT

# allow vnc to be connected (inbound on eth0, replies back out eth0)
iptables -A INPUT -i eth0 -p tcp --dport 5800 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 5800 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow deluge to be connected (inbound on eth0, replies back out eth0)
iptables -A INPUT -i eth0 -p tcp --dport 8112 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 8112 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow deluge to access external world (peer ports, tunnel interface only)
iptables -A INPUT -i "${VPN_DEVICE}" -p tcp --dport 6881:6891 -j ACCEPT
iptables -A OUTPUT -o "${VPN_DEVICE}" -p tcp --dport 6881:6891 -j ACCEPT
iptables -A INPUT -i "${VPN_DEVICE}" -p udp --dport 6881:6891 -j ACCEPT
iptables -A OUTPUT -o "${VPN_DEVICE}" -p udp --dport 6881:6891 -j ACCEPT

The whole idea is to drop all in/out traffic by default; allow only output traffic to the VPN server on eth0; allow the exposed ports 5800 and 8112 on eth0 so my services are accessible; and expose the torrent client to the external world through the VPN device.

Also, I have the following compose file to bring up the container with the iptables rules above:

version: "2.1"
services:
  vpn:
    build: ./
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    volumes:
      - ./volumes/vpn-config:/vpn-config
      - ./volumes/deluge-config:/deluge-config
      - ./volumes/downloads:/downloads
      - ./volumes/firefox-profile:/config
      - ./volumes/downloads:/config/downloads
    ports:
      - 40001:5800
      - 40002:8112
    restart: unless-stopped

The main problem here: ports 40001 and 40002 work fine from the host machine, but do not work from other machines on the same network, while the exposed ports of other containers are fine (tested with an nginx hello-world container).

Are there any suspicious places here I can change or pay attention to, to ensure ports 40001 and 40002 are reachable from other machines?

  • I suspect you need to add rules allowing those ports to the FORWARD chain.
    – cybernard
    Commented Nov 10, 2023 at 21:25

1 Answer


Okay, the original problem has nothing to do with iptables; everything is about routes. Assume the host machine's external network is 192.168.31.0/24.

By default, Docker adds routes like this:

default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 scope link  src 172.17.0.2

OpenVPN then adds something like this, a default route through the VPN:

0.0.0.0/1 via 1.2.3.4 dev tun0     # this comes from openvpn (redirect-gateway def1)
128.0.0.0/1 via 1.2.3.4 dev tun0   # def1 installs both halves; this one covers 192.168.31.0/24
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 scope link  src 172.17.0.2

In the first case all packets for 192.168.31.0/24 go to 172.17.0.1, the host machine, which re-routes them to the proper place.

After the VPN is connected, all this traffic goes to 1.2.3.4. It still works for the host machine, since the 172.17.0.0/16 route from Docker still exists.

Unfortunately, I don't know an elegant route/iptables solution to resolve this issue automatically.

The easy solution is to start a proxy server (via an additional docker-compose service; an HTTP one, a TCP one, or whatever is suitable) to proxy the exposed ports to the outer world.
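Editor's added example, not part of the question or the answer above. It serves both the question (why 5800/8112 answer the host but not LAN clients even though the iptables rules admit them) and the answer (the route explanation): the code simulates the kernel's longest-prefix-match routing decision over the three tables this thread is about, the Docker-only table, the table after OpenVPN's redirect-gateway def1 has installed its two halves (0.0.0.0/1 and 128.0.0.0/1; it is the second one that captures 192.168.31.0/24), and the same table with one more-specific route for the LAN pointing back at the Docker gateway. It also generates that route from the container's own default entry, which is the route-based fix the answer says it lacks: inside the container, once the tunnel is up, run ip route add 192.168.31.0/24 via <docker gateway> dev eth0 (the NET_ADMIN capability the compose file already grants is enough). The VPN gateway 1.2.3.4, the LAN 192.168.31.0/24, the client address 192.168.31.50 and the route-table text are constructed from the answer's ip route output and are placeholders, not values from any real setup.

```python
"""Simulate Linux longest-prefix-match route selection over the route tables
from the thread, and generate the LAN bypass route that fixes the reply path.

Added example by the editor, not code from the original post. All addresses
and tables below are constructed placeholders taken from the answer's text.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None  # None for a directly connected ("scope link") prefix


def parse_routes(text: str) -> list[Route]:
    """Parse the subset of `ip route` syntax used on the page:
    '<dst|default> [via GW] dev IFACE [...]'. '#' starts a comment."""
    routes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        via = tokens[tokens.index("via") + 1] if "via" in tokens else None
        dev = tokens[tokens.index("dev") + 1]
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, via))
    return routes


def lookup(routes: list[Route], dst: str) -> Route:
    """Longest-prefix match, as the kernel FIB does: the most specific
    matching prefix wins regardless of its position in the table."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def lan_fix_command(routes: list[Route], lan_cidr: str) -> str:
    """Build the `ip route add` that pins the LAN back to the Docker bridge
    gateway. The gateway is read from the /0 ('default') entry Docker
    installed, which OpenVPN leaves in place underneath its two /1 routes."""
    default = next(r for r in routes if r.prefix.prefixlen == 0)
    return f"ip route add {lan_cidr} via {default.via} dev {default.dev}"


# Constructed from the answer's `ip route` output (placeholder addresses).
DOCKER_ONLY = """
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 scope link src 172.17.0.2
"""

# redirect-gateway def1 adds both halves of the address space, so every
# destination without a more specific route prefers tun0 over the /0 default
# while Docker's default route stays in the table.
WITH_VPN = """
0.0.0.0/1 via 1.2.3.4 dev tun0
128.0.0.0/1 via 1.2.3.4 dev tun0
""" + DOCKER_ONLY

LAN = "192.168.31.0/24"        # placeholder LAN from the answer
CLIENT = "192.168.31.50"       # placeholder LAN client, constructed
HOST_BRIDGE = "172.17.0.1"     # host side of the Docker bridge


def reply_path(table_text: str, dst: str) -> str:
    """Return 'IFACE via GW' (or 'IFACE direct') for a reply packet to dst."""
    r = lookup(parse_routes(table_text), dst)
    return f"{r.dev} via {r.via}" if r.via else f"{r.dev} direct"


def with_lan_fix(table_text: str, lan_cidr: str) -> str:
    """Apply the generated fix to the constructed table, i.e. what running the
    `ip route add` inside the container would do, and return the new table."""
    cmd = lan_fix_command(parse_routes(table_text), lan_cidr)
    _, _, _, cidr, _, gw, _, dev = cmd.split()
    return table_text + f"{cidr} via {gw} dev {dev}\n"


if __name__ == "__main__":
    print("before VPN :", reply_path(DOCKER_ONLY, CLIENT))            # eth0 via 172.17.0.1
    print("with VPN   :", reply_path(WITH_VPN, CLIENT))               # tun0 via 1.2.3.4
    print("host still :", reply_path(WITH_VPN, HOST_BRIDGE))          # eth0 direct
    print("fix        :", lan_fix_command(parse_routes(WITH_VPN), LAN))
    print("after fix  :", reply_path(with_lan_fix(WITH_VPN, LAN), CLIENT))  # eth0 via 172.17.0.1
```

Two caveats for the real container. Read the gateway from ip route show default before OpenVPN starts rather than hard-coding 172.17.0.1, because docker compose puts services on a per-project network whose subnet is often not 172.17.0.0/16. The iptables rules in the question need no change for this: once replies to 5800 and 8112 are routed out eth0 again they match the existing -o eth0 --sport ... ESTABLISHED OUTPUT rules. Traffic to the LAN deliberately bypasses the tunnel after the fix, so keep that prefix as narrow as the network you actually need to reach.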
