Firewall nat rules not being formed correctly

kiboro · August 19, 2015, 11:04am

I’m trying the wordpress example from your website and I am having firewall issues. It’s not reading the port mapping properly. In my docker-compose.yml I have:

wordpresslb:
ports:

“8090:80”

but the firewall rule is:

Chain CATTLE_PREROUTING (1 references)
target prot opt source destination
DNAT tcp – anywhere anywhere ADDRTYPE match dst-type LOCAL tcp dpt:8090 to:10.42.248.197:8090

Obviously this isn’t going to work. What am I doing wrong?

kiboro · August 19, 2015, 11:49am

Also if I create a load balancer using the UI and map 8090 to 80 internal it still maps 8090:8090.

Odd

alena · August 19, 2015, 5:08pm

@kiboro What version of Rancher are you on? I can’t reproduce the problem on latest Rancher 0.32 and rancher-compose 0.2.5. Here is my compose file:

wordpresslb:
    image: nginx
    ports:
        - "8090:80"

and here is the rule created on the backend:

-A CATTLE_PREROUTING -p tcp -m addrtype --dst-type LOCAL -m tcp --dport 8090 -j DNAT --to-destination 10.42.205.0:80

If you are on the latest Rancher/rancher-compose, and still see the issue, could you share your entire docker-compose file? Omitting the sensitive info of course

kiboro · August 19, 2015, 5:22pm

rancher 0.31.0 rancher-compose beta/latest

No problem about the compose file as it’s only the test one from your website. I added a port map for wordpress itself and that works correctly. It appears to only be the load balancer where it ignores the internal port. It always maps whatever the external port is to that same port internally. Is it the load balancer image that’s at fault? I’m really new at Docker.

mywordpress:
  ports:
    - "8888:80/tcp"
  tty: true
  image: wordpress
  links:
    database: mysql
  stdin_open: true
  labels:
    io.rancher.scheduler.affinity:host_label: os=rancheros
wordpresslb:
  ports:
    - "8090:80/tcp"
  tty: true
  image: rancher/load-balancer-service
  links:
    mywordpress: mywordpress
  stdin_open: true
  labels:
    io.rancher.scheduler.affinity:host_label: os=rancheros
database:
  environment:
    MYSQL_ROOT_PASSWORD: pass1
  tty: true
  image: mysql
  stdin_open: true
  labels:
    io.rancher.scheduler.affinity:host_label: os=rancheros

vincent · August 19, 2015, 6:25pm

Since we control the balancer it always listens internally on the same ports that it exposes to the host. The 2nd number is used as the default mapping of what port to send traffic to the targets on when it came in on that port. So "8090:80/tcp" on a load balancer means:

Listen on port 8090 on the host
Send traffic coming in on 8090 to the linked containers on port 80 (unless there are further advanced routing options)
mywordpress is listening on 80, so this should work. (The "8888:80/tcp" in its definition is not needed, unless you want to be able to hit it directly without going through the balancer).
Use TCP balancing, not HTTP. You probably want just “8090:80”, as-is you will not get the X-Forwarded-For header or know the request’s original IP.

kiboro · August 20, 2015, 10:33am

Ah, that makes it all clear. Maybe you should add a note to the website about how that works since it’s sort-of misusing the port definition syntax. All seems to be working fine now thanks.

Topic		Replies	Views
Struggling with load balancer Rancher 1.x	3	1377	March 10, 2018
Issue with port binding Rancher 1.x	6	3773	March 29, 2016
Could not make the load balancer work Rancher 1.x	6	2755	September 28, 2015
Issues with rancher, wordpress from the catalog and an external mysql host Rancher 1.x	4	1235	March 2, 2017
Quick Start Guide Issue with Creating a Multi-Container Application Rancher 1.x	9	3374	October 25, 2016

Firewall nat rules not being formed correctly

Related topics