Firewall nat rules not being formed correctly

I’m trying the wordpress example from your website and I am having firewall issues. It’s not reading the port mapping properly. In my docker-compose.yml I have:

wordpresslb:
  ports:
    - "8090:80"

but the firewall rule is:

Chain CATTLE_PREROUTING (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL tcp dpt:8090 to:10.42.248.197:8090

Obviously this isn’t going to work. What am I doing wrong?

Also if I create a load balancer using the UI and map 8090 to 80 internal it still maps 8090:8090.

Odd

@kiboro What version of Rancher are you on? I can’t reproduce the problem on latest Rancher 0.32 and rancher-compose 0.2.5. Here is my compose file:

wordpresslb:
    image: nginx
    ports:
        - "8090:80"

and here is the rule created on the backend:

-A CATTLE_PREROUTING -p tcp -m addrtype --dst-type LOCAL -m tcp --dport 8090 -j DNAT --to-destination 10.42.205.0:80

If you are on the latest Rancher/rancher-compose and still see the issue, could you share your entire docker-compose file? Omitting the sensitive info, of course.

Rancher 0.31.0, rancher-compose beta/latest.

No problem about the compose file as it’s only the test one from your website. I added a port map for wordpress itself and that works correctly. It appears to only be the load balancer where it ignores the internal port. It always maps whatever the external port is to that same port internally. Is it the load balancer image that’s at fault? I’m really new at Docker.

mywordpress:
  ports:
    - "8888:80/tcp"
  tty: true
  image: wordpress
  links:
    - database:mysql
  stdin_open: true
  labels:
    io.rancher.scheduler.affinity:host_label: os=rancheros
wordpresslb:
  ports:
    - "8090:80/tcp"
  tty: true
  image: rancher/load-balancer-service
  links:
    - mywordpress:mywordpress
  stdin_open: true
  labels:
    io.rancher.scheduler.affinity:host_label: os=rancheros
database:
  environment:
    MYSQL_ROOT_PASSWORD: pass1
  tty: true
  image: mysql
  stdin_open: true
  labels:
    io.rancher.scheduler.affinity:host_label: os=rancheros

Since we control the balancer it always listens internally on the same ports that it exposes to the host. The 2nd number is used as the default mapping of what port to send traffic to the targets on when it came in on that port. So "8090:80/tcp" on a load balancer means:

  • Listen on port 8090 on the host
  • Send traffic coming in on 8090 to the linked containers on port 80 (unless there are further advanced routing options)
  • mywordpress is listening on 80, so this should work. (The "8888:80/tcp" in its definition is not needed, unless you want to be able to hit it directly without going through the balancer).
  • Use TCP balancing, not HTTP. You probably want just "8090:80"; as-is you will not get the X-Forwarded-For header or know the request’s original IP.

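A small check that encodes the rule explained above, added here as an example and not code from the thread or from Rancher: it derives, per service, the port a CATTLE_PREROUTING DNAT rule should point at (the host port for a rancher/load-balancer-service, the container port for anything else), parses `iptables-save -t nat` lines in the format shown earlier in the thread, and reports mismatches plus any DNAT rule that exposes a host port no compose mapping asked for. The compose data is assumed to be already loaded into Python structures and the sample rule lines are constructed.

```python
import re

# Constructed sample: the thread's compose services as Python structures
# (what yaml.safe_load would return for the file above).
SERVICES = {
    "mywordpress": {"image": "wordpress", "ports": ["8888:80/tcp"]},
    "wordpresslb": {"image": "rancher/load-balancer-service", "ports": ["8090:80/tcp"]},
    "database": {"image": "mysql"},
}
# Constructed `iptables-save -t nat` lines for the CATTLE_PREROUTING chain.
NAT_RULES = """
-A CATTLE_PREROUTING -p tcp -m addrtype --dst-type LOCAL -m tcp --dport 8888 -j DNAT --to-destination 10.42.248.10:80
-A CATTLE_PREROUTING -p tcp -m addrtype --dst-type LOCAL -m tcp --dport 8090 -j DNAT --to-destination 10.42.248.197:8090
"""
LB_IMAGE = "rancher/load-balancer-service"
PORT_RE = re.compile(r"^(\d+):(\d+)(?:/(tcp|udp))?$")
RULE_RE = re.compile(r"-A CATTLE_PREROUTING .*?-p (\w+) .*?--dport (\d+) "
                     r"-j DNAT --to-destination ([\d.]+):(\d+)")

def expected_dnat_ports(services):
    """Map (proto, host_port) -> (service, port the DNAT rule should target).
    A Rancher balancer listens inside its container on the host port it exposes,
    so its DNAT keeps the host port; any other service gets the container port."""
    expected = {}
    for name, svc in services.items():
        is_lb = svc.get("image") == LB_IMAGE
        for mapping in svc.get("ports", []):
            m = PORT_RE.match(mapping)
            if not m:
                raise ValueError(f"{name}: unsupported port mapping {mapping!r}")
            host, container, proto = m.group(1), m.group(2), m.group(3) or "tcp"
            expected[(proto, host)] = (name, host if is_lb else container)
    return expected

def parse_dnat_rules(text):
    """Return {(proto, dport): (dest_ip, dest_port)} from iptables-save lines."""
    return {(m.group(1), m.group(2)): (m.group(3), m.group(4))
            for m in map(RULE_RE.search, text.splitlines()) if m}

def audit(services, nat_text):
    """List (service, host_port, expected_port, actual_port) per mismatch; actual
    None means no rule, service "<unmapped>" means a rule no mapping asked for."""
    expected = expected_dnat_ports(services)
    actual = parse_dnat_rules(nat_text)
    findings = []
    for key, (name, want) in expected.items():
        got = actual[key][1] if key in actual else None
        if got != want:
            findings.append((name, key[1], want, got))
    for key in actual.keys() - expected.keys():
        findings.append(("<unmapped>", key[1], None, actual[key][1]))
    return findings
```

Run against the constructed rules, `audit(SERVICES, NAT_RULES)` returns an empty list: the balancer's DNAT to port 8090 is correct, and only the wordpress service's rule targets port 80.
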
Ah, that makes it all clear. Maybe you should add a note to the website about how that works since it’s sort-of misusing the port definition syntax. All seems to be working fine now thanks.