Unable to bind services to host ports

I’m trying to bring up a very simple nginx test service with Rancher v32. I’ve set up the service to bind public port 80 and forward to port 80 on the container. In the UI, all seems to look okay: on the service detail page, I see the host’s IP address with the correct mapping.

If I log onto the host system and curl the container’s 10.42.xx.xx address assigned by Rancher, everything works great. But when I try to connect on the host’s IP address I get ‘connection refused’.

How can I bind the service to accept incoming traffic on the host’s public IP? Here is my iptables dump:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
CATTLE_PREROUTING  all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
CATTLE_POSTROUTING  all  --  anywhere             anywhere            
MASQUERADE  all  --  172.17.0.0/16        anywhere            
MASQUERADE  udp  --  172.17.0.7           172.17.0.7           udp dpt:ipsec-nat-t
MASQUERADE  udp  --  172.17.0.7           172.17.0.7           udp dpt:isakmp

Chain CATTLE_POSTROUTING (1 references)
target     prot opt source               destination         
ACCEPT     all  --  10.42.0.0/16         169.254.169.250     
MASQUERADE  tcp  --  10.42.0.0/16        !10.42.0.0/16         masq ports: 1024-65535
MASQUERADE  udp  --  10.42.0.0/16        !10.42.0.0/16         masq ports: 1024-65535
MASQUERADE  all  --  10.42.0.0/16        !10.42.0.0/16        
MASQUERADE  tcp  --  172.17.0.0/16        anywhere             masq ports: 1024-65535
MASQUERADE  udp  --  172.17.0.0/16        anywhere             masq ports: 1024-65535

Chain CATTLE_PREROUTING (1 references)
target     prot opt source               destination         
DNAT       udp  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL udp dpt:ipsec-nat-t to:10.42.236.36:4500
DNAT       udp  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL udp dpt:isakmp to:10.42.236.36:500
DNAT       tcp  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL tcp dpt:http to:10.42.253.17:80

Chain DOCKER (2 references)
target     prot opt source               destination         
DNAT       udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t to:172.17.0.7:4500
DNAT       udp  --  anywhere             anywhere             udp dpt:isakmp to:172.17.0.7:500

@bkoski that’s the right way of binding a public port to the host: the way you’ve done it, by specifying the port mapping. iptables also looks fine.

When you curl the host IP, do you do it from this very same host, or from some other host? The CATTLE_PREROUTING rules that do the port forwarding won’t apply to traffic local to the host.

Ah, that was it! I was trying to test by curling the public IP from the same host. Tested from a different host and it works great! Thanks!
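The reason behind the answer is visible in the dump itself: the nat PREROUTING hook only sees packets that arrive on a network interface, while a connection opened on the host itself enters the nat table through OUTPUT. Here OUTPUT jumps only to the DOCKER chain (the two udp IPsec ports), and there is no OUTPUT-side jump to CATTLE_PREROUTING, so the tcp/http DNAT is applied to traffic from other hosts but never to a local curl. The script below is an added example, not code from the thread or from Rancher: it reads the nat-table listing quoted above (embedded as a constructed sample, trimmed to the relevant chains) and reports which published ports are reachable from other hosts, which are also DNAT'ed for locally generated traffic, and which are therefore not reachable via the host IP from the host itself. To run it against a live machine, replace NAT_DUMP with the output of `iptables -t nat -L`.

```shell
#!/bin/sh
# Added example (not from the original thread): parse an `iptables -t nat -L`
# listing and compare the DNAT port-forwards reachable from PREROUTING
# (packets arriving from other hosts) with those reachable from OUTPUT
# (connections generated on the host itself).

# Constructed sample: the nat-table listing quoted in the thread, trimmed to
# the chains that matter for the question.
NAT_DUMP='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
CATTLE_PREROUTING  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain CATTLE_PREROUTING (1 references)
target     prot opt source               destination
DNAT       udp  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL udp dpt:ipsec-nat-t to:10.42.236.36:4500
DNAT       udp  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL udp dpt:isakmp to:10.42.236.36:500
DNAT       tcp  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL tcp dpt:http to:10.42.253.17:80

Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t to:172.17.0.7:4500
DNAT       udp  --  anywhere             anywhere             udp dpt:isakmp to:172.17.0.7:500'

# Print one line per DNAT rule reachable from the built-in chain $1 through one
# level of jump (enough for the Docker and Rancher layouts): "<proto> <dport> <to>".
forwards_via() {
    hook="$1"
    printf '%s\n' "$NAT_DUMP" | awk -v hook="$hook" '
        /^Chain / { chain = $2; next }          # "Chain NAME (...)" starts a chain
        /^target / || NF == 0 { next }          # column header or separator line
        { rules[chain] = rules[chain] $0 "\n" } # collect rule lines per chain
        END {
            n = split(rules[hook], hr, "\n")
            for (i = 1; i <= n; i++) {
                split(hr[i], f, " ")
                # skip empty entries and terminating targets; anything else is
                # a user-defined chain the hook jumps into
                if (f[1] == "" || f[1] == "DNAT" || f[1] == "MASQUERADE" ||
                    f[1] == "ACCEPT" || f[1] == "RETURN" || f[1] == "DROP") continue
                m = split(rules[f[1]], cr, "\n")
                for (j = 1; j <= m; j++) {
                    if (cr[j] ~ /^DNAT /) {
                        split(cr[j], g, " ")
                        dpt = cr[j]; sub(/.*dpt:/, "", dpt); sub(/ .*/, "", dpt)
                        to = cr[j]; sub(/.*to:/, "", to)
                        print g[2], dpt, to
                    }
                }
            }
        }'
}

# Port-forwards that apply to packets from other hosts but have no OUTPUT-side
# DNAT for the same protocol/port, i.e. the host IP will refuse them locally.
unreachable_locally() {
    out=$(forwards_via OUTPUT | awk '{ print $1, $2 }')
    forwards_via PREROUTING | while read -r proto dpt to; do
        printf '%s\n' "$out" | grep -qx "$proto $dpt" || echo "$proto $dpt -> $to"
    done
}

printf 'Reachable from other hosts (via PREROUTING):\n'
forwards_via PREROUTING
printf '\nAlso applied to locally generated traffic (via OUTPUT):\n'
forwards_via OUTPUT
printf '\nPublished but not reachable on the host IP from this host:\n'
unreachable_locally
```

On the thread's listing the last section prints only `tcp http -> 10.42.253.17:80`, which is exactly the service the reporter could not reach from the host itself; the two udp IPsec ports are covered on both paths because Docker installs its DOCKER chain under OUTPUT as well as PREROUTING.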