Docker aqua host exposed port not accessible from VLAN

NethServer 7.9.2009 server only (no RED interface)
Module: docker aqua
Hi, I run a docker container with mqtt server on network aqua, port 8883 is exposed on the servers br0 bridge interface. I can access the mqtt server from the hosts on the same network as the servers green interface and from other docker containers.

I use an additional VLAN which is routed to an external firewall. The VLAN is in trusted networks and a static route exists (configured in the old server manager).
Non docker services (Samba DC, file services, webservers) wortk fine from this VLAN.
The docker aqua exposed ports are not accessible.

I tried to add different firewall rules to convince shorewall not to drop this traffic. So far I cannot get it to work correctly.

Is this default behaviour? I would expect the green zone to be the allowed source, not just the vlan of the server ip. Any ldeas to fix this?

shorewall show log shows:

Jan 16 17:20:41 loc2fw:REJECT:IN=br0 OUT= SRC= DST=local server ip LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=45402 DF PROTO=TCP SPT=51408 DPT=8883 WINDOW=29200 RES=0x00 SYN URGP=0

db dockrules show:



@dev_team Can you answer this question?

1 Like

not tested but I bet this could explain

all green to aqua are rejected

1 Like

You may use custom templates to edit shorewall policy:

Thanx for the pointers. I created a new service in cockpit (system - service - add service).
The fw rules are created automatically. Cockpit action failed, command line copy of the service create command worked fine.

The key was not the 35aqua rules, shorewall blocked the SYN on loc2fw.