Thanks for all the work maintaining this excellent product! I was reading about NS8 yesterday and it sounds super exciting!
I have a number of docker containers running on a nethserver server on my internal network. They are exposed to the internet via reverse proxies on a second nethserver running on a raspberry pi 4.
Recently, something changed. I’m guessing in an update, since I haven’t done much else, but I did do some hardening in response to some DOS/SSH attacks recently and maybe I’ve tripped myself up here.
All of the sudden, the pi-server can no longer connect to the docker containers. It just times out. It still has solid connectivity to the server hosting the docker containers, though. I’ve checked firewall, IPS, Fail2ban, etc. I can’t seem to find the problem. All other clients on the internal network can talk to the docker containers. Has something changed recently that might explain this? Perhaps in the way macvlan works?
Here’s how my network looks:
192.168.7.254 - Pi-Server (Nethserver 7.9.2009 ARM7) - Internet connected via port mapping to a non-standard SSH port, and port 443.
192.168.7.55 - Internal Server (Nethserver 7.9.2009 AMD64)
- Docker Containers:
192.168.7.251 - Calibre-web - macvlan port 2083
192.168.7.250 - Foundry VTT - macvlan port 30000
192.168.7.249 - Emby - macvlan port 8096
Here’s curl running from the Pi-server command line to the internal server hosting Docker:
# curl -vI http://192.168.7.55:9090* About to connect() to 192.168.7.55 port 9090 (#0) * Trying 192.168.7.55... * Connected to 192.168.7.55 (192.168.7.55) port 9090 (#0) > HEAD / HTTP/1.1> User-Agent: curl/7.29.0 > Host: 192.168.7.55:9090> Accept: */* > < HTTP/1.1 301 Moved PermanentlyHTTP/1.1 301 Moved Permanently < Content-Type: text/html Content-Type: text/html < Location: https://192.168.7.55:9090/ Location: https://192.168.7.55:9090/ < Content-Length: 73 Content-Length: 73 < X-DNS-Prefetch-Control: off X-DNS-Prefetch-Control: off < Referrer-Policy: no-referrer Referrer-Policy: no-referrer < X-Content-Type-Options: nosniff X-Content-Type-Options: nosniff < * Connection #0 to host 192.168.7.55 left intact
Here’s the same thing attempting to contact one of the docker containers:
# curl -vI http://192.168.7.251:8083 * About to connect() to 192.168.7.251 port 8083 (#0) * Trying 192.168.7.251... * Connection timed out * Failed connect to 192.168.7.251:8083; Connection timed out * Closing connection 0 curl: (7) Failed connect to 192.168.7.251:8083; Connection timed out
Here’s a log entry from the reverse proxy. It shows the same time out:
[proxy_http:error] [pid 11179] [client 126.96.36.199:36438] AH01114: HTTP: failed to make connection to backend: 192.168.7.251
And finally, a screenshot showing connectivity from another client:
NethServer Version: 7.9.2009