My title may be poorly worded, but I’ll try to get the backstory straight:
I have Ubuntu instances with clusters of Docker containers all hosting web servers
In order to appease firewalls we want to use port 443 instead of port 8000 (where a service is listening for traffic and keeping track of sockets open to the appropriate containers)
To do this we added a rule:
sudo iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8000
However the containers use boto to push content to s3 i.e. something like:
from boto.s3.connection import S3Connection s3_connection = S3Connection( 'AWS_KEY_ID', 'AWS_SECRET_KEY' ) s3_bucket = s3_connection.get_bucket( 'AWS_BUCKET' )
With the prerouting rule in place boto can no longer use port 443 & returns with:
Traceback (most recent call last): File "<stdin>", line 2, in <module> File "/usr/local/lib/python2.7/dist-packages/boto/s3/connection.py", line 496, in get_bucket return self.head_bucket(bucket_name, headers=headers) File "/usr/local/lib/python2.7/dist-packages/boto/s3/connection.py", line 543, in head_bucket response.status, response.reason, body) boto.exception.S3ResponseError: S3ResponseError: 405 Method Not Allowed
Without the rule boto works fine, but we can’t use port 8000 for a production ssl service.
How should we be configuring our PREROUTING table and service to do both things?
I’m not an expert on boto, iptables or docker, and it is interesting that this seems to be an issue on the containers and not the host.
Your DNAT rule is not specific enough. It is applying to all traffic being forwarded through the host to port 443, regardless of origin or destination.
To resolve the problem, make the rule more specific, such as by specifying that it applies only to inbound traffic from the outside world. If this arrives on the
eth0 interface, then you would add
-i eth0 to the rule:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8000
This won’t apply to traffic going the other direction, where the “inbound” interface is e.g.
docker0 and the “outbound” interface is
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.