Accessing Public IP from Docker Containers in NAT

jbond04

Mar 18, 2024
Hello!

I've set up an internal NAT on Proxmox. I can access the internet fine on VMs that I install in the NAT - any website, any program, etc. Here is my NAT configuration:

Code:
auto lo
iface lo inet loopback

iface eno1 inet static
      address MY_PUBLIC_IP
      gateway MY_PUBLIC_GATEWAY

auto vmbr0
iface vmbr0 inet static
      address 10.10.10.1
      netmask 255.255.255.0
      bridge-ports none
      bridge-stp off
      bridge-fd 0

      # enable forwarding and masquerade outbound traffic from the NAT subnet
      post-up echo 1 > /proc/sys/net/ipv4/ip_forward
      post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
      post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE

      # conntrack zone for traffic arriving on the firewall bridges
      post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
      post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
      # ssh to easypanel
      post-up iptables -t nat -A PREROUTING -p tcp --dport 102 -i eno1 -j DNAT --to-destination 10.10.10.3:22
      # http to easypanel
      post-up iptables -t nat -A PREROUTING -p tcp --dport 80 -i eno1 -j DNAT --to-destination 10.10.10.3:80
      # https to easypanel
      post-up iptables -t nat -A PREROUTING -p tcp --dport 443 -i eno1 -j DNAT --to-destination 10.10.10.3:443
      # poste.io ports to easypanel
      post-up iptables -t nat -A PREROUTING -p tcp --dport 25 -i eno1 -j DNAT --to-destination 10.10.10.3:25
      post-up iptables -t nat -A PREROUTING -p tcp --dport 110 -i eno1 -j DNAT --to-destination 10.10.10.3:110
      post-up iptables -t nat -A PREROUTING -p tcp --dport 143 -i eno1 -j DNAT --to-destination 10.10.10.3:143
      post-up iptables -t nat -A PREROUTING -p tcp --dport 465 -i eno1 -j DNAT --to-destination 10.10.10.3:465
      post-up iptables -t nat -A PREROUTING -p tcp --dport 587 -i eno1 -j DNAT --to-destination 10.10.10.3:587
      post-up iptables -t nat -A PREROUTING -p tcp --dport 993 -i eno1 -j DNAT --to-destination 10.10.10.3:993
      post-up iptables -t nat -A PREROUTING -p tcp --dport 995 -i eno1 -j DNAT --to-destination 10.10.10.3:995

However, in my easypanel VM (10.10.10.3), I run several Docker containers. In these Docker containers, I will make calls to other Docker containers in the easypanel machine (e.g. my automation tool n8n, I call a webhook in n8n that triggers another workflow). As an example:

Let's say my public domain for n8n is n8n.example.com. A trigger gets sent from our ERP to n8n.example.com/add-order. n8n runs a workflow. Halfway through the workflow, the n8n workflow triggers another workflow by HTTP request (n8n.example.com/add-product-to-order). However, I get an error when I try to run that:

Code:
ERROR: The service refused the connection - perhaps it is offline
connect ECONNREFUSED MY_PUBLIC_IP:443

The weird thing is that the Docker containers can reach the web, they just can't reach back to themselves. Is this a Proxmox NAT issue? Or a Docker network issue? I had this same setup on a server with a dedicated public IP, and I never had this issue, which makes me think it's a Proxmox NAT issue.


EDIT: As a side note, I also attempted to run a mailserver. I could connect to the mailserver fine, but when I ran the mailserver self-test, it was unable to establish an outbound connection to port 25...only happened on the server with Proxmox NAT.
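Added example, not part of the original post: every DNAT rule in the configuration is bound to `-i eno1`, so a connection from 10.10.10.3 to the public IP arrives on vmbr0, is never translated, and ends at the Proxmox host itself. The Python check below lists the published ports a given interface cannot reach and whether any source-NAT rule covers that interface; the function names, the `vmbr0` default and the port-8080 sample line are assumptions made for the illustration.

```python
import shlex

# Constructed sample in the shape of the post's rules; the 8080 line is invented
# to show a rule that carries no -i restriction.
SAMPLE = """\
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
# https to easypanel
post-up iptables -t nat -A PREROUTING -p tcp --dport 102 -i eno1 -j DNAT --to-destination 10.10.10.3:22
post-up iptables -t nat -A PREROUTING -p tcp --dport 443 -i eno1 -j DNAT --to-destination 10.10.10.3:443
post-up iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.10.10.4:80
"""

def nat_rules(text):
    """Yield (chain, options) for each 'post-up iptables -t nat -A ...' line."""
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # drops '#' comment lines
        if tok[:2] != ["post-up", "iptables"]:
            continue
        # Map each flag to the value that follows it (negated '!' matches are not handled).
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1])
                if t.startswith("-") and not tok[i + 1].startswith("-")}
        if opts.get("-t") == "nat" and "-A" in opts:
            yield opts["-A"], opts

def iface_matches(pattern, iface):
    """iptables interface match: no pattern matches all, trailing '+' is a prefix wildcard."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface

def hairpin_report(text, lan_iface="vmbr0"):
    """Report DNAT rules that skip traffic entering on lan_iface, and whether any
    MASQUERADE/SNAT rule applies to traffic leaving on it (needed for the replies)."""
    unmatched, lan_snat = [], False
    for chain, o in nat_rules(text):
        if chain == "PREROUTING" and o.get("-j") == "DNAT":
            if not iface_matches(o.get("-i"), lan_iface):
                unmatched.append((o.get("--dport"), o.get("--to-destination")))
        elif chain == "POSTROUTING" and o.get("-j") in ("MASQUERADE", "SNAT"):
            lan_snat = lan_snat or iface_matches(o.get("-o"), lan_iface)
    return {"unmatched": unmatched, "lan_snat": lan_snat}

if __name__ == "__main__":
    print(hairpin_report(SAMPLE))
```

An empty `unmatched` list together with `lan_snat` set to true means the bridge side is covered by both halves of a hairpin setup.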