Docker - This site can’t be reached

english
#1

I installed a tomcat image and ran a container:

[root@MY_IP ~]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                     NAMES
e624bb55878f        tomcat:7            "catalina.sh run"   43 minutes ago      Up 43 minutes       0.0.0.0:32768->8080/tcp   pensive_leakey

The logs show me that the tomcat server is running but when I check via a browser it tells me : 

This site can’t be reached : MY_IP:32768

MY_IP refused to connect.
ERR_CONNECTION_REFUSED

So MY_IP:32768 doesn't work. I thought it was a firewall problem so I checked my iptables and added a ligne:

[root@MY_IP ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6666 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:32768 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

And when I check with netstat it looks good:

[root@MY_IP ~]# netstat -tulpn
Connexions Internet actives (seulement serveurs)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:27017             0.0.0.0:*                   LISTEN      1375/mongod         
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1240/mysqld         
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      1101/vsftpd         
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      976/named           
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1087/sshd           
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1335/master         
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      976/named           
tcp        0      0 :::32768                    :::*                        LISTEN      13085/docker-proxy  
tcp        0      0 :::80                       :::*                        LISTEN      1348/httpd          
tcp        0      0 ::1:53                      :::*                        LISTEN      976/named           
tcp        0      0 :::22                       :::*                        LISTEN      1087/sshd           
tcp        0      0 ::1:953                     :::*                        LISTEN      976/named           
udp        0      0 127.0.0.1:53                0.0.0.0:*                               976/named           
udp        0      0 ::1:53                      :::*                                    976/named

But I still have the same problem of connection refused. I made sure I restarted the service iptables.

What am I doing wrong here? I am running a CentOS release 6.7 (Final). Thanks

#2

Are you sure that tomcat itself is listening on port 8080? Because the docker container is indeed listening on port 32768 and that port is opened in the firewall ( In fact entirely open because the policy is ACCEPT and there is no REJECT or DROP rule ), it seems that may be the problem.

You can verify with docker exec -ti pensive_leakey ss -tln

#3

don’t touch your iptables, these are OK. But your netstat says 32768 only listens on IPv6 and not on IPv4. Are you sure browser is trying to access it via IPv6?

#4

Why only state NEW tcp dpt:32768? After connection established, and somebody start send data firewall reject it.

#5

Hi, I changed the entry to be exactly like the others : ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:32768
I restarted the service and I still have the same issue