Can't access bridged VirtualBox port from the internet without port forwarding from the host

[robcos]

I am encountering a strange issue which I cannot understand and it is probably due to my limited understanding of how VB deals with networks.
I have a virtual box instance running in bridge mode (hostname docker). Actually it is running in nat (eth0) and bridged (eth3). I have a bunch of docker services running on it exposing various ports, say 8080. The instance is running on a host called "host"

From my local network (any host) I can access the docker:8080 nicely.
From my router, I forward port 8080 to docker:8080. I expect to be able to access public_ip:8080. However, it does not work - no traffic reaches my docker instance.
If I port forward host:8080 to docker:8080 and then my public 8080 to host:8080 (in my router), it works like a charm.

Why is that?
Recapping:

Code: Select all

public_ip:8080 -> host:8080 -> docker:8080 YES
public_ip:8080 -> docker:8080 NO

Code: Select all

host=192.168.1.99
docker:192.168.1.201
test machine: 192.168.1.161
(all in the same subnet)

Why do I need this unnecessary port forwarding from the host to the virtual box instance?

Thanks

[scottgus1]

We will need more information, though at first guess it appears you may be accessing your 'docker' through its NAT connection not the Bridged connection. Accessing a NAT VM from outside the host PC requires going through the host IP address, and it also requires a port forward in the NAT settings.

Are you running a VM with Docker in it, then another OS inside Docker?

host=192.168.1.99
docker:192.168.1.201
test machine: 192.168.1.161

Right-click the VM in the main Virtualbox window's VM list, choose Show in Explorer/Finder/File Manager. Zip the VM's .vbox file (not the .vbox-prev file), and post the zip file, using the forum's Upload Attachment tab. (Configure your host OS to show all extensions if the folder that opens does not show a .vbox file.)

[robcos]

Hi Scott,
I'm running docker inside virtual box and then httpd inside docker. No other OS in between.
The host "docker", as explained in my post, maps to the ip of the bridge connection (it's in the same subnet of the host) so I should not require port forwarding. That is why this is so odd. I'm uploading the vbox file.

[scottgus1]

Thanks for the file. You have three active networks going, Bridged, Host-Only and NAT. The NAT has some 35 port forwarding rules, one of which is 8080.

Why your Bridged connection is not being used is beyond me. Can you get to a terminal inside the docker VM and run "ip address" or "ifconfig" then post the output?

[fth0]

One additional question: From your description, I'm not 100% sure if you are using the word "docker" just instead of an IP address to simplify your writing, or if you use it as an DNS hostname somewhere ...

[robcos]

docker is a local hostname that resolves to 192.168.99.101. Whether I use an ip or the hostname does not have impact with regards to the test.

dig docker

; <<>> DiG 9.10.6 <<>> docker
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51370
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;docker. IN A

;; ANSWER SECTION:
docker. 0 IN A 192.168.1.201

;; Query time: 0 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Sat Jan 23 16:56:47 GMT 2021
;; MSG SIZE rcvd: 51

The output of ifconfig is the following:

docker0 Link encap:Ethernet HWaddr 02:42:B6:32:62:78
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
inet6 addr: fe80::42:b6ff:fe32:6278/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10189 errors:0 dropped:0 overruns:0 frame:0
TX packets:14218 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1502563 (1.4 MiB) TX bytes:3325701 (3.1 MiB)

eth0 Link encap:Ethernet HWaddr 08:00:27:48:E8:77
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00fe48:e877/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9113 errors:0 dropped:0 overruns:0 frame:0
TX packets:6493 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1817649 (1.7 MiB) TX bytes:1286664 (1.2 MiB)

eth1 Link encap:Ethernet HWaddr 08:00:27:2A:F1:1A
inet addr:192.168.99.101 Bcast:192.168.99.255 Mask:255.255.255.0
inet6 addr: fe80::a00fe2a:f11a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:313 errors:0 dropped:0 overruns:0 frame:0
TX packets:324 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:47888 (46.7 KiB) TX bytes:44121 (43.0 KiB)

eth2 Link encap:Ethernet HWaddr 08:00:27:EC:EB:88
inet addr:192.168.1.201 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00feec:eb88/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22470 errors:0 dropped:0 overruns:0 frame:0
TX packets:13850 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9308349 (8.8 MiB) TX bytes:3293893 (3.1 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:820 errors:0 dropped:0 overruns:0 frame:0
TX packets:820 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:90733 (88.6 KiB) TX bytes:90733 (88.6 KiB)

Eth2, with host 192.168.1.201, is the bridged network.

From the host:

ping docker
PING docker (192.168.1.201): 56 data bytes
64 bytes from 192.168.1.201: icmp_seq=0 ttl=64 time=0.325 ms
64 bytes from 192.168.1.201: icmp_seq=1 ttl=64 time=0.249 ms

duboce is my host. Port forwarding from the host to the guest works fine.

$ telnet duboce 8080
Trying 192.168.1.99...
Connected to duboce.
Escape character is '^]'.

HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 435
Date: Sat, 23 Jan 2021 17:02:47 GMT
Connection: close

<!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1></body></html>Connection closed by foreign host.

docker is my host. The 8080 is working and accessible.

$ telnet docker 8080
Trying 192.168.1.201...
Connected to docker.
Escape character is '^]'.

HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 435
Date: Sat, 23 Jan 2021 17:02:50 GMT
Connection: close

<!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1></body></html>Connection closed by foreign host.

Still, my router cannot see 192.168.1.201:8080 but works fine with 192.1681.99:8080

Strange, ah?

[fth0]

Are you perhaps confusing the networks in your previous post? The texts don't seem to match the command outputs: docker resolving to 192.168.99.101, 192.168.99.0/24 being the bridged network. You can edit your post if necessary.

You could use Wireshark on the host and on the guest to investigate what happens. Especially check DHCP and ARP.

[robcos]

Yes, thanks for the heads up - typo fixed.