Access to docker service from KVM VM on same UCS machine

Hi,

I have an issue accessing an MS SQL server running in docker from a Windows 10 KVM VM, both running on the same UCS machine. I’m able to reach the host (UCS with IP 172.24.0.1) from the VM, but I am not able to administer the MS SQL service remotely (I tried two different approaches resulting in different issues, which I try to describe below).

Option 1: Using a bridge network for the VM
Using a bridge network for the VM with the following configuration:
<interface type="bridge">
  <mac address="52:54:00:2d:f0:0d"/>
  <source bridge="br1"/>
  <target dev="vnet1"/>
  <model type="virtio"/>
  <alias name="net1"/>
  <address type="pci" domain="0x0000" bus="0x00" slot="0x06" function="0x0"/>
</interface>

I’m able to access the host (172.24.0.1) but can’t reach the MS SQL service running in docker at port 1433. I’m pretty sure that has to do with firewall rules / iptables, but I couldn’t figure out what to change / how to set them correctly.
Output of iptables -S:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-USER
-N DOCKER-ISOLATION-STAGE-2
-A INPUT -s 172.17.0.0/16 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 172.16.0.0/16 -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.1/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1433 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
Option 2: Using a NAT network for the VM
If I use a NAT network for the VM with the following network configuration:
<network connections="1">
  <name>default</name>
  <uuid>575a3430-0408-4e7c-9ff9-354318993818</uuid>
  <forward mode="nat">
    <nat>
      <port start="1024" end="65535"/>
    </nat>
  </forward>
  <bridge name="virbr0" stp="on" delay="0"/>
  <mac address="52:54:00:ac:19:df"/>
  <ip address="192.168.122.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.122.2" end="192.168.122.254"/>
    </dhcp>
  </ip>
</network>

and VM interface:

<interface type="network">
  <mac address="52:54:00:19:10:b4"/>
  <source network="default" bridge="virbr0"/>
  <target dev="vnet0"/>
  <model type="virtio"/>
  <alias name="net0"/>
  <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x0"/>
</interface>

I then can access the MS SQL server in the docker container. However, the issue here is that I have no access to the internet (which would be important as I will have to access the client via Teamviewer). I can see that requests get blocked by my dedicated firewall (OPNsense), as they show up as rejected in the firewall logs; the strange thing is that these logs show the internal (behind NAT) IP of the VM (192.168.122.156). In my understanding of NAT, the IP seen by clients outside / in front of the VM NAT network should be the IP of the host (172.24.0.1) or at least the IP address defined in the network configuration (192.168.122.1). Am I misunderstanding NAT here? I could probably fix internet access on the firewall (allowing outgoing access for 192.168.122.0/24 didn’t suffice so far), but I would like to make sure first that the network configuration is correct.

So, any ideas how to let me access both the docker container and the internet from the VM? I actually don’t really care whether I use bridged or NAT networking on the VM, as access to the VM from other clients within the network is not mandatory (but nice to have). I would prefer the approach that is most straightforward and comprehensible to configure with regard to Univention conventions / management tools.

Thanks in advance
BR Hans
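To see what the listed filter rules actually decide for each case in the question, here is an added example (not part of the post) that replays the FORWARD chain from the `iptables -S` output above: `trace(in_iface, out_iface, dst, dport)` walks the chains for a NEW TCP packet as FORWARD sees it, that is after any PREROUTING DNAT to the container. Interface names and addresses are the post's own; the destination 172.17.0.1 is taken from the DOCKER rule, and br1 as the host's uplink for the internet case is an assumption.

```python
import ipaddress
import re
DUMP = """
-P FORWARD ACCEPT
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.1/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1433 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
"""  # constructed input: the FORWARD-related rules from the post's `iptables -S`, verbatim

def parse(dump):  # -> (policies, chains); each rule is (matches, jump target, raw line)
    lines = dump.strip().splitlines()
    policies = dict(line.split()[1:] for line in lines if line.startswith("-P "))
    chains = {}
    for line in (l for l in lines if l.startswith("-A ")):
        (_, _, chain), *opts = re.findall(r"(!\s+)?(--?\S+)\s+(\S+)", line)
        target = dict(o[1:] for o in opts).get("-j")
        matches = [(o, v, bool(neg)) for neg, o, v in opts if o not in ("-j", "-m", "--reject-with")]
        chains.setdefault(chain, []).append((matches, target, line))
    return policies, chains

def match(opt, val, pkt):  # evaluate one match option used in the listing; the caller applies a leading '!'
    if opt == "-d":
        return ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(val)
    if opt == "--ctstate":
        return pkt["state"] in val.split(",")
    return str(pkt[{"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport"}[opt]]) == val

def verdict(pkt, tables, chain="FORWARD"):  # netfilter walk: first terminal target wins, RETURN pops, policy at the end
    policies, chains = tables
    for matches, target, line in chains.get(chain, []):
        if all(match(o, v, pkt) != neg for o, v, neg in matches):
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target, line
            if target == "RETURN":
                return None
            if hit := verdict(pkt, tables, target):
                return hit
    return (policies[chain], "-P " + chain) if chain in policies else None

def trace(in_, out, dst, dport):  # a NEW tcp packet as FORWARD sees it, i.e. after any PREROUTING DNAT
    return verdict({"in": in_, "out": out, "dst": dst, "proto": "tcp", "dport": dport, "state": "NEW"}, parse(DUMP))
```

With these rules, trace("br1", "docker0", "172.17.0.1", 1433) ends in ACCEPT from the DOCKER chain and trace("virbr0", "br1", "203.0.113.10", 443) falls through to the ACCEPT policy, so the filter table shown does not explain either symptom. The nat table (iptables -t nat -S), which holds both Docker's DNAT and libvirt's MASQUERADE rules, is the next thing to compare against what is observed.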