Today, Docker is a popular tool for running and managing apps. A common task is to send network traffic from a port on your computer to a port in a Docker container. This is useful if you want to share a service in the container with the outside world or set up a reverse proxy for load balancing.
In this article, we will show you how to forward a port to a Docker container using iptables, a firewall tool in most Linux systems.
Step 1: Identify the IP address of the Docker container
Run the following command to find the IP address of your Docker container:
docker inspect -f '{{ .NetworkSettings.IPAddress }}' <CONTAINER_NAME_OR_ID>
Replace <CONTAINER_NAME_OR_ID> with the name or ID of your container. Note down the IP address displayed in the output.
Step 2: Forwarding Ports to Docker Containers
Using Iptables
To forward a port to a Docker container using iptables, you can follow these steps:
- Add iptables rules for forwarding: Now, set up the iptables rules to forward the desired port to your Docker container. Replace <HOST_PORT> with the port number on the host machine, <CONTAINER_IP> with the IP address of your container, and <CONTAINER_PORT> with the port number inside the container.
sudo iptables -t nat -A PREROUTING -p tcp --dport <HOST_PORT> -j DNAT --to-destination <CONTAINER_IP>:<CONTAINER_PORT>
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
For instance, if you want to redirect port 8080 from the host machine to port 80 on a Docker container having an IP of 172.21.0.7, you’d execute the given commands:
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 172.21.0.7:80
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
- Save the iptables rules: To make the iptables rules persist across reboots, you can save them using the iptables-save command:
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
Note that the path to the rules file may vary depending on your Linux distribution.
- Make iptables rule persistent: If you are using a Debian/Ubuntu-based distribution, you can install the iptables-persistent package to make the rules persist across reboots:
sudo apt-get install iptables-persistent
During installation, it will ask whether you want to save the current iptables rules. Select ‘Yes’ to save the rules.
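To check what the rules above actually opened, the following added example (not part of the original article) audits `iptables-save -t nat` output: it lists each DNAT forward and flags any MASQUERADE rule with no source, destination or interface match, such as the blanket POSTROUTING rule used here, which also hides the real client address from the container. The function names and the embedded sample ruleset (including the bridge name br-example) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit nat-table rules in iptables-save format (read from stdin).

# Constructed sample: the two rules from this article plus one scoped
# MASQUERADE rule of the kind Docker adds (br-example is a made-up bridge name).
sample_nat_rules() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.21.0.7:80
-A POSTROUTING -s 172.21.0.0/16 ! -o br-example -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
EOF
}

# Prints one line per DNAT forward and one WARN per unscoped MASQUERADE.
# Exit status is 1 when at least one WARN was printed, 0 otherwise.
audit_nat() {
  awk '
    $1 != "-A" { next }   # skip table headers, chain policies and COMMIT
    {
      chain = $2; target = ""; dport = "any"; dest = ""; scoped = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-j") target = $(i + 1)
        else if ($i == "--dport") dport = $(i + 1)
        else if ($i == "--to-destination") dest = $(i + 1)
        else if ($i == "-i" || $i == "-o" || $i == "-s" || $i == "-d") scoped = 1
      }
      if (target == "DNAT")
        printf "DNAT %s dport %s -> %s%s\n", chain, dport, dest,
               (scoped ? "" : " [no -i/-s/-d restriction]")
      if (target == "MASQUERADE" && !scoped) {
        printf "WARN %s: MASQUERADE without -s/-d/-o applies to all outgoing traffic\n", chain
        warn = 1
      }
    }
    END { exit warn + 0 }'
}

# Demonstration run on the constructed sample; never fails the script.
sample_nat_rules | audit_nat || true
```

On a live host, feed it the real table with `sudo iptables-save -t nat | audit_nat`.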
Using firewall-cmd
To forward a port to a Docker container using firewall-cmd, which is a part of the firewalld utility on RHEL/CentOS/Fedora-based systems, follow these steps:
- Add the firewall-cmd rules for forwarding: Now, set up the firewall-cmd rules to forward the desired port to your Docker container. Replace <HOST_PORT> with the port number on the host machine, <CONTAINER_IP> with the IP address of your container, and <CONTAINER_PORT> with the port number inside the container.
First, enable masquerade on the active zone:
sudo firewall-cmd --zone=public --add-masquerade --permanent
- Next, create the port forwarding rule:
sudo firewall-cmd --zone=public --add-forward-port=port=<HOST_PORT>:proto=tcp:toaddr=<CONTAINER_IP>:toport=<CONTAINER_PORT> --permanent
For example, to forward port 8080 on the host machine to port 80 on a Docker container with an IP address of 172.17.0.7, you would use the following command:
sudo firewall-cmd --zone=public --add-forward-port=port=8080:proto=tcp:toaddr=172.17.0.7:toport=80 --permanent
- Reload the firewall rules: After adding the rules, you need to reload the firewalld configuration for the changes to take effect:
sudo firewall-cmd --reload
Now, the port forwarding should be working, and any traffic coming to the <HOST_PORT> on the host machine will be forwarded to the <CONTAINER_PORT> on the Docker container.
Using UFW
To forward a port to a Docker container using ufw (Uncomplicated Firewall), which is the default firewall tool on Ubuntu and other Debian-based systems, you need to follow these steps:
- Enable UFW forwarding: Edit the UFW configuration file at /etc/default/ufw:
sudo nano /etc/default/ufw
Find the line containing DEFAULT_FORWARD_POLICY="DROP" and change it to DEFAULT_FORWARD_POLICY="ACCEPT":
DEFAULT_FORWARD_POLICY="ACCEPT"
Save the file and exit the editor.
- Configure IP forwarding: Edit the sysctl configuration file at /etc/sysctl.conf:
sudo nano /etc/sysctl.conf
Add or uncomment the following line:
net.ipv4.ip_forward=1
Save the file and exit the editor. Apply the changes by running:
sudo sysctl -p
- Update UFW rules: Next, edit the UFW rules file /etc/ufw/before.rules to add the port forwarding rule. Replace <HOST_PORT> with the port number on the host machine, <CONTAINER_IP> with the IP address of your container, and <CONTAINER_PORT> with the port number inside the container.
sudo nano /etc/ufw/before.rules
Add the following lines at the beginning of the file, after the header comments:
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport <HOST_PORT> -j DNAT --to-destination <CONTAINER_IP>:<CONTAINER_PORT>
COMMIT
For example, to forward port 8080 on the host machine to port 80 on a Docker container with an IP address of 172.17.0.7, you would add:
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 172.17.0.7:80
COMMIT
Save the file and exit the editor.
- Reload UFW: Finally, reload the UFW configuration for the changes to take effect:
sudo ufw disable
sudo ufw enable
Now, the port forwarding should be working, and any traffic coming to the <HOST_PORT> on the host machine will be forwarded to the <CONTAINER_PORT> on the Docker container.
Conclusion
Forwarding a port to a Docker container using iptables is simple. You need to find the container’s IP address, add the right iptables rules, and make sure the rules persist across reboots. By following the steps in this article, you can make traffic sent to a specific port on your computer go to a port in the container. This lets you share services in containers, set up reverse proxies, or use load balancing, making your container system more flexible and efficient.