Docker Container Install on Ubuntu Suddenly Only Allows Local Traffic

Greetings,

Apologies, up-front, for my extremely rusty Linux knowledge. I’ve been in a Windows stack for at least a decade now, and am only getting back into Linux. I suspect this is going to be a Linux related issue, but I am not certain. My hopes are that someone with a similar installation might be able to provide guidance here.

My set-up is extremely straightforward. Using Docker, I have Home Assistant running happily in a container on an Ubuntu server install, and it has been for a couple of weeks now. I also have containers up for Node Red, Eclipse MQTT, Zigbee2MQTT, Grafana, Code Server, etc. This is the final evolution in my journey from Raspberry Pi, to a NUC, and now part of the new “home lab”. The installation works flawlessly, apart from one thing.

Here is my Docker Compose, in case it is relevant:

version: '3'
services:
  homeassistant:
    container_name: home-assistant
    image: "docker.io/homeassistant/home-assistant:stable"
    network_mode: host
    environment:
      - TZ=America/Phoenix
      - PUID=992
      - PGID=992
      - UMASK=007
      - PACKAGES=iputils
    volumes:
      - /array/container-data/home-assistant/config:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    privileged: true

Last week, I set up a DDNS, using Dynu. Until this morning, it was working fine - until after a server reboot. In beginning to troubleshoot, I verified that the correct IP was set, and that I can remotely access the port on the router. No problems with either, there. Then, I verified my port forwarding rules, and they are also set up correctly. So, from the domain name, traffic makes it to the router.

I have also verified that traffic is making it to the server, itself. From the tcpdump, below, 192.168.0.101 is my server and 208.127.85.157 is my client machine. Whenever I attempt to access via my public IP or host name, this is the output of tcpdump:

jmferris@ferris-smarthome:/array/container-data/home-assistant/config/www$ sudo tcpdump -ni any port 8123 | grep '208.127.85.157'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
16:41:26.678096 IP 192.168.0.101.8123 > 208.127.85.157.9247: Flags [P.], seq 3167168894:3167169046, ack 1455471558, win 501, length 152
16:41:28.238427 IP 208.127.85.157.9247 > 192.168.0.101.8123: Flags [F.], seq 1, ack 0, win 1029, length 0
16:41:28.238984 IP 192.168.0.101.8123 > 208.127.85.157.9247: Flags [F.], seq 9480, ack 2, win 501, length 0
16:41:28.243236 IP 208.127.85.157.34200 > 192.168.0.101.8123: Flags [S], seq 1121415575, win 65280, options [mss 1344,nop,wscale 8,nop,nop,sackOK], length 0
16:41:28.243306 IP 192.168.0.101.8123 > 208.127.85.157.34200: Flags [S.], seq 1635185161, ack 1121415576, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:41:28.245639 IP 208.127.85.157.63320 > 192.168.0.101.8123: Flags [P.], seq 3874385583:3874386056, ack 3032168147, win 1029, length 473
16:41:28.245681 IP 192.168.0.101.8123 > 208.127.85.157.63320: Flags [.], ack 473, win 501, length 0
16:41:28.247308 IP 192.168.0.101.8123 > 208.127.85.157.63320: Flags [P.], seq 1:153, ack 473, win 501, length 152
16:41:28.247380 IP 192.168.0.101.8123 > 208.127.85.157.63320: Flags [P.], seq 153:2841, ack 473, win 501, length 2688
16:41:28.247392 IP 192.168.0.101.8123 > 208.127.85.157.63320: Flags [P.], seq 2841:5529, ack 473, win 501, length 2688
16:41:28.247628 IP 192.168.0.101.8123 > 208.127.85.157.63320: Flags [P.], seq 5529:8217, ack 473, win 501, length 2688
16:41:28.247647 IP 192.168.0.101.8123 > 208.127.85.157.63320: Flags [P.], seq 8217:9481, ack 473, win 501, length 1264
16:41:28.291053 IP 208.127.85.157.34200 > 192.168.0.101.8123: Flags [.], ack 1, win 1029, length 0
16:41:28.950056 IP 192.168.0.101.8123 > 208.127.85.157.63320: Flags [P.], seq 8217:9481, ack 473, win 501, length 1264
16:41:29.299335 IP 208.127.85.157.63320 > 192.168.0.101.8123: Flags [P.], seq 0:473, ack 1, win 1029, length 473
16:41:29.299373 IP 192.168.0.101.8123 > 208.127.85.157.63320: Flags [.], ack 473, win 501, options [nop,nop,sack 1 {0:473}], length 0

Traffic is clearly making it to the server, from external requests, but I am getting nothing apart from the generic “connection refused” screen in Chrome on the client. Prior to the reboot, as mentioned, I was getting to the site just fine.

Does anyone have any suggestions on what I might be able to look at or try here?

Thank you, in advance!

EDIT: For clarity, I have no issues accessing the server on the network, via IP. It is only external requests that are seemingly being dropped/blocked.

Resolved. After a lot of trial and error, and digging more into documentation, I discovered that the second network interface on the server was at fault, here. Since the server had autodiscovered the second connection when I plugged in to the NIC, it also added a second default gateway. To fix it, I explicitly deleted the route for the second gateway and modified my netplan to explicitly set the gateway on the first interface (the primary interface used for internet). After a reboot, it is working as expected.

I have a lot more to learn about Linux networking, it would appear!
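
A check for the condition described in the resolution (more than one IPv4 default route after a second NIC comes up), as an added example that is not part of the original post. It parses text in the format printed by `ip -4 route show default`; the interface names, the second subnet and the gateway addresses in the sample are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag a host that has more than one IPv4 default route.
# Input is text in the format of `ip -4 route show default`.

# Constructed sample: eno2 is a hypothetical second NIC that picked up its own
# default gateway, with a lower metric than the primary interface eno1.
SAMPLE_ROUTES='default via 192.168.1.1 dev eno2 proto dhcp src 192.168.1.50 metric 100
default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.101 metric 200'

# Print "dev gateway metric" for every default route read from stdin.
list_default_routes() {
    awk '$1 == "default" {
        gw = "-"; dev = "-"; metric = 0
        for (i = 2; i < NF; i++) {
            if ($i == "via")    gw = $(i + 1)
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1)
        }
        print dev, gw, metric
    }'
}

# Report how many default routes exist and which one sorts first by metric.
# Returns 1 when there is more than one, 2 when there is none.
check_default_routes() {
    routes=$(list_default_routes)
    count=$(printf '%s\n' "$routes" | grep -c . || true)
    preferred=$(printf '%s\n' "$routes" | sort -k3,3n | head -n 1)
    if [ "$count" -gt 1 ]; then
        echo "WARN $count default routes; preferred: $preferred"
        return 1
    elif [ "$count" -eq 0 ]; then
        echo "NONE no default route"
        return 2
    fi
    echo "OK $count default route: $preferred"
}

# Run against the constructed sample; on a live host use:
#   ip -4 route show default | check_default_routes
printf '%s\n' "$SAMPLE_ROUTES" | check_default_routes || true
```

On a live host, `ip route get <client address>` additionally shows which interface and gateway a reply to that client would leave by.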