docker exposed port not accessible from outside even when port is opened using iptables command

Question

I have a sample docker tar image in my linux based server and ran that though docker run command as below where 9521f101839f is image id.

docker run -p 0.0.0.0:9895:9898 -td 9521f101839f

So now docker container is present and the project (rest api) works fine inside my server.

docker ps command output also looks proper:

a97904cb07d1 localhost/elk-spring-boot.jar:latest 22 minutes ago Up 22 minutes ago 0.0.0.0:9895->9898/tcp compassionate_goldberg

As you see, it's exposed to 9895 to the outside world.

 iptables -I INPUT -p tcp -m tcp --dport 9895 -j ACCEPT

Using the above iptables commands, i made sure to open 9895 port.

[root@pxgrid-163 localdisk]# iptables -nvL | grep 9895
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9895
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9895
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9895
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9895
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9895

But, when i try to curl from another linux based server (or from my laptop CLI) to this docker container server , it's not accessible. From inside that sever where i kept docker container , i am able to access everything properly. But from a separate server (or my laptop) when i try to do curl in order to access the api (docker run api), it's not accessible.

Is it expected behaviour? Shouldn't it be accessible from outside as well because port is exposed to outside world? Am i missing something here?

Below are the network interfaces list when i do ifconfig

Which interface_ip we're talking about here? Is it eth0? when i do ifconfig i see these many interfaces

ifconfig
cni-podman0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 10.88.0.1  netmask 255.255.0.0  broadcast 10.88.255.255

cni-podman1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 169.254.2.1  netmask 255.255.255.0  broadcast 169.254.2.255

cni-podman2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 169.254.4.1  netmask 255.255.255.0  broadcast 169.254.4.255

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.23.166.163  netmask 255.255.255.0  broadcast 172.23.166.255

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0        

veth506e78cf: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500 

veth6c80d69f: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        
vethe32079e7: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

Answer 1

Doker has its own network 172.16.0.0/12 inside your machine.

Try

-p your_interface_ip:9895:9898

Also check is ip forwarding enabled

sysctl -w net.ipv4.ip_forward=1

https://docs.docker.com/config/containers/container-networking/

https://www.docker.com/blog/understanding-docker-networking-drivers-use-cases/

Answer 2

I had to enable IP Forwarding in my server by following below 2 steps

1. Configure the Linux kernel to allow IP forwarding. - sysctl net.ipv4.conf.all.forwarding=1
2. Change the policy for the iptables FORWARD policy from DROP to ACCEPT - iptables -P FORWARD ACCEPT

After this, I was able to access the api from my laptop as well as from a different server.