EDIT: After a few reboots and much persuasion with the command systemctl enable firewalld, Rockstor managed to start accepting incoming WAN connections. If anyone goes through the same behavior, please report.
Hi everybody,
there seems to be a problem with docker/rockstor and firewalld regarding WAN access.
My situation is the following:
I am happily running Rockstor in a VM, with disks attached via KVM without a problem. Then I installed a few Rockons - Owncloud, Plex and Transmission - and after a few reboots (and a few days; it has happened three times), I can't access the server from the WAN (a fresh install of Rockstor makes the problems go away and WAN access works for a while, but it isn't a proper solution). What is stranger, when accessing from the LAN everything works flawlessly, so I can access Owncloud, Plex or Transmission.
And it definitely isn't just a Rockons issue, because even SSH or the web GUI can't be accessed from the WAN (port forwarding is done right).
From my point of view something is blocking the VM-to-WAN communication, but other VMs under the same settings and hypervisor don't have the issue, so it has to be an error in the VM (as it happens some time after installation). I keep the Rockstor install mostly clean; outside of the web GUI there is only one bash script running for backups, and only a few packages are installed.
[root@nas ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
966caffb15be linuxserver/plex "/sbin/my_init" 11 hours ago Up 4 minutes plex-linuxserver.io
692ff615a7fc pschmitt/owncloud "/usr/bin/run.sh" 7 days ago Up 4 minutes 80/tcp, 0.0.0.0:8081->443/tcp owncloud
b50172695516 postgres "/docker-entrypoint.s" 7 days ago Up 4 minutes 5432/tcp owncloud-postgres
9cb4b99db5f1 dperson/transmission "transmission.sh" 7 days ago Up 4 minutes 0.0.0.0:9091->9091/tcp, 0.0.0.0:51413->51413/tcp, 0.0.0.0:51413->51413/udp transmission
Firewalld should be running, no?
[root@nas ~]# systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Jun 04 22:27:58 nas.*. systemd[1]: Starting firewalld - dynamic firewall daemon…
Jun 04 22:28:02 nas.*. systemd[1]: Started firewalld - dynamic firewall daemon.
Jun 04 22:29:45 nas.*. systemd[1]: Stopping firewalld - dynamic firewall daemon…
Jun 04 22:29:46 nas.*. systemd[1]: Stopped firewalld - dynamic firewall daemon.
Jun 04 22:30:22 nas.*. systemd[1]: Stopped firewalld - dynamic firewall daemon.
After manually starting the service:
(and yes, I tried systemctl enable firewalld and rebooting the VM)
[root@nas ~]# systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: disabled)
Active: active (running) since Sat 2016-06-04 22:48:38 CEST; 2min 26s ago
Main PID: 9338 (firewalld)
Memory: 22.8M
CGroup: /system.slice/firewalld.service
└─9338 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Jun 04 22:48:41 nas.*. firewalld[9338]: 2016-06-04 22:48:41 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 04 22:48:41 nas.*. firewalld[9338]: 2016-06-04 22:48:41 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 04 22:48:41 nas.*. firewalld[9338]: 2016-06-04 22:48:41 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 04 22:48:41 nas.*. firewalld[9338]: 2016-06-04 22:48:41 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 04 22:48:41 nas.*. firewalld[9338]: 2016-06-04 22:48:41 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
Jun 04 22:48:41 nas.*. firewalld[9338]: 2016-06-04 22:48:41 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
Jun 04 22:48:41 nas.*. firewalld[9338]: 2016-06-04 22:48:41 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t nat -A DOCKER -p tcp -d 0/0 --dport 8081 -j DNAT --to-destination 172.17.0.2:443 ! -i docker0' failed: iptables: No chain/target/match by that name.
Jun 04 22:48:41 nas.*. firewalld[9338]: 2016-06-04 22:48:41 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t nat -A DOCKER -p tcp -d 0/0 --dport 51413 -j DNAT --to-destination 172.17.0.4:51413 ! -i docker0' failed: iptables: No chain/target/match by that name.
Jun 04 22:48:41 nas.*. firewalld[9338]: 2016-06-04 22:48:41 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t nat -A DOCKER -p udp -d 0/0 --dport 51413 -j DNAT --to-destination 172.17.0.4:51413 ! -i docker0' failed: iptables: No chain/target/match by that name.
Jun 04 22:48:41 nas.*. firewalld[9338]: 2016-06-04 22:48:41 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t nat -A DOCKER -p tcp -d 0/0 --dport 9091 -j DNAT --to-destination 172.17.0.4:9091 ! -i docker0' failed: iptables: No chain/target/match by that name.
Thanks for suggestions.
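As an added diagnostic (not from the original post, nor Rockstor's or Docker's own code), a small POSIX shell check that reads an iptables nat-table dump and reports whether Docker's DOCKER chain, the PREROUTING jump into it, and the DNAT rules for the ports published in the docker ps output above (8081, 9091, 51413) are present, which is exactly what the firewalld log shows as missing. The two dumps inside are constructed samples; the 172.17.0.x container addresses are taken from the log above.

```shell
#!/bin/sh
# Constructed sample of "iptables-save -t nat" output after firewalld has
# flushed Docker's rules: no DOCKER chain at all, the state the log shows.
BROKEN_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Constructed sample of the same dump on a healthy host where Docker's
# chain and the DNAT rules for the three published ports are in place.
HEALTHY_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.17.0.2:443
-A DOCKER -p tcp -m tcp --dport 9091 -j DNAT --to-destination 172.17.0.4:9091
-A DOCKER -p tcp -m tcp --dport 51413 -j DNAT --to-destination 172.17.0.4:51413
-A DOCKER -p udp -m udp --dport 51413 -j DNAT --to-destination 172.17.0.4:51413
COMMIT'

# check_docker_nat DUMP PORT...
# Verifies that (1) the DOCKER chain exists, (2) PREROUTING jumps to it and
# (3) every expected published port has a DNAT rule in the DOCKER chain.
# Prints each missing item and returns the number of missing items (0 = healthy).
check_docker_nat() {
    dump=$1; shift
    missing=0
    if ! printf '%s\n' "$dump" | grep -q '^:DOCKER '; then
        echo "missing: nat chain DOCKER (flushed by firewalld restart?)"
        missing=$((missing + 1))
    fi
    if ! printf '%s\n' "$dump" | grep -q '^-A PREROUTING .*-j DOCKER$'; then
        echo "missing: PREROUTING -> DOCKER jump"
        missing=$((missing + 1))
    fi
    for port in "$@"; do
        if ! printf '%s\n' "$dump" | grep -q -- "^-A DOCKER .*--dport $port .*-j DNAT"; then
            echo "missing: DNAT rule for published port $port"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# On the real host (as root) feed it the live table instead of the samples:
#   check_docker_nat "$(iptables-save -t nat)" 8081 9091 51413
```

A non-zero result after a firewalld (re)start means Docker's rules were flushed and the containers need a Docker restart to re-create them; a zero result points the search elsewhere (router port forwarding, the hypervisor network).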