I try to run a HTTP server on port 8000 in a firejail sandbox, and make it accessible on all interfaces of the host on port 8888.
The whole system can be represented as below:
+----------------------------------------------------+ +-------------+
| host-112 | | host-238 |
| | +-------+ | |
| +--------------------------+ +-----+ | 192.168.1.112 | | 192.168.1.238 | +----+ |
| | firejail | |wlan0+------------------+ NAT +-------------------+eth0| |
| | | +-----+ | | | | +----+ |
| | | | +-------+ | |
| | +----+ 10.0.1.2 | 10.0.1.1 +------+ | | |
| | |eth0+--------------------------+my_br0| | | |
| | +----+ | +------+ | | |
| | | | | |
| | | | | |
| | HTTP server <---------------------------<-------------------------------------------+ |
| | 0.0.0.0:8000 | HTTP request | HTTP request +-------------+
| | | 10.0.1.2:8000 | 192.168.1.112:8888
| | | |
| +--------------------------+ |
+----------------------------------------------------+
I am using these commands to create the bridge interface my_br0 and the iptables rules on host-112:
# Create interface
sysctl -w net.ipv4.ip_forward=1
brctl addbr my_br0
ip addr add 10.0.1.1/24 dev my_br0
ip link set my_br0 up
sysctl -w net.ipv4.conf.my_br0.route_localnet=1
# Add iptables rules
iptables -t nat -A PREROUTING -p tcp --dport 8888 -j DNAT --to-destination 10.0.1.2:8000
iptables -t nat -A OUTPUT -p tcp --dport 8888 -j DNAT --to-destination 10.0.1.2:8000
iptables -t nat -A POSTROUTING -p tcp -o my_br0 -j MASQUERADE
iptables -A FORWARD -i my_br0 -p tcp --dport 8000 -j ACCEPT
iptables -A INPUT -i my_br0 -p tcp --sport 8000 -j ACCEPT
I am running the HTTP server in the firejail sandbox like this:
firejail --noprofile --net=my_br0 --ip=10.0.1.2 python3 -m http.server 8000
It works well when I try do to the request on the local host:
myself@host-112 $ curl 192.168.1.112:8888
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
...
But it doesn't work with a remote host on the same network:
myself@host-238 $ curl 192.168.1.112:8888
curl: (7) Failed to connect to 192.168.1.112 port 8888: Connection timed out
It seems like the request is not well forwarded to the bridge interface.
Below is the complete list of iptables rules on host-112:
# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -i my_br0 -p tcp -m tcp --sport 8000 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i my_br0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
# iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -p tcp -m tcp --dport 8888 -j DNAT --to-destination 10.0.1.2:8000
-A POSTROUTING -s 172.19.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o my_br0 -p tcp -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -p tcp -m tcp --dport 8888 -j DNAT --to-destination 10.0.1.2:8000
-A DOCKER -i docker0 -j RETURNo
# iptables -S -t mangle
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
# iptables -S -t raw
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
# iptables -S -t security
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
Do you know what can I do to make it work?
