If you’re networking to the outside world, Docker behaves as if the request was coming from the host machine. But if you want to access processes that are running on the host, your firewall may need some extra configuration.
The Solution: Add a Firewall Rule for 172.18.0.0/16
If you’ve just tried to access a process running on the host machine like an HTTP service, you might have gotten blocked. This is because even though Docker containers run on the host, they use some special networking under the hood to keep them logically separated, and because of that they have different IP addresses.
You can see this when running ifconfig: alongside your standard network interface you'll also see the docker0 interface. By default, Docker uses the 172.18.0.0/16 block to allocate container IP addresses.
The fix is very simple: allow this IP range through your firewall, since requests from the range Docker uses are likely what is getting blocked. It's a private address range that only containers on this host can use, so the risk of opening it is minimal, but note that every container will then be able to reach any service listening on the host; restrict the rule to the port you actually need where you can. For UFW, that would be:
sudo ufw allow from 172.18.0.0/16
Optionally specifying a port to open:
sudo ufw allow from 172.18.0.0/16 to any port 9200
For iptables, that would be the following (the rule must be an ACCEPT, and it is inserted at the top of the INPUT chain so it is evaluated before any default drop or reject rule that may already be there):
sudo iptables --insert INPUT --protocol tcp --source 172.18.0.0/16 --jump ACCEPT
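Before adding a rule it is worth checking which subnets Docker has actually allocated on the host, since user-defined networks (for example those created by docker compose) get their own /16 blocks beyond the default one, and a rule written for the wrong prefix length silently leaves part of the range blocked. The script below is an added example, not part of the original article: it parses the JSON shape of docker network inspect (the sample document, network names and subnets are constructed here, not captured from a real host), reports which Docker subnets are not fully covered by the firewall source ranges you already allow, and builds the matching UFW rule. On a real host you would feed it the output of docker network inspect $(docker network ls -q).

```python
import ipaddress
import json

# Constructed sample of `docker network inspect` output: the default bridge
# plus one user-defined network. These values are made up for the example.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]}},
    {"Name": "app_default",
     "IPAM": {"Config": [{"Subnet": "172.19.0.0/16", "Gateway": "172.19.0.1"}]}},
])


def docker_subnets(inspect_json):
    """Map each network name to the list of subnets in its IPAM config."""
    subnets = {}
    for net in json.loads(inspect_json):
        config = net.get("IPAM", {}).get("Config") or []
        subnets[net["Name"]] = [
            ipaddress.ip_network(c["Subnet"]) for c in config if "Subnet" in c
        ]
    return subnets


def uncovered_subnets(subnets, allowed_cidrs):
    """Return (network, subnet) pairs not fully inside any allowed source CIDR.

    A Docker subnet counts as covered only if the whole block is contained in
    one allowed range; a /24 allow rule does not cover a /16 Docker network.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    missing = []
    for name, nets in subnets.items():
        for net in nets:
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                missing.append((name, str(net)))
    return missing


def ufw_rule(subnet, port=None):
    """Build the UFW command that allows a Docker subnet, optionally one port."""
    rule = f"sudo ufw allow from {subnet}"
    if port is not None:
        rule += f" to any port {port}"
    return rule


if __name__ == "__main__":
    found = docker_subnets(SAMPLE_INSPECT)
    # Check the sample against a rule that only allows a /24: both networks
    # are reported, because neither /16 fits inside 172.18.0.0/24.
    for name, subnet in uncovered_subnets(found, ["172.18.0.0/24"]):
        print(f"{name}: {subnet} not allowed, add: {ufw_rule(subnet, 9200)}")
```

Run it against real inspect output by replacing SAMPLE_INSPECT with the captured JSON; an empty list from uncovered_subnets means every container subnet on the host is already allowed through the rules you passed in.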
For managed hosting services like AWS, you may not need to change anything—security groups are network firewalls that sit in front of instances, and shouldn’t affect internal traffic.