Channel: Active questions tagged 22.04 - Ask Ubuntu

Ubuntu 22.04: docker: containers not accessible from outside


I have a fresh, off-the-shelf Ubuntu 22.04 installation and installed Docker according to the book.

I also spun up three containers using docker-compose, and they show up fine in docker ps.

    CONTAINER ID   IMAGE                             COMMAND                  CREATED          STATUS                   PORTS                                                                                  NAMES
    60cf25f59a92   jc21/nginx-proxy-manager:latest   "/init"                  48 minutes ago   Up 8 minutes             0.0.0.0:80-81->80-81/tcp, :::80-81->80-81/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   infra_nginx_proxy_1
    f8081b137abf   graylog/graylog:4.2               "tini -- /docker-ent…"   55 minutes ago   Up 8 minutes (healthy)   0.0.0.0:1514->1514/tcp, :::1514->1514/tcp, 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp   infra_graylog_1
    d3fef3332752   elasticsearch:7.9.3               "/tini -- /usr/local…"   55 minutes ago   Up 8 minutes             9200/tcp, 9300/tcp                                                                     infra_elasticsearch_1
    6b7920e89790   mongo:4.4.9                       "docker-entrypoint.s…"   56 minutes ago   Up 8 minutes             27017/tcp                                                                              infra_mongo_db_1

Now, when trying to curl one of them locally, all is fine:

    root$: curl http://localhost:81
    <!doctype html><html lang="en" dir="ltr"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,user-scalable=no,initial-scale=1,maximum-scale=1,minimum-scale=1">...

But the same curl (against the public IP of course) ends in timeout.

Doing tcpdump on the Docker host reveals this; traffic is arriving:

    root$: tcpdump port 81
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    19:53:34.520888 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, options [mss 1460,sackOK,TS val 1217328475 ecr 0,nop,wscale 7], length 0
    19:53:35.535503 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, options [mss 1460,sackOK,TS val 1217329490 ecr 0,nop,wscale 7], length 0
    19:53:37.551436 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, options [mss 1460,sackOK,TS val 1217331506 ecr 0,nop,wscale 7], length 0
    19:53:41.775510 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, options [mss 1460,sackOK,TS val 1217335730 ecr 0,nop,wscale 7], length 0

iptables - all docker generated - look like this

    sudo iptables --list
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    DOCKER-USER  all  --  anywhere             anywhere
    DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    DOCKER     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    DOCKER     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain DOCKER (2 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:https
    ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:81
    ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:http
    ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:9000
    ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:1514

    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    target     prot opt source               destination
    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain DOCKER-ISOLATION-STAGE-2 (2 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain DOCKER-USER (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

And even nmap shows that all doors are open

    root$: sudo nmap localhost
    Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-12 19:56 UTC
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000013s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    81/tcp   open  hosts2-ns
    443/tcp  open  https
    9000/tcp open  cslistener

Interestingly, when spinning up a local webserver, e.g. with python3 -m http.server 81, it spins up (after having shut down the containers) and it is reachable. So I can pretty much rule out an issue with an external firewall or even the host operating system...

Please help and advise.
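
An added example, not part of the original question: a small Python parser for tcpdump text output like the capture above, reporting SYNs that were retransmitted without any SYN-ACK in the capture, which is the pattern the port 81 trace shows. The function name `unanswered_syns` and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample capture: the first three lines come from the question's tcpdump output;
# the last two are constructed to show an answered handshake for contrast.
CAPTURE = """\
19:53:34.520888 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, options [mss 1460,sackOK,TS val 1217328475 ecr 0,nop,wscale 7], length 0
19:53:35.535503 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, options [mss 1460,sackOK,TS val 1217329490 ecr 0,nop,wscale 7], length 0
19:53:37.551436 IP 10.0.1.27.51942 > docker-infrastruktur.81: Flags [S], seq 1942358053, win 64240, options [mss 1460,sackOK,TS val 1217331506 ecr 0,nop,wscale 7], length 0
19:54:02.000100 IP 10.0.1.27.51950 > docker-infrastruktur.22: Flags [S], seq 77001, win 64240, length 0
19:54:02.000180 IP docker-infrastruktur.22 > 10.0.1.27.51950: Flags [S.], seq 99001, ack 77002, win 65160, length 0
"""

# Matches SYN ([S]) and SYN-ACK ([S.]) lines; tcpdump prints absolute
# sequence numbers for both, so seq and ack can be compared directly.
LINE = re.compile(
    r"^\S+ IP (\S+) > (\S+): Flags \[(S\.?)\], seq (\d+)(?:, ack (\d+))?"
)


def unanswered_syns(capture):
    """Return {(src, dst): attempts} for SYNs that never received a SYN-ACK."""
    attempts = defaultdict(int)  # (src, dst, seq) -> number of SYNs seen
    answered = set()             # (src, dst, seq) acknowledged by a SYN-ACK
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, flags, seq, ack = m.groups()
        if flags == "S":
            attempts[(src, dst, int(seq))] += 1
        elif ack is not None:
            # A SYN-ACK travels dst -> src and acknowledges seq + 1.
            answered.add((dst, src, int(ack) - 1))
    return {
        (s, d): n for (s, d, q), n in attempts.items()
        if (s, d, q) not in answered
    }


if __name__ == "__main__":
    for (src, dst), n in unanswered_syns(CAPTURE).items():
        print(f"{src} -> {dst}: {n} SYN(s), no SYN-ACK seen")
```

A flow reported here reached the capture interface but got no reply on it; comparing with a capture on the Docker bridge interface shows whether the packets are forwarded to the container at all.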

