Service accessible via container IP but not via host IP even when port mapping is done #2947

Open
sakshiarora13 opened this issue Apr 19, 2024 · 2 comments
Labels
kind/unconfirmed-bug-claim Unconfirmed bug claim

@sakshiarora13

Description

I am trying to create a nerdctl local registry on my setup.
The registry which is running on port 5000 inside the container is mapped to port 5001 of my host.
I am able to access the registry with the container IP but not with the host IP, even when the mapping is done correctly.

containers running:
image

container details, nerdctl inspect omnia-registry :
image

registry details via container IP:
image

when trying to access registry via host IP/name:
image

port mapping:
image

ufw status:
image

What can be the issue here?

Steps to reproduce the issue

  1. Created a service file for nerdctl-registry:
    cat /etc/systemd/system/nerdctl-registry.service
[Unit]
Description=Nerdctl Registry

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/opt/omnia/nerdctl-registry
ExecStart=/bin/bash nerdctl-registry start
ExecStop=/bin/bash nerdctl-registry stop

[Install]
WantedBy=default.target
  2. cat /opt/omnia/nerdctl-registry/nerdctl-registry
#!/bin/bash
# Wrapper called by nerdctl-registry.service with "start" or "stop".

nerdctl_command=$1
if [ "$nerdctl_command" = "start" ]; then
    # Look for an existing omnia-registry container (running or stopped).
    nerdctl_ps_result=$(nerdctl ps -a | grep "omnia-registry")
    if [ -z "$nerdctl_ps_result" ]; then
        # No container yet: create it, publishing host port 5001 to container port 5000.
        nerdctl run -d -p 5001:5000 --restart=always --name omnia-registry \
          -v /opt/omnia/nerdctl-registry/images:/data \
          -e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data \
          -v /opt/omnia/nerdctl-registry/certs:/certs \
          -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
          -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
          registry:2
    else
        # Container already exists: start it again.
        nerdctl start omnia-registry
    fi
elif [ "$nerdctl_command" = "stop" ]; then
    nerdctl rm -f omnia-registry
else
    echo "The parameter is wrong."
fi
  3. Create certificates for registry
    image

  4. systemctl start nerdctl-registry

Describe the results you received and expected

Registry should be accessible at HostIP:5001

What version of nerdctl are you using?

root@monsooncp:~# nerdctl version
WARN[0000] unable to determine buildctl version: exec: "buildctl": executable file not found in $PATH
Client:
Version: v1.5.0
OS/Arch: linux/amd64
Git commit: b33a58f
buildctl:
Version:

Server:
containerd:
Version: 1.6.16
GitCommit: 31aa4358a36870b21a992d3ad2bef29e1d693bec
runc:
Version: 1.1.4
GitCommit: v1.1.4-0-g5fd4c4d

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

Others

Host information

root@monsooncp:~# nerdctl info
Client:
Namespace: default
Debug Mode: false

Server:
Server Version: 1.6.16
Storage Driver: overlayfs
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Log: fluentd journald json-file syslog
Storage: aufs native overlayfs
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 5.4.0-176-generic
Operating System: Ubuntu 20.04.6 LTS
OSType: linux
Architecture: x86_64
CPUs: 48
Total Memory: 125.4GiB
Name: monsooncp.monsoon.test
ID: c2878b4c-63e9-4048-8f6d-a91534c6080d

WARNING: No swap limit support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

@Shubhranshu153
Contributor

What do the following net commands show on the host?

 ip route show
 iptables -S
 netstat -tuln

And I'm wondering, does changing the IP to localhost work for you?

@fahedouch
Member

fahedouch commented Apr 26, 2024

Traffic should be translated by a DNAT rule, then routed to the bridge, and then to the container socket.
As @Shubhranshu153 mentioned, the output of these two commands will be very helpful:

iptables -t nat -v -n -L
route
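
The DNAT step described in the comment above can be checked mechanically. The following is an added example, not part of the original thread or of nerdctl itself: it reads `iptables -t nat -S` output and reports where a published TCP port is translated. The sample rules, the chain names and the container IP 10.4.0.5 are constructed assumptions, and `dnat_target` and `check_publish` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example: locate the DNAT rule that should carry a published host port
# to the container, given the output of `iptables -t nat -S` on stdin.

# Constructed sample rules; chain names and the container IP 10.4.0.5 are
# assumptions for illustration, not values from the issue.
sample_nat_rules() {
cat <<'EOF'
-N CNI-HOSTPORT-DNAT
-N CNI-DN-0123456789abcdef
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A CNI-HOSTPORT-DNAT -p tcp -m multiport --dports 5001 -j CNI-DN-0123456789abcdef
-A CNI-DN-0123456789abcdef -s 127.0.0.1/32 -p tcp -m tcp --dport 5001 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-0123456789abcdef -p tcp -m tcp --dport 5001 -j DNAT --to-destination 10.4.0.5:5000
EOF
}

# dnat_target PORT: print "ip:port" of the DNAT destination for tcp PORT.
# Rules that match the port but only mark or jump are skipped. Returns 1 if none.
dnat_target() {
  awk -v port="$1" '{
      dport = jump = dest = proto = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        else if ($i == "--dport") dport = $(i + 1)
        else if ($i == "-j") jump = $(i + 1)
        else if ($i == "--to-destination") dest = $(i + 1)
      }
      if (proto == "tcp" && dport == port && jump == "DNAT" && dest != "") {
        print dest; found = 1; exit
      }
    }
    END { exit (found ? 0 : 1) }'
}

# check_publish HOSTPORT CONTAINERPORT: verify the translation matches -p HOST:CONTAINER.
check_publish() {
  local target
  target=$(dnat_target "$1") || { echo "no DNAT rule for tcp/$1"; return 1; }
  [ "${target##*:}" = "$2" ] || { echo "tcp/$1 goes to $target, expected port $2"; return 1; }
  echo "tcp/$1 -> $target"
}

# Run against the constructed sample, mirroring the issue's -p 5001:5000 mapping.
sample_nat_rules | check_publish 5001 5000
```

On a live host the same check is `iptables -t nat -S | check_publish 5001 5000`, run as root.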
