โ† All skills
Tencent SkillHub ยท Developer Tools

Localhost Bridge

Bridge Docker containers to host localhost services via socat. Solves the #1 networking issue in containerized AI agent deployments: containers can't reach s...


Install for OpenClaw

Quick setup
  1. Download the package from Yavira.
  2. Extract the archive and review SKILL.md first.
  3. Import or place the package into your OpenClaw setup.

Requirements

Target platform: OpenClaw
Install method: Manual import
Extraction: Extract archive
Prerequisites: OpenClaw
Primary doc: SKILL.md

Package facts

Download mode: Yavira redirect
Package format: ZIP package
Source platform: Tencent SkillHub
What's included: SKILL.md

Validation

  • Use the Yavira download entry.
  • Review SKILL.md after the package is downloaded.
  • Confirm the extracted package contains the expected setup assets.

Install with your agent

Agent handoff

Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.

  1. Download the package from Yavira.
  2. Extract it into a folder your agent can access.
  3. Paste one of the prompts below and point your agent at the extracted folder.
New install

I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.

Upgrade existing

I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.

Trust & source

Release facts

Source: Tencent SkillHub
Verification: Indexed source record
Version: 2.0.0

Documentation


โš ๏ธ Security & Privileges

This skill requires host-level privileges. It must be reviewed and executed manually by an administrator โ€” never autonomously by an agent. What it does on the host: Creates a systemd service (persistent across reboots) that forwards traffic from a Docker bridge IP to localhost Adds a UFW firewall rule scoped to a specific Docker bridge interface Requires sudo, Docker daemon access, and socat from your distro's official package repository Before running any command: Review the generated /etc/systemd/system/socat-<SOURCE_NETWORK>-<TARGET_SERVICE>-<PORT>.service file โ€” confirm ExecStart binds only to the intended Docker bridge IP (172.x.x.1), never 0.0.0.0 Review the UFW rule โ€” confirm it targets the correct br-<ID> interface and port After setup, verify the port is NOT reachable from the public network: curl --connect-timeout 2 http://<PUBLIC_IP>:<PORT>/ must fail Test from inside a container before deploying widely Do not grant an automated agent permissions to run these commands without human approval.

The Problem

A service on the host listens on 127.0.0.1 (AI gateway, MCP server, Ollama, database...). A Docker container needs to reach it. Inside the container, localhost points to the container itself, not the host. Requests either time out silently (the firewall drops the packets) or get connection refused.

The Solution

socat listens on the Docker bridge gateway IP and forwards to host loopback. Combined with a scoped firewall rule, this gives containers access without exposing the service externally.

1. Find the Docker bridge gateway IP

```bash
# For a specific container
docker inspect <container_name> --format '{{json .NetworkSettings.Networks}}' \
  | python3 -c "
import json,sys
d = json.load(sys.stdin)
for net, info in d.items():
    print(f'{net}: gateway={info[\"Gateway\"]}')"
```

2. Create a systemd service

Replace <GATEWAY_IP>, <PORT>, <SOURCE_NETWORK>, and <TARGET_SERVICE> with your values.

Naming convention: socat-<source_network>-<target_service>-<port>, where the source network is the Docker network (consumer) and the target service is the host service. Self-documenting.

Examples: socat-bridge-gateway-18789, socat-windmill_default-gateway-18789, socat-bridge-ollama-11434

Review the ExecStart line before enabling, and confirm it binds to the Docker bridge IP only.

```bash
sudo tee /etc/systemd/system/socat-<SOURCE_NETWORK>-<TARGET_SERVICE>-<PORT>.service > /dev/null << 'EOF'
[Unit]
Description=Socat bridge: <SOURCE_NETWORK> -> <TARGET_SERVICE>:<PORT>
After=network.target docker.service

[Service]
Type=simple
ExecStart=/usr/bin/socat TCP-LISTEN:<PORT>,bind=<GATEWAY_IP>,fork,reuseaddr TCP:127.0.0.1:<PORT>
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

# Review the file before enabling:
cat /etc/systemd/system/socat-<SOURCE_NETWORK>-<TARGET_SERVICE>-<PORT>.service

sudo systemctl daemon-reload
sudo systemctl enable --now socat-<SOURCE_NETWORK>-<TARGET_SERVICE>-<PORT>
```

3. Add firewall rule (MANDATORY)

Without this, socat listens but packets from the container are silently dropped, causing 30-second timeouts with no error.

Review the bridge ID before applying. A wrong ID can expose services.

```bash
# Find the Linux bridge interface for the Docker network
# (user-defined networks get br-<first 12 chars of the network ID>;
#  the default "bridge" network uses docker0 instead)
BRIDGE_ID=$(docker network inspect <network_name> --format '{{.Id}}' | cut -c1-12)

# Verify this is the right bridge
ip link show "br-${BRIDGE_ID}"

# Allow traffic only on that bridge interface
sudo ufw allow in on "br-${BRIDGE_ID}" to any port <PORT> proto tcp comment "<SOURCE_NETWORK>-<TARGET_SERVICE>-<PORT>"
```

4. Verify security

```bash
# MUST succeed (from inside a container)
docker exec <container_name> curl -s --connect-timeout 5 http://<GATEWAY_IP>:<PORT>/

# MUST fail (from the public network)
curl --connect-timeout 2 http://<PUBLIC_IP>:<PORT>/
```
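The review of the unit file called for under Security & Privileges and in step 2 (ExecStart bound only to the Docker bridge IP, never 0.0.0.0, forwarding to 127.0.0.1) can be scripted and run before `systemctl enable`. This is an added example, not part of the skill package: `audit_socat_unit` and `demo_unit` are hypothetical helper names, the sample units are constructed, and the 172.x.x.1 pattern is taken from this page, so networks with custom subnets need a different pattern.

```bash
#!/usr/bin/env bash
# audit_socat_unit <unit_file> [expected_gateway_ip]
# Hypothetical helper: prints a verdict, returns 0 only for a scoped listener.
audit_socat_unit() {
  local unit=$1 expected=${2:-} exec_line listen target port bind
  exec_line=$(grep -E '^ExecStart=' "$unit" | head -n 1)
  [ -n "$exec_line" ] || { echo "FAIL: no ExecStart line"; return 1; }

  # First socat address is the listener, second is the forward target.
  listen=$(printf '%s\n' "$exec_line" | grep -oE 'TCP4?-LISTEN:[^ ]+' | head -n 1)
  target=$(printf '%s\n' "$exec_line" | grep -oE ' TCP4?:[^ ]+' | head -n 1 | tr -d ' ')
  [ -n "$listen" ] && [ -n "$target" ] || { echo "FAIL: cannot parse socat addresses"; return 1; }
  port=${listen#*:}; port=${port%%,*}
  bind=$(printf '%s\n' "$listen" | tr ',' '\n' | sed -n 's/^bind=//p' | head -n 1)

  # Without bind=, socat listens on every interface (same exposure as 0.0.0.0).
  [ -n "$bind" ] || { echo "FAIL: no bind= option, listens on all interfaces"; return 1; }
  case $bind in
    0.0.0.0|'*'|::|'[::]') echo "FAIL: bind=$bind is a wildcard address"; return 1 ;;
  esac
  # Assumption: the gateway has the page's 172.x.x.1 form (RFC 1918 172.16.0.0/12).
  printf '%s\n' "$bind" | grep -qE '^172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.1$' \
    || { echo "FAIL: bind=$bind is not a 172.x.x.1 bridge gateway"; return 1; }
  # Optional drift check against the gateway Docker reports now (step 1).
  if [ -n "$expected" ] && [ "$bind" != "$expected" ]; then
    echo "FAIL: bind=$bind but expected gateway $expected"; return 1
  fi
  case $target in
    "TCP:127.0.0.1:$port"|"TCP4:127.0.0.1:$port") ;;
    *) echo "FAIL: target $target is not 127.0.0.1:$port"; return 1 ;;
  esac
  echo "OK: $bind:$port -> 127.0.0.1:$port"
}

# Constructed sample unit (port and IP are illustrative), written to a temp file.
demo_unit() {  # demo_unit <listener_options>
  local f; f=$(mktemp)
  printf '[Service]\nType=simple\nExecStart=/usr/bin/socat TCP-LISTEN:%s TCP:127.0.0.1:11434\n' "$1" > "$f"
  echo "$f"
}

audit_socat_unit "$(demo_unit '11434,bind=172.18.0.1,fork,reuseaddr')"
audit_socat_unit "$(demo_unit '11434,fork,reuseaddr')" || true
audit_socat_unit "$(demo_unit '11434,bind=0.0.0.0,fork,reuseaddr')" || true
```

Passing the gateway reported in step 1 as the second argument also catches the "Bridge IP changed" case from the troubleshooting table.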

Multi-Network Workers

A container can be on multiple Docker networks. Each has its own bridge IP. You need a socat instance + firewall rule for each network the container uses. In practice, one network is usually enough.

Check all networks:

```bash
docker inspect <container> --format '{{json .NetworkSettings.Networks}}'
```

Common Use Cases

| Host service | Container client | Default port |
|---|---|---|
| AI gateway (OpenClaw, LiteLLM) | Workflow orchestrator (Windmill, n8n) | 18789 |
| MCP server | Dockerized agent | varies |
| Ollama | RAG pipeline, agent | 11434 |
| PostgreSQL | API server | 5432 |
| Redis | Any containerized app | 6379 |

Troubleshooting

| Symptom | Cause | Fix |
|---|---|---|
| 30s timeout, no error | Firewall dropping packets | Add UFW rule on the bridge interface |
| Connection refused | socat not running | systemctl status socat-<SOURCE_NETWORK>-<TARGET_SERVICE>-<PORT> |
| Works then stops after Docker restart | Bridge IP changed | Check new gateway IP, update socat bind |
| socat won't start after reboot | Docker not ready | Ensure After=docker.service in unit file |

Alternatives

Depending on your security posture, consider:

  • Docker host networking (network_mode: host): simpler but removes all container network isolation
  • Running socat inside a minimal privileged container: avoids host-level systemd changes
  • Configuring the host service to bind to the Docker bridge IP directly: no socat needed, but the service must support custom bind addresses
  • host.docker.internal (Docker Desktop): works on Mac/Windows, not reliably on Linux

Prerequisites

Install socat from your distro's official package repository:

```bash
sudo apt-get install -y socat   # Debian/Ubuntu
sudo dnf install -y socat       # Fedora/RHEL
```

References

  • Blog post: The Localhost Trap, on why this problem exists and why it matters for AI infrastructure
  • Source: Casys-AI/casys-pml-cloud
  • Docker docs: Packet filtering and firewalls
