Unable to expose external port 80 on a Fly machine

The connections seem to get stuck in the SYN_RECV state.

netstat output:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:58972 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:62250 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:58508 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:61570 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:62740 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:63436 SYN_RECV
tcp6       0      0 2604:1380:45f1:38:39306 2604:a880:800:10::https ESTABLISHED
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:62588 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:57436 SYN_RECV
tcp6       0      0 2604:1380:45f1:38:47312 2a05:d014:386::www-http ESTABLISHED
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:61820 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:59608 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:58070 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:63224 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:61350 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:60140 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:63700 SYN_RECV
tcp6       0      0 2604:1380:45f1:38:34394 2600:1f18:429f:93:https ESTABLISHED
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:59362 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:62290 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:61066 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:57632 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:58330 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:63666 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:60844 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:58740 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:57228 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:62470 SYN_RECV
tcp6       0      0 172.19.0.114:http-alt   worker-pkt-dc13-9:60414 SYN_RECV

tshark output on eth0:

 ** (tshark:10844) 19:55:58.587972 [Main MESSAGE] -- Capture started.
 ** (tshark:10844) 19:55:58.588022 [Main MESSAGE] -- File: "/tmp/wireshark_eth09UFVO1.pcapng"
    1 0.000000000 147.28.129.183 → 172.19.0.114 TCP 74 47292 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902033615 TSecr=0 WS=2048
    2 1.007899940 147.28.129.183 → 172.19.0.114 TCP 74 [TCP Retransmission] [TCP Port numbers reused] 47292 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902034623 TSecr=0 WS=2048
    3 2.027104247 147.28.129.183 → 172.19.0.114 TCP 74 47448 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902035642 TSecr=0 WS=2048
    4 3.055845517 147.28.129.183 → 172.19.0.114 TCP 74 [TCP Retransmission] [TCP Port numbers reused] 47448 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902036671 TSecr=0 WS=2048
    5 4.068429510 147.28.129.183 → 172.19.0.114 TCP 74 47610 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902037683 TSecr=0 WS=2048
    6 5.099868789 147.28.129.183 → 172.19.0.114 TCP 74 [TCP Retransmission] [TCP Port numbers reused] 47610 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902038715 TSecr=0 WS=2048
    7 6.171559627 147.28.129.183 → 172.19.0.114 TCP 74 47754 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902039786 TSecr=0 WS=2048
    8 7.184160111 147.28.129.183 → 172.19.0.114 TCP 74 [TCP Retransmission] [TCP Port numbers reused] 47754 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902040799 TSecr=0 WS=2048
    9 8.377188305 147.28.129.183 → 172.19.0.114 TCP 74 47928 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902041992 TSecr=0 WS=2048
   10 9.388081727 147.28.129.183 → 172.19.0.114 TCP 74 [TCP Retransmission] [TCP Port numbers reused] 47928 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902043003 TSecr=0 WS=2048
   11 10.606248099 147.28.129.183 → 172.19.0.114 TCP 74 48094 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902044221 TSecr=0 WS=2048
   12 11.628026954 147.28.129.183 → 172.19.0.114 TCP 74 [TCP Retransmission] [TCP Port numbers reused] 48094 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902045243 TSecr=0 WS=2048
   13 13.132428181 147.28.129.183 → 172.19.0.114 TCP 74 48322 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902046747 TSecr=0 WS=2048
   14 14.155939314 147.28.129.183 → 172.19.0.114 TCP 74 [TCP Retransmission] [TCP Port numbers reused] 48322 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902047771 TSecr=0 WS=2048
   15 16.134409735 147.28.129.183 → 172.19.0.114 TCP 74 48540 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902049749 TSecr=0 WS=2048
   16 17.167821593 147.28.129.183 → 172.19.0.114 TCP 74 [TCP Retransmission] [TCP Port numbers reused] 48540 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902050783 TSecr=0 WS=2048
   17 19.136562309 147.28.129.183 → 172.19.0.114 TCP 74 48980 → 8080 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=1902052752 TSecr=0 WS=2048

tshark output on dummy0

Running as user "root" and group "root". This could be dangerous.
Capturing on 'dummy0'
 ** (tshark:10877) 19:57:04.342028 [Main MESSAGE] -- Capture started.
 ** (tshark:10877) 19:57:04.342105 [Main MESSAGE] -- File: "/tmp/wireshark_dummy03OO0O1.pcapng"
    1 0.000000000 172.19.0.114 → 147.28.129.183 TCP 74 8080 → 53012 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=1641639576 TSecr=1902091662 WS=128
    2 0.159993864 172.19.0.114 → 147.28.129.183 TCP 74 8080 → 52478 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=1641639736 TSecr=1902088659 WS=128
    3 0.415990287 172.19.0.114 → 147.28.129.183 TCP 74 8080 → 51828 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=1641639992 TSecr=1902079693 WS=128
    4 0.416004313 172.19.0.114 → 147.28.129.183 TCP 74 8080 → 50414 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=1641639992 TSecr=1902064683 WS=128
    5 2.208293235 172.19.0.114 → 147.28.129.183 TCP 74 8080 → 52020 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=1641641784 TSecr=1902082656 WS=128
    6 3.487973996 172.19.0.114 → 147.28.129.183 TCP 74 8080 → 50664 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=1641643064 TSecr=1902067684 WS=128
    7 4.256360382 172.19.0.114 → 147.28.129.183 TCP 74 [TCP Retransmission] 8080 → 53012 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=1641643832 TSecr=1902091662 WS=128
    8 5.280360622 172.19.0.114 → 147.28.129.183 TCP 74 8080 → 52246 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=1641644856 TSecr=1902085657 WS=128
    9 6.560348640 172.19.0.114 → 147.28.129.183 TCP 74 8080 → 50912 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=1641646136 TSecr=1902070686 WS=128
   10 8.352358097 172.19.0.114 → 147.28.129.183 TCP 74 [TCP Retransmission] 8080 → 52478 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=1641647928 TSecr=1902088659 WS=128
   11 9.376357485 172.19.0.114 → 147.28.129.183 TCP 74 8080 → 51112 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=1641648952 TSecr=1902073689 WS=128

The machine is listening on 8080 internally with 80 exposed for TCP
Machine ID: 3d8d379fe24689

These two tshark dumps make it look as if SYNs are arriving on eth0, but the ACKs are going out on dummy0. Does the container you’re running do anything interesting with host networking?

On my local test instance, I can’t even attach tcpdump to dummy0; the interface is down. What does ip a show you?