Docker bypasses NixOS firewall exposing ports on the external interface #111852
Comments
I recommend using the podman backend for oci-containers instead. This will honour firewall rules.
@adisbladis I agree that using podman is the preferred solution. To resolve this particular bug either Docker needs to be removed as an
@pjones I think I thought it's going to be a "wontfix", but it doesn't warrant closing of the issue, in hindsight.
I've worked around this using
This allows traffic originating from containers to work, but connectivity from outside is filtered. I'm a total NixOS newbie, but would having something similar by default when the firewall is enabled and Docker is installed, adding rules based on some options etc., allow people to use Docker safely?
Could someone add a severity:security label? This could be really bad if someone is unaware that they're exposing something externally.
I had the same issue using the podman backend. Are you sure that podman works properly?
This seems to be an issue with
Just want to add that I believe you can disable this behavior by instructing the docker daemon not to manage iptables. This can be done by passing the following arguments to
In a
You can verify the additional flags have been passed via You may need to flush iptables rules to see this take effect; I believe that can be achieved by restarting. There may be another way to flush the rules without restarting, but I'm not sure how to do this in NixOS. More info at: https://docs.docker.com/network/iptables/#prevent-docker-from-manipulating-iptables
In the most common case, you don't even need to disable Docker's iptables integration or add custom config to your iptables - you can simply specify the port binding as
No, this can mess up container communications, e.g. no internet/DNS inside containers.
I ran across this issue today - this is a problem which needs a solution, or at least a warning. The firewall is basically broken in certain situations, and if I didn't test access I would be unaware. @egasimus's solution is valid but should not be required; the firewall should do its job. Has this issue really been open for ~18 months?
Woah. This is a massive footgun. Maybe we should also add a warning message in the terminal if
Potential solution here. Perhaps a toggle to add said rules is required: https://github.com/chaifeng/ufw-docker
I just stumbled on this with podman, which also exhibits this behaviour, which is by design and in line with Docker and CNI: containers/podman#15623 The rules for this reside in the NAT iptables table (see https://www.cni.dev/plugins/current/meta/portmap/#dnat) instead of the FILTER table where Docker does its thing. The best solution seems to be to use explicit IPs in port mapping.
For me, it worked using
The real Docker-centric workaround for this is to use
Disabling iptables in the Docker daemon settings is the simplest workaround, I think.
https://docs.docker.com/network/packet-filtering-firewalls/ has a couple of different solutions for this. Setting Since I regularly use docker-compose, I additionally blocked external traffic in the Docker chain.

networking.firewall.extraCommands = ''
  # Docker consults DOCKER-USER before its own FORWARD rules, so rules placed
  # here take precedence over the DNAT-published ports.
  iptables -N DOCKER-USER || true
  iptables -F DOCKER-USER
  # Keep replies to connections that containers opened towards the outside.
  iptables -A DOCKER-USER -i <external_iface> -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Drop every new connection that arrives on the external interface.
  iptables -A DOCKER-USER -i <external_iface> -j DROP
  iptables -A DOCKER-USER -j RETURN
'';
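The thread notes that the published ports live as DNAT rules in the nat table's DOCKER chain and that only mappings with an explicit bind address escape the external interface. As an added audit helper (not code from the issue or from NixOS), the script below parses the output of `iptables -t nat -S DOCKER` and lists every publication that lacks a `-d` match, i.e. the ports reachable on all host addresses regardless of `networking.firewall.allowedTCPPorts`. The rule text format is assumed from Docker 20.x; the sample is constructed.

```shell
#!/usr/bin/env bash
# Report Docker DNAT publications that are bound to every host address.
# Reads `iptables -t nat -S DOCKER` text on stdin (format assumed from
# Docker 20.x). Rules carrying `-d <addr>/32` were published with an
# explicit bind address such as 127.0.0.1:5432:5432 and are skipped;
# all other DNAT rules are printed as "proto:hostport -> container".
audit_docker_dnat() {
  awk '
    $1 == "-A" && $2 == "DOCKER" && /-j DNAT/ {
      proto = ""; port = ""; dest = ""; bound = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "-d") bound = 1
        else if ($i == "-p") proto = $(i + 1)
        else if ($i == "--dport") port = $(i + 1)
        else if ($i == "--to-destination") dest = $(i + 1)
      }
      if (!bound && port != "") printf "%s:%s -> %s\n", proto, port, dest
    }
  '
}

# Constructed sample modelled on a host with one container published as
# -p 8080:80 (exposed externally) and one as -p 127.0.0.1:5432:5432 (safe).
SAMPLE_DOCKER_NAT='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -d 127.0.0.1/32 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432'

# On a real host run:  iptables -t nat -S DOCKER | audit_docker_dnat
printf '%s\n' "$SAMPLE_DOCKER_NAT" | audit_docker_dnat
```

Any line it prints is a port the NixOS firewall never filtered; rebind it to a loopback or internal address, or add the DOCKER-USER drop rule shown above.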
Using virtualisation.oci-containers.containers.<name>.ports exposes ports on the external interface regardless of firewall settings. Docker injects its own firewall rules, bypassing the NixOS firewall.
To Reproduce
Configure a container and use the ports option:
Expected behavior
Additional context
My iptables skills are lacking, but I think this rule, created by Docker, is the problem:
This was brought up in 2018 via #40507, but it looks like GitHub has deleted some comments and it's not clear why the issue was closed.
Notify maintainers
@adisbladis @offlinehacker @tailhook @vdemeester @periklis
Metadata
"x86_64-linux"
Linux 5.9.16, NixOS, 20.09pre-git (Nightingale)
yes
yes
nix-env (Nix) 2.3.10
/nix/store/3p4q8xc5y9kr57ysmd0s2s20s174pg23-a058d005b3cbb370bf171ebce01839dd6ff52222.tar.gz