Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

With firewalld, all docker containers that are listening on 0.0.0.0:PORT are exposed to the outside #2682

Open
idc77 opened this issue May 13, 2024 · 1 comment
Open

With firewalld, all docker containers that are listening on 0.0.0.0:PORT are exposed to the outside #2682

idc77 opened this issue May 13, 2024 · 1 comment

Comments

@idc77
Copy link

idc77 commented May 13, 2024
edited 

cat /etc/os-release 
NAME="Rocky Linux"
VERSION="9.4 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.4 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.4"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"

dnf info firewalld

Last metadata expiration check: 1:39:33 ago on Mon 13 May 2024 05:54:03 PM CEST.
Installed Packages
Name         : firewalld
Version      : 1.3.4
Release      : 1.el9
Architecture : noarch
Size         : 2.0 M
Source       : firewalld-1.3.4-1.el9.src.rpm
Repository   : @System
From repo    : baseos
Summary      : A firewall daemon with D-Bus interface providing a dynamic firewall
URL          : http://www.firewalld.org
License      : GPLv2+
Description  : firewalld is a firewall service daemon that provides a dynamic customizable
             : firewall with a D-Bus interface.

dnf info docker-ce
Last metadata expiration check: 1:40:29 ago on Mon 13 May 2024 05:54:03 PM CEST.
Installed Packages
Name         : docker-ce
Epoch        : 3
Version      : 26.1.2
Release      : 1.el9
Architecture : x86_64
Size         : 104 M
Source       : docker-ce-26.1.2-1.el9.src.rpm
Repository   : @System
From repo    : docker-ce-stable
Summary      : The open-source application container engine
URL          : https://www.docker.com
License      : ASL 2.0
Description  : Docker is a product for you to build, ship and run any application as a
             : lightweight container.
             : 
             : Docker containers are both hardware-agnostic and platform-agnostic. This means
             : they can run anywhere, from your laptop to the largest cloud compute instance
             : and everything in between - and they don't require you to use a particular
             : language, framework or packaging system. That makes them great building blocks
             : for deploying and scaling web apps, databases, and backend services without
             : depending on a particular stack or provider.

May 13 19:08:40 my.server.tld systemd[1]: Starting firewalld - dynamic firewall daemon...
May 13 19:08:40 my.server.tld systemd[1]: Started firewalld - dynamic firewall daemon.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.10 (nf_tables): Chain 'DOCKER' d>
                                           Try `iptables -h' or 'iptables --help' for more information.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER' failed: iptables v1.8.10 (nf_tables): >
                                           Try `iptables -h' or 'iptables --help' for more information.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.10 (nf_tables): Chain 'DOCKER' does >
                                           Try `iptables -h' or 'iptables --help' for more information.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -F DOCKER' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.

All docker containers listening on 0.0.0.0:PORT are accessible from the outside via servername:PORT

# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-07d0391e2b4b docker0
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcp dns ssh
  ports: 
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client http https ssh
  ports: 22022/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
	port=22:proto=tcp:toport=2222:toaddr=
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="123.127.10.215" reject

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

# docker ps
CONTAINER ID   IMAGE                                 COMMAND                  CREATED        STATUS                    PORTS                                                                                  NAMES
d5d8a3fde475   ghcr.io/goauthentik/server:2024.4.2   "dumb-init -- ak wor…"   4 days ago     Up 30 minutes (healthy)                                                                                          authentik-worker-1
b9d3472af44d   ghcr.io/goauthentik/server:2024.4.2   "dumb-init -- ak ser…"   4 days ago     Up 30 minutes (healthy)   0.0.0.0:9000->9000/tcp, :::9000->9000/tcp, 0.0.0.0:9443->9443/tcp, :::9443->9443/tcp   authentik-server-1
12232c4f4328   redis:alpine                          "docker-entrypoint.s…"   4 days ago     Up 30 minutes (healthy)   6379/tcp                                                                               authentik-redis-1
cf3539d22be5   local_discourse/redacted             "/sbin/boot"             3 months ago   Up 30 minutes             0.0.0.0:3280->80/tcp, :::3280->80/tcp                                                  redacted

# ss -tnlp
State          Recv-Q          Send-Q                        Local Address:Port                    Peer Address:Port         Process                                                                                                                      
LISTEN         0               2000                              127.0.0.1:5432                         0.0.0.0:*             users:(("postgres",pid=2528,fd=8))                                                                                          
LISTEN         0               128                                 0.0.0.0:22022                        0.0.0.0:*             users:(("sshd",pid=767,fd=3))                                                                                               
LISTEN         0               151                               127.0.0.1:3306                         0.0.0.0:*             users:(("mysqld",pid=2155,fd=105))                                                                                          
LISTEN         0               4096                                0.0.0.0:3280                         0.0.0.0:*             users:(("docker-proxy",pid=2075,fd=4))                                                                                      
LISTEN         0               511                                 0.0.0.0:443                          0.0.0.0:*             users:(("nginx",pid=976,fd=42),("nginx",pid=975,fd=42),("nginx",pid=974,fd=42),("nginx",pid=972,fd=42),("nginx",pid=971,fd=42),("nginx",pid=969,fd=42),("nginx",pid=968,fd=42),("nginx",pid=966,fd=42),("nginx",pid=965,fd=42),("nginx",pid=964,fd=42),("nginx",pid=963,fd=42))
LISTEN         0               511                                 0.0.0.0:80                           0.0.0.0:*             users:(("nginx",pid=976,fd=40),("nginx",pid=975,fd=40),("nginx",pid=974,fd=40),("nginx",pid=972,fd=40),("nginx",pid=971,fd=40),("nginx",pid=969,fd=40),("nginx",pid=968,fd=40),("nginx",pid=966,fd=40),("nginx",pid=965,fd=40),("nginx",pid=964,fd=40),("nginx",pid=963,fd=40))
LISTEN         0               70                                127.0.0.1:33060                        0.0.0.0:*             users:(("mysqld",pid=2155,fd=21))                                                                                           
LISTEN         0               2000                             172.17.0.1:5432                         0.0.0.0:*             users:(("postgres",pid=2528,fd=9))                                                                                          
LISTEN         0               4096                              127.0.0.1:27017                        0.0.0.0:*             users:(("mongod",pid=871,fd=14))                                                                                            
LISTEN         0               4096                                0.0.0.0:9000                         0.0.0.0:*             users:(("docker-proxy",pid=2126,fd=4))                                                                                      
LISTEN         0               4096                                0.0.0.0:9443                         0.0.0.0:*             users:(("docker-proxy",pid=1963,fd=4))                                                                                      
LISTEN         0               50                                        *:37605                              *:*             users:(("java",pid=7817,fd=288))                                                                                            
LISTEN         0               4096                                      *:4545                               *:*             users:(("blogsql",pid=2790,fd=7))                                                                                           
LISTEN         0               128                                    [::]:22022                           [::]:*             users:(("sshd",pid=767,fd=4))                                                                                               
LISTEN         0               50                       [::ffff:127.0.0.1]:37741                              *:*             users:(("java",pid=7817,fd=314))                                                                                            
LISTEN         0               4096                     [::ffff:127.0.0.1]:4001                               *:*             users:(("java",pid=7817,fd=316))                                                                                            
LISTEN         0               4096                                      *:2222                               *:*             users:(("gitea",pid=3076,fd=16))                                                                                            
LISTEN         0               4096                                   [::]:3280                            [::]:*             users:(("docker-proxy",pid=2088,fd=4))                                                                                      
LISTEN         0               2000                                  [::1]:5432                            [::]:*             users:(("postgres",pid=2528,fd=7))                                                                                          
LISTEN         0               511                                    [::]:443                             [::]:*             users:(("nginx",pid=976,fd=43),("nginx",pid=975,fd=43),("nginx",pid=974,fd=43),("nginx",pid=972,fd=43),("nginx",pid=971,fd=43),("nginx",pid=969,fd=43),("nginx",pid=968,fd=43),("nginx",pid=966,fd=43),("nginx",pid=965,fd=43),("nginx",pid=964,fd=43),("nginx",pid=963,fd=43))
LISTEN         0               511                                    [::]:80                              [::]:*             users:(("nginx",pid=976,fd=41),("nginx",pid=975,fd=41),("nginx",pid=974,fd=41),("nginx",pid=972,fd=41),("nginx",pid=971,fd=41),("nginx",pid=969,fd=41),("nginx",pid=968,fd=41),("nginx",pid=966,fd=41),("nginx",pid=965,fd=41),("nginx",pid=964,fd=41),("nginx",pid=963,fd=41))
LISTEN         0               511                                       *:10500                              *:*             users:(("node /var/www/x",pid=1195,fd=20))                                                                                  
LISTEN         0               511                                       *:10400                              *:*             users:(("node /var/www/n",pid=1209,fd=20))                                                                                  
LISTEN         0               4096                                   [::]:9000                            [::]:*             users:(("docker-proxy",pid=2136,fd=4))                                                                                      
LISTEN         0               4096                                   [::]:9443                            [::]:*             users:(("docker-proxy",pid=1996,fd=4))

All *:PORT are correctly blocked
All docker-proxy 0.0.0.0:PORT are not blocked
@idc77
Copy link
Author

idc77 commented May 13, 2024

sigh, can you transfer this issue to moby/moby?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@idc77