Ricardo Mendes asked:
I have a question, I have the following iptables config:
[[email protected] ~]# iptables -L INPUT --line-numbers -n
Chain INPUT (policy DROP)
num  target              prot opt source           destination
1    ACCEPT              all  --  0.0.0.0/0        0.0.0.0/0    ctstate RELATED,ESTABLISHED
2    ACCEPT              all  --  my_local_ip/32   0.0.0.0/0
3    INPUT_direct        all  --  0.0.0.0/0        0.0.0.0/0
4    INPUT_ZONES_SOURCE  all  --  0.0.0.0/0        0.0.0.0/0
5    INPUT_ZONES         all  --  0.0.0.0/0        0.0.0.0/0
6    DROP                all  --  0.0.0.0/0        0.0.0.0/0    ctstate INVALID
7    REJECT              all  --  0.0.0.0/0        0.0.0.0/0    reject-with icmp-host-prohibited
However, if I telnet to this machine from a random host (let's say, for example, from a DNS server to this server), I can still get through.
[[email protected] ~]# telnet server.com 3306
Trying server.com...
Connected to server.com.
Escape character is '^]'.
X 5.5.5-10.2.8-MariaDB =wbeV^Th???3`[email protected]_native_password
^C
Connection closed by foreign host.
[[email protected] ~]#
Port 3306 is bound from a Docker container to the host machine using the '-p 3306:3306' flag.
Why is this?
I have a feeling all servers I have with Docker installed via Docker's sh script are all open, because I just recently found out that this installation breaks firewalld completely.
You can get through because you specifically EXPOSEd that port to the Internet using docker run -p.
Docker creates the necessary iptables rules (which are not in the INPUT chain, so looking there is pointless) to cause this traffic to reach your container.
You MUST NOT expose ports which you do not want reachable from outside the host.
To create a setup with multiple containers that talk to each other privately, use docker-compose.
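To see what the answer describes in practice, here is an added audit script that is not part of the original question or answer. Docker publishes a port by adding a DNAT rule to its own DOCKER chain in the nat table (and a matching ACCEPT in the filter table's FORWARD path), so `iptables -L INPUT` never shows it; `iptables-save -t nat` does. The script parses that output and reports which published ports are bound to every interface and which are loopback-only. The sample rules, the container addresses on 172.17.0.0/16 and the function names are all constructed for this illustration; on a real host you would pipe the live `iptables-save -t nat` output into the function instead.

```shell
#!/bin/sh
# Added example, not code from the original post or from Docker.
# Audit which container ports Docker has published by reading the nat-table
# DNAT rules it installs in its DOCKER chain. The INPUT chain is the wrong
# place to look: published traffic is DNATed in PREROUTING and then FORWARDed.
#
# SAMPLE_NAT_RULES is a constructed imitation of `iptables-save -t nat` on a
# host running two containers:
#   - one started with `-p 3306:3306`            (bound to all interfaces)
#   - one started with `-p 127.0.0.1:6379:6379`  (bound to loopback only)
# Container IPs on the 172.17.0.0/16 bridge are illustrative.
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.17.0.2:3306
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.3:6379
COMMIT'

# list_published_ports: reads iptables-save nat rules on stdin and prints one
# line per DNAT rule in the DOCKER chain:
#   <proto> <host-bind-address> <host-port> -> <container-ip:port> <scope>
# A rule without a `-d <addr>` match applies to every local address, which is
# what `-p HOSTPORT:CONTAINERPORT` without an explicit IP produces.
list_published_ports() {
    grep -- '-A DOCKER .* -j DNAT' | while read -r line; do
        bind='0.0.0.0'
        case "$line" in
            *' -d '*) bind=$(printf '%s\n' "$line" | sed -n 's/.* -d \([^/ ]*\).*/\1/p') ;;
        esac
        proto=$(printf '%s\n' "$line" | sed -n 's/.* -p \([a-z]*\) .*/\1/p')
        port=$(printf '%s\n' "$line" | sed -n 's/.* --dport \([0-9]*\) .*/\1/p')
        dest=$(printf '%s\n' "$line" | sed -n 's/.*--to-destination \([^ ]*\).*/\1/p')
        case "$bind" in
            127.*) scope='loopback-only' ;;
            *)     scope='EXPOSED-TO-ALL-INTERFACES' ;;
        esac
        printf '%s %s %s -> %s %s\n' "$proto" "$bind" "$port" "$dest" "$scope"
    done
}

# exposed_ports: just the host ports that any remote host can reach,
# i.e. the ones the host firewall's INPUT rules will never see.
exposed_ports() {
    list_published_ports | grep 'EXPOSED' | awk '{print $3}'
}

# Run against the constructed sample. On a real host use:
#   iptables-save -t nat | list_published_ports
printf '%s\n' "$SAMPLE_NAT_RULES" | list_published_ports
```

Against the sample this reports 3306 as exposed to all interfaces and 6379 as loopback-only. The fix for the case in the question is to publish to a specific address, `docker run -p 127.0.0.1:3306:3306 ...`, which makes Docker add `-d 127.0.0.1/32` to the DNAT rule, or to not publish the port at all and let other containers reach MariaDB over a private Docker network. If you do need host-level filtering of published ports, Docker leaves the DOCKER-USER chain in the filter table for rules of your own; rules placed in INPUT will not apply to this traffic.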
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.