Issue insulating docker containers

Ricardo Mendes asked:

I have a question, I have the following iptables config:

[[email protected] ~]# iptables -L INPUT --line-numbers -n
Chain INPUT (policy DROP)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  my_local_ip/32         0.0.0.0/0           
3    INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
4    INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
5    INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
6    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

however, if I telnet to this machine from a random, let’s say for example this was from a DNS server to this server, I can still get through.

[[email protected] ~]# telnet server.com 3306
Trying server.com...
Connected to server.com.
Escape character is '^]'.
X
5.5.5-10.2.8-MariaDB    =wbeV^Th???3`[email protected]_native_password
^C
Connection closed by foreign host.
[[email protected] ~]# 

port 3306 is bind from a docker container to the host machine using the ‘-p 3306:3306’ flag.

Why is this?
I have a feeling all servers I have with docker installed via dockers’ sh script are all open, bc I just recently found out that this installation breaks firewalld completely.

My answer:


You can get through because you specifically EXPOSEd that port to the Internet using docker run -p.

Docker creates the necessary iptables rules (which are not in the INPUT chain, so looking there is pointless) to cause this traffic to reach your container.

You MUST NOT expose ports which you do not want reachable from outside the host.

To create a setup with multiple containers that talk to each other privately, use docker-compose.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.