How to prevent remote access in iptables

polymath asked:

I have iptables set up with docker-compose but my whitelisting of only the ip addresses I want doesn’t seem to be working as the server is still getting remote access attempts:

Connection matched pg_hba.conf line 95: "host all all all md5"
2021-09-01 21:36:42.132 UTC [8821] FATAL:  password authentication failed for user "postgres"
2021-09-01 21:36:42.132 UTC [8821] DETAIL:  Role "postgres" does not exist.

How can I fix my iptables to be setup correctly? What have I done wrong here?

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s xxx.xxx.xx.xx/xx -p tcp -m tcp --dport 5432 -j ACCEPT (where x is removed ip addresses)
-A INPUT -s xxx.xxx.xx.xx/xx -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-1de8a78b46b8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-1de8a78b46b8 -j DOCKER
-A FORWARD -i br-1de8a78b46b8 ! -o br-1de8a78b46b8 -j ACCEPT
-A FORWARD -i br-1de8a78b46b8 -o br-1de8a78b46b8 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -m iprange --src-range 82.208.14.110-82.208.14.119 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER -d 172.18.0.2/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 2368 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 5900 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 4444 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 9300 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 9200 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-1de8a78b46b8 ! -o br-1de8a78b46b8 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-1de8a78b46b8 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

EDIT:

Here is my docker-compose config:

  postgres:
    image: "postgres:12.1"
    env_file:
      - '.env'
    ports:
      - '5432:5432' # removed 127.0.0.1: - adding firewalls in iptables

    restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
    stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
    volumes:
      - postgres:/var/lib/postgresql/data
      - /opt/ghost_postgres:/var/lib/postgres
    networks: 
      - esnet

  redis:
    image: redis:5.0.6-alpine
    command: redis-server --requirepass "${REDIS_PASS}"
    restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
    stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
    ports:
      - '6379:6379'
    volumes:
      - redis:/var/lib/redis/data
    networks: 
      - esnet


  prosebit:
    build: 
      context: "."
      args:
        - "FLASK_ENV=${FLASK_ENV:-production}"
        - "NODE_ENV=${NODE_ENV:-production}"
    depends_on:
      - "postgres"
      - "redis"
    env_file:
      - ".env"
    ports:
      - "${DOCKER_WEB_PORT:-127.0.0.1:8000}:8000"
    restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
    stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
    volumes:
      - "${DOCKER_WEB_VOLUME:-./public:/app/public}"
    networks:
      - esnet
      
  web: 
    depends_on:
      - prosebit
    restart: always
    build:
      context: ../nginx #added /deploy for development, remove for production
      dockerfile: Dockerfile
    volumes:
      ...
    ports:
      - 80:80
      - 443:443
    networks:
      - "esnet"


  celery:
    build: 
      context: "."
      args: 
        - "FLASK_ENV=${FLASK_ENV:-production}"
        - "NODE_ENV=${NODE_ENV:-production}"
    command: celery worker -B -l info -A 
    env_file:
      - '.env'
    depends_on:
      - "postgres"
      - "redis"
    env_file:
      - ".env"
    restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
    stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
    volumes:
      - "${DOCKER_WEB_VOLUME:-./public:/app/public}"
    networks:
      - "esnet"

My answer:


Docker opens the port in the firewall itself, because your docker-compose.yml explicitly requests the port 5432 to be exposed to the world.

    ports:
      - '5432:5432' # removed 127.0.0.1: - adding firewalls in iptables

It’s not clear why this is here at all, in any form. Remember that services in the same network can always access each other and do not need ports specified. Only specify ports to allow access from outside.

PS: You’ve also exposed your redis container to the world, which is probably also not what you want.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.