moby / libnetwork

networking for containers

With firewalld, all docker containers that are listening on 0.0.0.0:PORT are exposed to the outside

idc77 opened this issue · comments

cat /etc/os-release 
NAME="Rocky Linux"
VERSION="9.4 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.4 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.4"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"
dnf info firewalld

Last metadata expiration check: 1:39:33 ago on Mon 13 May 2024 05:54:03 PM CEST.
Installed Packages
Name         : firewalld
Version      : 1.3.4
Release      : 1.el9
Architecture : noarch
Size         : 2.0 M
Source       : firewalld-1.3.4-1.el9.src.rpm
Repository   : @System
From repo    : baseos
Summary      : A firewall daemon with D-Bus interface providing a dynamic firewall
URL          : http://www.firewalld.org
License      : GPLv2+
Description  : firewalld is a firewall service daemon that provides a dynamic customizable
             : firewall with a D-Bus interface.
dnf info docker-ce
Last metadata expiration check: 1:40:29 ago on Mon 13 May 2024 05:54:03 PM CEST.
Installed Packages
Name         : docker-ce
Epoch        : 3
Version      : 26.1.2
Release      : 1.el9
Architecture : x86_64
Size         : 104 M
Source       : docker-ce-26.1.2-1.el9.src.rpm
Repository   : @System
From repo    : docker-ce-stable
Summary      : The open-source application container engine
URL          : https://www.docker.com
License      : ASL 2.0
Description  : Docker is a product for you to build, ship and run any application as a
             : lightweight container.
             : 
             : Docker containers are both hardware-agnostic and platform-agnostic. This means
             : they can run anywhere, from your laptop to the largest cloud compute instance
             : and everything in between - and they don't require you to use a particular
             : language, framework or packaging system. That makes them great building blocks
             : for deploying and scaling web apps, databases, and backend services without
             : depending on a particular stack or provider.
May 13 19:08:40 my.server.tld systemd[1]: Starting firewalld - dynamic firewall daemon...
May 13 19:08:40 my.server.tld systemd[1]: Started firewalld - dynamic firewall daemon.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.10 (nf_tables): Chain 'DOCKER' d>
                                           Try `iptables -h' or 'iptables --help' for more information.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER' failed: iptables v1.8.10 (nf_tables): >
                                           Try `iptables -h' or 'iptables --help' for more information.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.10 (nf_tables): Chain 'DOCKER' does >
                                           Try `iptables -h' or 'iptables --help' for more information.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -F DOCKER' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
May 13 19:08:42 my.server.tld firewalld[727]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.

All docker containers listening on 0.0.0.0:PORT are accessible from the outside via servername:PORT

# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-07d0391e2b4b docker0
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcp dns ssh
  ports: 
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client http https ssh
  ports: 22022/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
	port=22:proto=tcp:toport=2222:toaddr=
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="123.127.10.215" reject

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
# docker ps
CONTAINER ID   IMAGE                                 COMMAND                  CREATED        STATUS                    PORTS                                                                                  NAMES
d5d8a3fde475   ghcr.io/goauthentik/server:2024.4.2   "dumb-init -- ak wor…"   4 days ago     Up 30 minutes (healthy)                                                                                          authentik-worker-1
b9d3472af44d   ghcr.io/goauthentik/server:2024.4.2   "dumb-init -- ak ser…"   4 days ago     Up 30 minutes (healthy)   0.0.0.0:9000->9000/tcp, :::9000->9000/tcp, 0.0.0.0:9443->9443/tcp, :::9443->9443/tcp   authentik-server-1
12232c4f4328   redis:alpine                          "docker-entrypoint.s…"   4 days ago     Up 30 minutes (healthy)   6379/tcp                                                                               authentik-redis-1
cf3539d22be5   local_discourse/redacted             "/sbin/boot"             3 months ago   Up 30 minutes             0.0.0.0:3280->80/tcp, :::3280->80/tcp                                                  redacted
# ss -tnlp
State          Recv-Q          Send-Q                        Local Address:Port                    Peer Address:Port         Process                                                                                                                      
LISTEN         0               2000                              127.0.0.1:5432                         0.0.0.0:*             users:(("postgres",pid=2528,fd=8))                                                                                          
LISTEN         0               128                                 0.0.0.0:22022                        0.0.0.0:*             users:(("sshd",pid=767,fd=3))                                                                                               
LISTEN         0               151                               127.0.0.1:3306                         0.0.0.0:*             users:(("mysqld",pid=2155,fd=105))                                                                                          
LISTEN         0               4096                                0.0.0.0:3280                         0.0.0.0:*             users:(("docker-proxy",pid=2075,fd=4))                                                                                      
LISTEN         0               511                                 0.0.0.0:443                          0.0.0.0:*             users:(("nginx",pid=976,fd=42),("nginx",pid=975,fd=42),("nginx",pid=974,fd=42),("nginx",pid=972,fd=42),("nginx",pid=971,fd=42),("nginx",pid=969,fd=42),("nginx",pid=968,fd=42),("nginx",pid=966,fd=42),("nginx",pid=965,fd=42),("nginx",pid=964,fd=42),("nginx",pid=963,fd=42))
LISTEN         0               511                                 0.0.0.0:80                           0.0.0.0:*             users:(("nginx",pid=976,fd=40),("nginx",pid=975,fd=40),("nginx",pid=974,fd=40),("nginx",pid=972,fd=40),("nginx",pid=971,fd=40),("nginx",pid=969,fd=40),("nginx",pid=968,fd=40),("nginx",pid=966,fd=40),("nginx",pid=965,fd=40),("nginx",pid=964,fd=40),("nginx",pid=963,fd=40))
LISTEN         0               70                                127.0.0.1:33060                        0.0.0.0:*             users:(("mysqld",pid=2155,fd=21))                                                                                           
LISTEN         0               2000                             172.17.0.1:5432                         0.0.0.0:*             users:(("postgres",pid=2528,fd=9))                                                                                          
LISTEN         0               4096                              127.0.0.1:27017                        0.0.0.0:*             users:(("mongod",pid=871,fd=14))                                                                                            
LISTEN         0               4096                                0.0.0.0:9000                         0.0.0.0:*             users:(("docker-proxy",pid=2126,fd=4))                                                                                      
LISTEN         0               4096                                0.0.0.0:9443                         0.0.0.0:*             users:(("docker-proxy",pid=1963,fd=4))                                                                                      
LISTEN         0               50                                        *:37605                              *:*             users:(("java",pid=7817,fd=288))                                                                                            
LISTEN         0               4096                                      *:4545                               *:*             users:(("blogsql",pid=2790,fd=7))                                                                                           
LISTEN         0               128                                    [::]:22022                           [::]:*             users:(("sshd",pid=767,fd=4))                                                                                               
LISTEN         0               50                       [::ffff:127.0.0.1]:37741                              *:*             users:(("java",pid=7817,fd=314))                                                                                            
LISTEN         0               4096                     [::ffff:127.0.0.1]:4001                               *:*             users:(("java",pid=7817,fd=316))                                                                                            
LISTEN         0               4096                                      *:2222                               *:*             users:(("gitea",pid=3076,fd=16))                                                                                            
LISTEN         0               4096                                   [::]:3280                            [::]:*             users:(("docker-proxy",pid=2088,fd=4))                                                                                      
LISTEN         0               2000                                  [::1]:5432                            [::]:*             users:(("postgres",pid=2528,fd=7))                                                                                          
LISTEN         0               511                                    [::]:443                             [::]:*             users:(("nginx",pid=976,fd=43),("nginx",pid=975,fd=43),("nginx",pid=974,fd=43),("nginx",pid=972,fd=43),("nginx",pid=971,fd=43),("nginx",pid=969,fd=43),("nginx",pid=968,fd=43),("nginx",pid=966,fd=43),("nginx",pid=965,fd=43),("nginx",pid=964,fd=43),("nginx",pid=963,fd=43))
LISTEN         0               511                                    [::]:80                              [::]:*             users:(("nginx",pid=976,fd=41),("nginx",pid=975,fd=41),("nginx",pid=974,fd=41),("nginx",pid=972,fd=41),("nginx",pid=971,fd=41),("nginx",pid=969,fd=41),("nginx",pid=968,fd=41),("nginx",pid=966,fd=41),("nginx",pid=965,fd=41),("nginx",pid=964,fd=41),("nginx",pid=963,fd=41))
LISTEN         0               511                                       *:10500                              *:*             users:(("node /var/www/x",pid=1195,fd=20))                                                                                  
LISTEN         0               511                                       *:10400                              *:*             users:(("node /var/www/n",pid=1209,fd=20))                                                                                  
LISTEN         0               4096                                   [::]:9000                            [::]:*             users:(("docker-proxy",pid=2136,fd=4))                                                                                      
LISTEN         0               4096                                   [::]:9443                            [::]:*             users:(("docker-proxy",pid=1996,fd=4))                                                                                      

All *:PORT are correctly blocked
All docker-proxy 0.0.0.0:PORT are not blocked
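
One way to spot these from the `ss -tnlp` listing, as an added audit script that is not part of the report or of moby/libnetwork: it parses the socket list and flags docker-proxy sockets bound to a wildcard address, which Docker publishes through its own nat DOCKER chain and FORWARD rules ahead of the firewalld zone filter. The public-zone port set is read off the zone listing above; the sample lines are constructed from the `ss` output in the report.

```python
import re
from typing import NamedTuple
# Constructed sample, trimmed from the `ss -tnlp` listing in the report above.
SS_OUTPUT = """\
LISTEN 0 2000 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=2528,fd=8))
LISTEN 0 128 0.0.0.0:22022 0.0.0.0:* users:(("sshd",pid=767,fd=3))
LISTEN 0 4096 0.0.0.0:3280 0.0.0.0:* users:(("docker-proxy",pid=2075,fd=4))
LISTEN 0 4096 0.0.0.0:9000 0.0.0.0:* users:(("docker-proxy",pid=2126,fd=4))
LISTEN 0 511 *:10500 *:* users:(("node /var/www/x",pid=1195,fd=20))
LISTEN 0 4096 [::]:9443 [::]:* users:(("docker-proxy",pid=1996,fd=4))
LISTEN 0 2000 172.17.0.1:5432 0.0.0.0:* users:(("postgres",pid=2528,fd=9))
"""
# TCP ports the public zone (eth0) admits per the zone listing: ssh/http/https
# services plus 22022/tcp (the 22->2222 forward-port is a separate path).
PUBLIC_ZONE_TCP = {22, 80, 443, 22022}
LOOPBACK = ("127.", "[::1]", "[::ffff:127.")
PROC_RE = re.compile(r'users:\(\("([^"]+)"')

class Listener(NamedTuple):
    addr: str
    port: int
    proc: str
    verdict: str

def classify(addr: str, port: int, proc: str) -> str:
    if addr.startswith(LOOPBACK):
        return "local-only"
    if proc == "docker-proxy":
        # Docker DNATs the published port in its nat DOCKER chain and accepts
        # it in FORWARD, so the public zone's port list is never consulted.
        return "docker-published: reachable regardless of firewalld zone"
    if port in PUBLIC_ZONE_TCP:
        return "host: opened in public zone"
    return "host: filtered by firewalld"

def audit(ss_text: str) -> list[Listener]:
    # Parse each LISTEN row of `ss -tnlp`; the header row is skipped.
    found = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        match = PROC_RE.search(line)
        proc = match.group(1) if match else "?"
        found.append(Listener(addr, int(port), proc, classify(addr, int(port), proc)))
    return found

def exposed_by_docker(ss_text: str) -> list[tuple[str, int]]:
    # The sockets the report complains about: published by Docker, not zoned.
    return sorted((l.addr, l.port) for l in audit(ss_text)
                  if l.verdict.startswith("docker-published"))
```

Publishing with an explicit loopback bind (for example `-p 127.0.0.1:9000:9000`) or filtering in Docker's DOCKER-USER chain are the usual ways to keep such ports off the external interface.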

sigh, can you transfer this issue to moby/moby?