Mitigate hosts on LAN from routing to Docker container via published port on 127.0.0.1?

#1128
As shared in another discussion, firewalld … Is there a rule that can be added to prevent this? Since it only works for the published ports on Docker, I assume it's something to do with the …

Replies: 1 comment 1 reply
Possible solution (not firewalld specific)

Is this an issue due to the `PREROUTING` nat chain with DNAT? It seems to be possible to resolve by modifying that `iptables` rule Docker creates:

```sh
# Avoid applying DNAT rules too early when destination is `127.0.0.1` (delay until OUTPUT chain):
# https://askubuntu.com/questions/579231/whats-the-difference-between-prerouting-and-forward-in-iptables/579242#579242
iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A PREROUTING ! -d 127.0.0.1 -m addrtype --dst-type LOCAL -j DOCKER
```

Now connections from a host on the LAN fail to route to `127.0.0.1`, while the docker host can still connect successfully. I assume `127.0.0.1` …
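As an added example (not code from this discussion, nor from the firewalld or Docker projects), the POSIX shell script below reads an `iptables-save` dump, reports whether Docker's nat `PREROUTING` jump already carries the `! -d 127.0.0.1` exclusion from the reply above, and derives the delete/append pair from the live rule so that any other matches Docker placed on it are preserved rather than retyped. The two dumps embedded in it are constructed samples, not output from a real host, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for Docker's nat PREROUTING jump
# and derive the two iptables commands from the reply above. The dumps below
# are constructed samples; the rule shape is the one Docker installs for a
# port published on 127.0.0.1.

# Constructed sample: default Docker rule, no exclusion of 127.0.0.1.
SAMPLE_UNPATCHED='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp -d 127.0.0.1/32 --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT'

# Constructed sample: the same rule after the modification in the reply
# (iptables-save prints the address as 127.0.0.1/32 and basic matches first).
SAMPLE_PATCHED='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING ! -d 127.0.0.1/32 -m addrtype --dst-type LOCAL -j DOCKER
COMMIT'

# Extract the PREROUTING -> DOCKER jump from an iptables-save dump on stdin.
docker_prerouting_rule() {
    grep -E '^-A PREROUTING .*-j DOCKER( |$)' | head -n 1
}

# Print "absent", "patched" or "unpatched" for the dump on stdin.
docker_prerouting_status() {
    rule=$(docker_prerouting_rule)
    if [ -z "$rule" ]; then
        echo absent
    elif printf '%s\n' "$rule" | grep -Eq '! -d 127\.0\.0\.1(/32)?( |$)'; then
        echo patched
    else
        echo unpatched
    fi
}

# Turn the live rule into the delete/append pair: delete exactly what is
# installed, then re-add it with the 127.0.0.1 exclusion in front of the jump.
render_fix() {
    rule=$(docker_prerouting_rule)
    [ -n "$rule" ] || return 1
    spec=${rule#-A PREROUTING }
    printf 'iptables -t nat -D PREROUTING %s\n' "$spec"
    printf 'iptables -t nat -A PREROUTING ! -d 127.0.0.1 %s\n' "$spec"
}

# Usage on a real host (as root):
#   iptables-save -t nat | docker_prerouting_status
#   iptables-save -t nat | render_fix | sh
```

The audit reports "patched" only when the exclusion is on the `PREROUTING` jump itself, which is the rule that decides whether a packet arriving from the LAN is DNAT'ed before the routing decision; the `OUTPUT` path the docker host uses is untouched, matching what the reply observes. Docker re-creates its nat rules when the daemon starts, so the status check is the part worth running after every restart before re-applying the fix.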