Mitigate hosts on LAN from routing to Docker container via published port on `127.0.0.1`? #1128

polarathene · 2023-05-23T23:39:52Z

polarathene
May 23, 2023

As shared in another discussion, firewalld docker zone prevents neighbour hosts on a LAN from routing to those private network ranges directly, but it's still possible to route to the docker hosts private loopback 127.0.0.1 published port, even when that is the only interface ports are published to (eg: -p 127.0.0.1:80:8080).

Is there a rule that can be added to prevent this? Since it only works for the published ports on Docker, I assume it's something to do with the iptables rules it sets, but firewalld seems to have precedence? How would you add a rule that prevents a neighbour host on the LAN accessing docker hosts 127.0.0.1?

Answered by polarathene

May 23, 2023

Possible solution (not firewalld specific)

Is it this an issue due to the PREROUTING nat chain with DNAT? It seems to be possible to resolve by modifying that Docker created iptables rule:

# Avoid appling DNAT rules too early when destination is `127.0.0.1` (delay until OUTPUT chain):
# https://askubuntu.com/questions/579231/whats-the-difference-between-prerouting-and-forward-in-iptables/579242#579242
iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER ! -d 127.0.0.1

Now connections from a host on the LAN fail to route to 127.0.0.1, while the docker host can still connect successfully.

I assume 127.0.0.1 …

View full answer

polarathene · 2023-05-23T23:40:10Z

polarathene
May 23, 2023
Author

Possible solution (not firewalld specific)

Is it this an issue due to the PREROUTING nat chain with DNAT? It seems to be possible to resolve by modifying that Docker created iptables rule:

# Avoid appling DNAT rules too early when destination is `127.0.0.1` (delay until OUTPUT chain):
# https://askubuntu.com/questions/579231/whats-the-difference-between-prerouting-and-forward-in-iptables/579242#579242
iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER ! -d 127.0.0.1

Now connections from a host on the LAN fail to route to 127.0.0.1, while the docker host can still connect successfully.

I assume 127.0.0.1 was affected regardless of zone it was placed in because of this PREROUTING rule that would apply a DNAT (while a similar OUTPUT chain rule does the same at a later stage), while the docker networks in the 172.16.0.0/12 range with container ports instead just rely on the FORWARD chain rules matching a published port (but easily mitigated thanks to the docker firewalld zone).

I am not sure if the PREROUTING change would cause any issues, but I'll try discuss that with moby devs. I assume firewalld could add it's own rule / prevention that has priority over rules added by software like Docker?

1 reply

polarathene May 25, 2023
Author

Upstream issue for Docker raised: moby/moby#45610

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Mitigate hosts on LAN from routing to Docker container via published port on `127.0.0.1`? #1128

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Mitigate hosts on LAN from routing to Docker container via published port on 127.0.0.1? #1128

polarathene May 23, 2023

Possible solution (not firewalld specific)

Replies: 1 comment · 1 reply

polarathene May 23, 2023 Author

Possible solution (not firewalld specific)

polarathene May 25, 2023 Author

Mitigate hosts on LAN from routing to Docker container via published port on `127.0.0.1`? #1128

polarathene
May 23, 2023

Replies: 1 comment 1 reply

polarathene
May 23, 2023
Author

polarathene May 25, 2023
Author