Docker stack creates permissive iptables port filtering rules on exposed ports #38259
Comments
This is working as expected. In the spec you asked docker to expose the port, so the ingress rule is created. The "docker run" rule is effectively the same as anywhere to anywhere, the main difference being that there is a special rule to handle traffic originating from the docker0 bridge interface (due to past issues with hairpin nat). Why do you say this is related to the issue on the forwarding policy (which is no longer an issue)?
It seems related because it involves similar problems with iptables. I understand that the rule allows the desired behaviour, but it is too permissive, which could have security implications. It doesn't seem like desired behaviour to me as there is an explicit drop of
So your issue is that setting up ingress is not granular enough?
Yes
Seems like a duplicate of #22054?
It looks different to me. #22054 is the stock execution path, this issue seems specific to From what I gather, the other issue is concerned that exposed ports are accessible on all network interfaces, rather than local interfaces. The concern in this issue is that other targets behind a docker host will be accessible other than the container that sets up the exposed port.
No worries. 😄
@jmcfadyen-ge I think they may be closely related. Solve #22054 and you'll likely solve this one too. That said, I'm not sure the docker folks are really looking to solve the issue since I reported that one back in 2016 and it's been over 3 years with no real resolution. Hopefully this will bring some additional light to the issue and help get a proper solution in. Yes, there have been a couple of solutions offered, but they're not really solutions since they require the user to be intimately familiar with iptables instead of having docker just do the right thing.
Description
When a container is brought up with an exposed port via docker stack, an iptables rule is created to grant access to the port. The firewall rule created is an anywhere to anywhere over the exposed port number.
This opens up the same port to every interface that can be routed to through the root namespace.
This issue seems to be the same as #14041, but with docker stack.
Steps to reproduce the issue:
1. Deploy the stack with the following compose file:
docker stack deploy -c docker-compose.yml test
2. List the filter rules:
iptables -nL
and see that the DOCKER-INGRESS chain opens the port from anywhere to anywhere.

Describe the results you received:
Describe the results you expected:
Performing the same function with:
docker run --rm -p 1234:1234 alpine sleep 1000
The following rule is created in the more restricted DOCKER chain with a specific destination:
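As an added audit check (not code from the issue or from the Docker project), the script below parses `iptables -nL` output and flags ACCEPT rules that open an inbound port to any destination, which is the DOCKER-INGRESS shape described above, while the DOCKER rule pinned to a container address passes. The sample output is constructed to mirror the two rule shapes discussed here; the container address 172.17.0.2 is an assumption.

```python
import re

# Constructed sample of `iptables -nL` output (not captured from a real host).
# DOCKER pins the destination to one container; DOCKER-INGRESS accepts
# 0.0.0.0/0 -> 0.0.0.0/0 on the published port, as described in this issue.
SAMPLE_IPTABLES_NL = """\
Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:1234

Chain DOCKER-INGRESS (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1234
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:1234
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

ANY = "0.0.0.0/0"


def parse_chains(text):
    """Return {chain_name: [rule_dict, ...]} parsed from `iptables -nL` text."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]          # "Chain NAME (n references)"
            chains[current] = []
        elif current and line and not line.startswith("target"):
            f = line.split(None, 5)            # target prot opt src dst [match text]
            if len(f) < 5:
                continue
            chains[current].append({
                "target": f[0], "prot": f[1], "source": f[3],
                "destination": f[4], "extra": f[5] if len(f) > 5 else "",
            })
    return chains


def permissive_dport_accepts(chains):
    """(chain, proto, port) for ACCEPT rules opening a dpt: to ANY destination."""
    found = []
    for name, rules in chains.items():
        for r in rules:
            m = re.search(r"\bdpt:(\d+)", r["extra"])
            if r["target"] == "ACCEPT" and r["destination"] == ANY and m:
                found.append((name, r["prot"], int(m.group(1))))
    return found


if __name__ == "__main__":
    for chain, proto, port in permissive_dport_accepts(parse_chains(SAMPLE_IPTABLES_NL)):
        print(f"{chain}: {proto}/{port} accepted for any destination")
```

On a live host, feed it the real output with `iptables -nL` piped into the script instead of the constructed sample.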
Output of docker version:

Output of docker info: