
I have a Docker swarm cluster with a Prometheus container running on one node, Prometheus is configured to scrape all the Swarm nodes by their public IP addresses on port 9100 (Node exporter), all these IPs are collected dynamically.

I'm also using a basic iptables configuration like this on all the nodes:

# Accept loopback interface traffic
-A INPUT -i lo -j ACCEPT

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow ICMP traffic
-4 -A INPUT -p icmp -j ACCEPT
-6 -A INPUT -p icmpv6 -j ACCEPT

# Allow SSH traffic
-A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP and HTTPS traffic
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow all traffic from the swarm nodes
-A INPUT -s <OTHER_SWARM_NODE_IP> -j ACCEPT
-A INPUT -s <OTHER_SWARM_NODE_IP> -j ACCEPT
-A INPUT -s <OTHER_SWARM_NODE_IP> -j ACCEPT

# Also this host's public IP is listed here (Created dynamically)
-A INPUT -s <HOST_PUBLIC_IP> -j ACCEPT

# Set the default INPUT policy to DROP
-P INPUT DROP

Currently the Prometheus container cannot connect to the host that it's running on because of my iptables rules. I logged the dropped packets and here's what I got:

Jul 27 13:21:40 node01 kernel: [60855.199560] IPTables-Dropped: IN=docker_gwbridge OUT= PHYSIN=vethe5b3d1e MAC=<MAC_ADDR> SRC=172.18.0.9 DST=<PUBLIC_HOST_IP> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57363 DF PROTO=TCP SPT=52882 DPT=9100 WINDOW=29200 RES=0x00 SYN URGP=0

So the source IP address is 172.18.0.9, which is part of the docker_gwbridge network; this IP range is not accepted in my iptables rules.

My question is, should I add a rule to accept all the traffic from the docker_gwbridge subnet 172.18.0.0/16? Of course this subnet might change on each host.

Should I add rules to allow all private IP addresses? Or should I allow all traffic incoming from the docker_gwbridge interface?

-A INPUT -i docker_gwbridge -j ACCEPT

Which solution is better from a security perspective?

Pierre
  • Is that an inbound or outbound connection being dropped? I think we may need to see the forwarding and output rules. A full dump of the iptables after docker has configured them may also be useful since docker configures iptables for containers. – BMitch Aug 01 '19 at 21:03
  • @BMitch this is an inbound connection coming from a container to the host that it's running on. I don't have access to the host anymore, so I can't provide a full dump of iptables; I will add a dump if I reproduce it. Actually, I solved this by accepting all requests coming from `docker_gwbridge`, but I wanted to know if this is the way to go or if there are other, better solutions. – Pierre Aug 02 '19 at 13:50

1 Answer


The container is an isolated environment. If you aren't running some services like DNS and NTP on the host itself, there is no reason to allow containers access to it. Allow only forwarding traffic to grant access to external networks.

Define a list of services on the host to which containers are allowed access, and use the input interface match (-i docker_gwbridge) and the multiport target (-m multiport --dports <srv1>,<srv2>,<srv3>) to grant access to these services on the host.

Anton Danilov
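As an added example (not code from the question or the answer), the script below reads kernel log lines in the format the question shows, lists which host ports were hit from a given ingress interface, and emits the interface-plus-multiport rule the answer recommends instead of opening the whole bridge. The interface name docker_gwbridge, port 9100 and the first log line come from the page; the function names, the other log lines and the addresses 203.0.113.10 / 198.51.100.7 are constructed here.

```shell
#!/bin/sh
# Added example; not code from the question or the answer.

# Constructed sample of kernel log lines in the format the question shows
# (LOG prefix "IPTables-Dropped:"). Addresses and the eth0 line are made up.
SAMPLE_LOG='Jul 27 13:21:40 node01 kernel: [60855.199560] IPTables-Dropped: IN=docker_gwbridge OUT= PHYSIN=vethe5b3d1e MAC=02:42:ac:12:00:01 SRC=172.18.0.9 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57363 DF PROTO=TCP SPT=52882 DPT=9100 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 27 13:21:41 node01 kernel: [60856.201000] IPTables-Dropped: IN=docker_gwbridge OUT= PHYSIN=vethe5b3d1e MAC=02:42:ac:12:00:01 SRC=172.18.0.9 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57364 DF PROTO=TCP SPT=52883 DPT=9100 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 27 13:22:05 node01 kernel: [60880.000000] IPTables-Dropped: IN=eth0 OUT= MAC=02:42:ac:12:00:01 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=9100 WINDOW=29200 RES=0x00 SYN URGP=0'

# dropped_ports_on IFACE: print deduplicated "proto dport" pairs for dropped
# packets that arrived on IFACE. Run over the real log, this gives the list of
# host services containers actually try to reach, i.e. the list to allow
# explicitly rather than accepting everything from the bridge.
dropped_ports_on() {
  iface=$1
  printf '%s\n' "$SAMPLE_LOG" | awk -v want="$iface" '
    /IPTables-Dropped:/ {
      in_if = ""; proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        if (kv[1] == "IN") in_if = kv[2]
        else if (kv[1] == "PROTO") proto = tolower(kv[2])
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      if (in_if == want && dpt != "") print proto, dpt
    }' | sort -u
}

# container_allow_rules IFACE PORT...: emit the narrow rule the answer
# recommends, in the same style as the question's rule set. Only the listed
# TCP ports are reachable from the bridge; anything else arriving on that
# interface still falls through to the DROP policy. multiport takes at most
# 15 ports per rule.
container_allow_rules() {
  iface=$1; shift
  ports=$(printf '%s,' "$@"); ports=${ports%,}
  printf '%s\n' "-A INPUT -i $iface -p tcp -m multiport --dports $ports -j ACCEPT"
}

# Usage: derive the needed TCP ports from the log, then emit the rule.
needed=$(dropped_ports_on docker_gwbridge | awk '$1 == "tcp" { print $2 }')
# shellcheck disable=SC2086  # word splitting on $needed is intended
container_allow_rules docker_gwbridge $needed
```

The eth0 line in the sample is there to show why the interface match matters: an external client hitting port 9100 is still dropped, only the bridge gets the exception.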