
I've been wondering why the Docker installation does not enable port forwarding to containers by default.

To save you a click, what I mean is:

$ sudo sysctl net.ipv4.conf.all.forwarding=1
$ sudo iptables -P FORWARD ACCEPT

I assume it is some sort of security risk, but I just wonder what the risk is.

Basically I want to create some piece of code that enables this by default, but I want to know what bad things can happen.

I googled this and couldn't find anything.

Generally FORWARD ACCEPT seems to be considered too permissive (?)

If so, what can I change to make this more secure?

My network is rather simple: it is a bunch of PCs on a local LAN (10.0.0.0/24) with an OpenVPN server, and those PCs may deploy Docker hosts (I'm doing this by hand, not using Docker Compose or Swarm or anything, because nodes change) that need to see each other. So there is no real outside access. Another detail is that I am not using a network overlay, which I could do without Swarm, but the writer of the post warns it could be deprecated soon, so I also wonder if I should just start using Docker Swarm straight away.

EDIT: My question here is maybe more theoretical, I guess, than it may seem at first. I want to know why they decided not to do this. I pretty much need/want full communication between Docker instances: they need to be ssh'd into and open up a bunch of different ports to talk to each other (and this is the limit of my networking knowledge; I don't know how this really works. I suppose they are all high ports, but are those also blocked by Docker?). I am not sure Docker Swarm would help me much here either. They aimed at micro-services; I may need interactive sessions from time to time, but this is probably asking too much in a single question.

Maybe the simplest version of this question is: "if I put that code up there in a script that runs each time my computer boots up, how can someone abuse it?"

user27221
  • I just read this https://thehackernews.com/2020/07/docker-linux-malware.html , but I guess it is a different attack – user27221 Jul 29 '20 at 16:17
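What the two commands in the question actually do is worth spelling out, because the risk follows from it. `net.ipv4.conf.all.forwarding=1` lets the kernel route packets between every interface the host has (the LAN NIC, the OpenVPN tun, docker0); `iptables -P FORWARD ACCEPT` then approves all of that routing. Docker itself turns forwarding on when it starts, but it sets the FORWARD policy to DROP and only adds ACCEPT rules for container-originated traffic and for ports you publish with `-p`, so an unpublished container port is unreachable from the LAN. With the policy flipped to ACCEPT, any LAN or VPN peer that adds a route such as `172.17.0.0/16 via <your host>` reaches every listening port in every container, published or not, and the host also silently relays traffic between the LAN and the VPN. The script below is an added example, not code from the question or the answer: it audits an `iptables-save` dump for that wide-open state and prints a replacement that keeps the default-drop policy but admits LAN and VPN peers to container addresses through DOCKER-USER, the chain Docker documents as the place for administrator rules (it is evaluated before Docker's own FORWARD rules and is not rewritten by Docker). The 10.0.0.0/24 LAN is the one named in the question; the VPN subnet 10.8.0.0/24, the port list 22,8080, and the docker0 / 172.17.0.0/16 bridge are assumptions for the example, and the sample dump is constructed.

```sh
#!/bin/sh
# Added example (not from the question or the answer): audit an iptables-save
# dump for the "forward everything" setup the question describes, and print a
# tighter replacement that keeps containers reachable from LAN and VPN peers.
#
# Assumptions that are NOT from the page: the VPN subnet (10.8.0.0/24), the
# port list (22 and 8080), and the bridge (docker0 / 172.17.0.0/16, Docker's
# default). The LAN 10.0.0.0/24 is the one the question names.

LAN_NET="10.0.0.0/24"
VPN_NET="10.8.0.0/24"         # hypothetical OpenVPN client subnet
DOCKER_IF="docker0"
DOCKER_NET="172.17.0.0/16"
ALLOWED_PORTS="22,8080"       # hypothetical: ports peers may open to containers

forward_audit() {
    # Reads an iptables-save dump on stdin and prints WIDE_OPEN if forwarded
    # traffic is accepted without restriction, otherwise RESTRICTED. Wide open
    # means any of: FORWARD policy ACCEPT, an unconditional "-A FORWARD -j
    # ACCEPT", or an unconditional "-A DOCKER-USER -j ACCEPT" (DOCKER-USER is
    # consulted first in FORWARD, so that one bypasses Docker's own rules too).
    awk '
        /^\*/                            { table = substr($1, 2) }   # *filter, *nat, ...
        table != "filter"                { next }
        /^:FORWARD ACCEPT/               { open = 1 }
        $0 == "-A FORWARD -j ACCEPT"     { open = 1 }
        $0 == "-A DOCKER-USER -j ACCEPT" { open = 1 }
        END { print (open ? "WIDE_OPEN" : "RESTRICTED") }
    '
}

hardened_docker_user_rules() {
    # Prints iptables commands that replace "iptables -P FORWARD ACCEPT":
    # default-drop forwarding, plus rules in DOCKER-USER (the chain Docker
    # reserves for administrator rules and evaluates before its own) that admit
    # only LAN and VPN sources to container addresses on the listed ports.
    # RETURN hands the packet back to Docker's normal FORWARD rules; DROP ends it.
    cat <<EOF
iptables -P FORWARD DROP
iptables -N DOCKER-USER 2>/dev/null || true
iptables -F DOCKER-USER
# replies to connections the containers opened themselves
iptables -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
# traffic leaving a container (to the LAN or to another container)
iptables -A DOCKER-USER -i $DOCKER_IF -j RETURN
# inbound to container IPs: only these peers, only these ports
iptables -A DOCKER-USER -s $LAN_NET -d $DOCKER_NET -p tcp -m multiport --dports $ALLOWED_PORTS -j RETURN
iptables -A DOCKER-USER -s $VPN_NET -d $DOCKER_NET -p tcp -m multiport --dports $ALLOWED_PORTS -j RETURN
iptables -A DOCKER-USER -d $DOCKER_NET -j DROP
# anything else (e.g. LAN<->VPN transit) falls through to the DROP policy
iptables -A DOCKER-USER -j RETURN
EOF
}

rules_as_dump() {
    # Rewrites a command list from hardened_docker_user_rules into
    # iptables-save syntax so it can be audited offline; keeps -P and -A only.
    printf '*filter\n'
    awk '
        $1 == "iptables" && $2 == "-P" { printf ":%s %s [0:0]\n", $3, $4 }
        $1 == "iptables" && $2 == "-A" { sub(/^iptables /, ""); print }
    '
    printf 'COMMIT\n'
}

# Constructed sample: what iptables-save shows after the question's two
# commands on a host where Docker has already installed its chains.
WIDE_OPEN_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# Stand-alone demo: the question's setup, then the replacement.
printf '%s\n' "$WIDE_OPEN_DUMP" | forward_audit               # WIDE_OPEN
hardened_docker_user_rules | rules_as_dump | forward_audit    # RESTRICTED
```

To apply the replacement on a live host run `hardened_docker_user_rules | sudo sh`; to check a host, `sudo iptables-save | forward_audit`. Keep forwarding itself enabled (Docker needs it and enables it on its own); the thing to avoid is the ACCEPT policy. Note that the DROP rule also blocks ports published with `-p` from any source outside LAN_NET and VPN_NET, which matches the "no real outside access" setup in the question; add a RETURN for other sources before it if you ever need them.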

1 Answer

Each Docker container runs on a local bridge network with IPs generally in the range of 172.1x.xx.xx. You can get the IP address by running:

docker inspect <container name> | jq -r ".[].NetworkSettings.Networks[].IPAddress"

You should run your container exposing and publishing the specific container ports on the host that runs the containers.

Alternatively, you can use iptables to redirect traffic to a specific port from outside:

iptables -t nat -I PREROUTING -i <incoming interface> -p tcp -m tcp --dport <host listening port> -j DNAT --to-destination <container ip address>:<container port>

Change tcp to udp if the port is listening on a UDP socket.

If you want to redirect all traffic you can still use the same approach, but you may need to specify a secondary IP address on your host (e.g., 192.168.1.x) and redirect any traffic coming to that address to your container.

MPAK
    This is not really what I asked. I know I can forward ports; that's what Docker suggests you do. I want to know what the risk is, considering Docker containers are ephemeral and can be pretty much destroyed without much happening. – user27221 Aug 01 '20 at 23:32
  • The bridging I solved by creating a single bridge and adding each new node to that bridge. A master keeps track of all the bridges created and adds rules for routing. Actually I think I created a bad version of swarm without load balancing – user27221 Aug 01 '20 at 23:36