How to restrict a container's port exposed by Docker from only a list of IPs? Only this list of IP would be able to access this port.
I tried that:
iptables -I DOCKER -p tcp --dport PORT_X -j REJECT --reject-with icmp-port-unreachable
iptables -I DOCKER -p tcp --dport PORT_X --source EXTERNAL_IP_1 --destination HOST_IP_1 -j ACCEPT
iptables -I DOCKER -p tcp --dport PORT_X --source EXTERNAL_IP_2 --destination HOST_IP_1 -j ACCEPT
iptables -I DOCKER -p tcp --dport PORT_X --source EXTERNAL_IP_3 --destination HOST_IP_1 -j ACCEPT
I had the same problem. I solved it with this rules :
iptables -I DOCKER-USER -i <your_interface_name> -j DROP
iptables -I DOCKER-USER -i <your_interface_name> -s <your_first_ip> -j ACCEPT
iptables -I DOCKER-USER -i <your_interface_name> -s <your_second_ip> -j ACCEPT
Care, DOCKER-USER is a chain which will not be deleted when service docker restart
You should be able to add your port flag, but i'm not an expert and it is not my needs.
Your policy is whitelist, it's better to create a user custom chain handle this alone.
For example, I have a redis container, I want it only serve for specific IPs:
$ docker run -d -p 6379:6379 redis:2.8
After started redis container, the iptables looks like this:
$ iptables -t filter -nL
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:6379
Create our custom chain:
$ iptables -N CUSTOM_REDIS
$ iptables -A CUSTOM_REDIS -p tcp --dport 6379 --source 172.31.101.37 --destination 172.17.0.2 -j ACCEPT
$ iptables -A CUSTOM_REDIS -p tcp --dport 6379 --source 172.31.101.38 --destination 172.17.0.2 -j ACCEPT
$ iptables -A CUSTOM_REDIS -p tcp --dport 6379 --source 0.0.0.0/0 --destination 172.17.0.2 -j DROP
Replace the original rule with custom chain:
$ iptables -R DOCKER 1 -p tcp --source 0.0.0.0/0 --destination 172.17.0.2 --dport 6379 -j CUSTOM_REDIS
Now my redis can only access by ip: 172.31.101.37 and 172.31.101.38.
Note:
172.17.0.2 is the ip of redis container
From the docker guide here:
Docker’s forward rules permit all external source IPs by default. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER filter chain. For example, to restrict external access such that only source IP 8.8.8.8 can access the containers, the following rule could be added:
$ iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP
In your case since you want to allow multiple IP addresses I think something like this should work:
iptables -I DOCKER -s EXTERNAL_IP_1 -p tcp --dport PORT_X -j ACCEPT
iptables -I DOCKER -s EXTERNAL_IP_2 -p tcp --dport PORT_X -j ACCEPT
iptables -I DOCKER -s EXTERNAL_IP_3 -p tcp --dport PORT_X -j ACCEPT
iptables -I DOCKER -p tcp --dport PORT_X -j REJECT --reject-with icmp-port-unreachable
You may also want to prevent access from docker directly, using the specific IP you want to listen, like -p 1.2.3.4:6379:6379/tcp syntax, that way the container will listen only on that IP and interface.
If you use that IP as private IPs, you can avoid completely the iptables because you restricted access only from local/private network.
You can use ufw from inside docker container
sudo ufw [--dry-run] [delete] [insert NUM] allow|deny|reject|limit [in|out on INTERFACE] [log|log-all] [proto protocol] [from ADDRESS [port PORT]][to ADDRESS [port PORT]]
Related
I am running the traffic from my docker container through sshuttle to a remote server, which is working great with this command:
sshuttle -l 0.0.0.0 -r user#server 0/0 -v
The problem is that I need incoming connections to be allowed to reach my local server via the remote server's ip address and a specific port. I've tried creating an additional ssh tunnel via
ssh -NR 0.0.0.0:43523:localhost:43523
This almost works, as the incoming connections show up in the sshuttle verbose logs, but the connection never establishes (connection timed out from the client side).
Here are the iptables rules created by sshuttle at runtime:
iptables -t nat -N sshuttle-12300
iptables -t nat -F sshuttle-12300
iptables -t nat -I OUTPUT 1 -j sshuttle-12300
iptables -t nat -I PREROUTING 1 -j sshuttle-12300
iptables -t nat -A sshuttle-12300 -j RETURN -m ttl --ttl 63
iptables -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL
iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300
So my question is: What is causing the incoming connections to not work? And how can I fix it?
I have two network interface, eth0 is the internal network necessary for the connection of PCs with the softphone and eth1 to link to internet. I'm using iptables on CentOS 6.5 to direct all the outputs of the Freepbx (Asterisk) to eth1, but I don't have success.
The rule
iptables -A PREROUTING -i eth1 -t mangle -p tcp --dport 5060 -j MARK --set-mark 1
Take a ook at sip.conf. In the [general] section, there is a bindaddress or udpbindaddress. Set it to 0.0.0.0 to make sure asterisk listens on all interfaces. You can check it by:
netstat -lnap | grep 5060
udp 0 0 0.0.0.0:5060 0.0.0.0:* 30822/asterisk
Then restrict access to unnecessary interfaces using iptables, like (note the order):
iptables -A INPUT -i eth1 -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j DROP
iptables -A OUTPUT -o eth1 -p udp --sport 5060 -j ACCEPT
iptables -A OUTPUT -p udp --sport 5060 -j DROP
If public ip on same server, you need use INPUT table and ACCEPT destination.
If it on other host, you have use DNAT.
nginx-proxy is a Docker container that acts as a reverse proxy to other containers. It uses the Docker API to detect other containers and automatically proxies traffic to them.
I have a simple nginx-proxy setup: (where subdomain.example.com is replaced with my domain)
docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
docker run -e VIRTUAL_HOST=subdomain.example.com kdelfour/cloud9-docker
It works with no problem when I have my firewall off. When I have my firewall on, I get a 504 Gateway Time-out error from nginx. This means that I'm able to see nginx on port 80, but my firewall rules seem to be restricting container-to-container and/or Docker API traffic.
I created a GitHub issue, but the creator of nginx-proxy said he had never run into this issue.
These are the "firewall off" rules: (these work)
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
These are my "firewall on" rules: (these don't work)
# Based on tutorial from http://www.thegeekstuff.com/scripts/iptables-rules / http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
# Delete existing rules
iptables -F
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow inbound/outbound SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Allow inbound/outbound HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow inbound/outbound HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Allow outbound DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# Allow outbound NTP
iptables -A OUTPUT -p udp -o eth0 --dport 123 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 123 -j ACCEPT
# This bit is from https://blog.andyet.com/2014/09/11/docker-host-iptables-forwarding
# Docker Rules: Forward chain between docker0 and eth0.
iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
ip6tables -A FORWARD -i docker0 -o eth0 -j ACCEPT
ip6tables -A FORWARD -i eth0 -o docker0 -j ACCEPT
iptables-save > /etc/network/iptables.rules
Why won't the proxy work when I have my firewall on?
Thanks to advice by Joel C (see the comments above), there was a problem on the FORWARD chain which I fixed like so:
iptables -A FORWARD -i docker0 -j ACCEPT
I have a router with DD-WRT and forwarding from the router seems to work with the following script:
#!/bin/sh
PROXY_IP=192.168.77.77
PROXY_PORT=3128
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
Now if I just run the default squid.conf file, I get the following page on my web broweser:
ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: /questions/ask
Invalid URL
As you can see, 'stackoverflow.com' is truncated from the URL: stackoverflow.com/questions/ask
Now if I change append transparent to the following line:
http_port 3128 -> http_port 3128 transparent
None of the pages show up in the web browser and I get the following error in '`/var/log/squid/cache.log':
NF getsockopt(SO_ORIGINAL_DST) failed on local=192.168.77.77:3128 remote=192.168.77.1:5268 FD 9 flags=33: (92) Protocol not available
Is there anyway for me to make squid work? No reference on google.com seems to help.
By default Squid will deny all access. You have to specify who is allowed.
Add this to your acl list
acl mycomputer src <yourip>
Then add this right before the deny all
http_access allow mycomputer
# And finally deny all other access to this proxy
http_access deny all
Before adding that to the squid.conf, I was also getting the same or similar error.
I am working on Holepunching using UDP and UDT. For the final testing I need to test the application on different NAT types (Symmetric,full cone,restricted cone, port restricted NATs).
Is there any method I can simulate these? What I expect here is some kind of virtual-Box setup. Can I use PC as a router so that I can configure according to my needs?
In general how do we test applications for different network conditions?
Just in case someone else is looking to do this, this website explains how to set up the different NAT environments using IPTables.
Update
It has been a few years since I did this, given that the link was placed behind a login, and the rewind was also placed behind a login, I went through my notes from back than and found the following. Please note these are untested.
Full Cone NAT;
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source "public IP"
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination "private IP"
Restricted Cone NAT;
iptables -t nat -A POSTROUTING -o eth1 -p udp -j SNAT --to-source "public IP"
iptables -t nat -A PREROUTING -i eth1 -p udp -j DNAT --to-destination "private IP"
iptables -A INPUT -i eth1 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m state --state NEW -j DROP
Port Restricted Cone NAT;
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "public IP"
Symmetric NAT;
echo "1" >/proc/sys/net/ipv4/ip_forward
iptables --flush
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE --random
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
I think you already answered your own question, use VirtualBox (or VMware, Xen, etc..).
I've done this very thing successfully by setting up mini-lans of VM's. If you're looking for software to act as your router inside a VM, I'd start off at http://www.pfsense.org/ and see if that meets your needs. It's a FreeBSD distribution tailored for being an easy to install router/firewall with a nice web management UI and all of that.
If pfsense doesn't fit your needs, there are plenty of other linux/bsd distributions out there that are tailored for this kind of stuff and that you can install in a VM: http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions for a good list :) (I've heard good things about OpenWRT and ClearOS as well.)