Docker bridge network leaks internal IP addresses (masquerade not working) #1126
Comments
I can confirm that. We've found out this is happening after our server was blocked by Hetzner for sending packets with an invalid source IP.
We most likely have the same issue, running the container in an LXC.
In my case the problem appears on Ubuntu 20.04 (no problems on 18.04) and only with one output interface: tun (VPN). tcpdump problematic output: On the other computer, tcpdump output (working scenario):
Same here, with traffic coming from a VPN tunnel inside docker and exiting on the local LAN, using Ubuntu LTS 18.04 and the latest docker.
Same, just noticed bridged IP addresses in my firewall this morning.
Same here. This is a huge issue and can be remotely exploited as a DoS in some cases. We had a very short incoming DDoS attack causing the machine to send out these packets, which ended up locking our machine for a couple of hours. A remotely triggerable DoS like this should really be fixed.
Sadly, this issue has existed for over 7 months now and I saw similar reports from other people which were created even years ago. No response from any "official" source yet. That's kinda disappointing.
We are also having the same issue running on multiple different types of hosts.
I can confirm it's happening with
Confirmed. The bridge network leaks the container's inner IPs outside.
Untested, but an iptables rule that a friend of mine gave me that should fix this:
This rule just drops the problematic packets, but does not fix their origin.
I'm seeing this happening with Docker running on Ubuntu 20.04 LTS as well... In my case, it's the Ubiquiti "UNMS" / "UISP" controller system (which uses a bunch of docker containers). It has several
I am seeing mostly traffic from 172.18.251.5, source port 443, destination port random, to different IPs across my internal network (point-to-point wireless gear that UNMS/UISP is managing).
Can confirm that bridged IP addresses show up in the log of my firewall... Details of the host running the docker containers:
This is a legacy project, if you have a look at the readme. Odd that they keep this legacy project open. Should the bug be reported to the moby project?
@karniemi Well, I reported that issue nearly 2 days ago. The notice in the readme is new (12 days ago).
I re-created the issue in the new repository, but judging from 4000 open issues, they seem to have just as nice community management as in this repo. So maybe in 10 years we will get an official answer 🙃
@flobernd ... you meant 2 years, not 2 days :-). And yes, I did notice, but I wanted to point out why there's probably no progress. And further, I'm seeing the same problem, that's why I'm concerned about it.
It's "funny" that it's still not fixed after 3 years.
This problem is still painful...
Hi all, our rule that drops this kind of traffic has 300 hits per second.
Expected behavior
Docker containers using only the bridge network should not send any packets with internal IP addresses to the outside.

Actual behavior
Docker containers using the bridge network sometimes send packets from the internal (172.17.0.X) IP to the network interface without masquerading them.

Steps to reproduce the behavior
Run a docker container of your choice (in my case portainer/portainer-ce) using the default bridge network. Inspect outgoing traffic using tcpdump (e.g. on the router device).

Related:

Output of docker version:

Output of docker info:

Additional environment details (AWS, VirtualBox, physical, etc.)
In my example the docker container is running on a Debian VM which is running on a VMware ESXi host.
First noticed the leaked IP addresses in the "client overview" of my networking hardware (Ubiquiti UniFi). This list shows the currently assigned IP address for each connected client. For all VMs running a docker container with the bridge network, this IP from time to time changes to 172.17.0.X for some seconds until it switches back to the correct value.
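A detector for the tcpdump inspection step described above, added here as an example and not code from the issue or from the Docker project: it parses tcpdump -nn lines captured on the host's external interface and flags packets whose source address is still a container bridge address, i.e. packets the MASQUERADE rule never rewrote. The interface name eth0, the sample packets and the 192.168.1.0/24 LAN are constructed; the 172.17.0.0/16 and 172.18.0.0/16 subnets are the ones named in the thread.

```python
import ipaddress
import re
from collections import Counter
# Constructed sample of "tcpdump -nn -i eth0" output on the host's external
# interface (eth0, the LAN addresses and the packets are assumptions, not from the issue).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.50.443 > 192.168.1.10.51234: Flags [P.], seq 1:100, ack 1, win 501, length 99
12:00:01.000002 IP 172.17.0.2.443 > 192.168.1.10.51234: Flags [R.], seq 100, ack 1, win 0, length 0
12:00:01.000003 IP 172.17.0.2.443 > 192.168.1.11.40000: Flags [R.], seq 1, ack 1, win 0, length 0
12:00:01.000004 IP 192.168.1.10.51234 > 192.168.1.50.443: Flags [.], ack 100, win 501, length 0
12:00:01.000005 IP 172.18.251.5.443 > 10.0.0.7.33001: Flags [R.], seq 1, ack 1, win 0, length 0
"""
# Subnets that must never appear as a source on the external interface:
# Docker's default bridge (172.17.0.0/16, as in the issue) and a user-defined
# bridge network (172.18.0.0/16, as in one of the comments).
BRIDGE_SUBNETS = [ipaddress.ip_network(n) for n in ("172.17.0.0/16", "172.18.0.0/16")]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r"(?: Flags \[(?P<flags>[^\]]*)\])?"
)

def parse_line(line):
    """Return (timestamp, src, sport, dst, dport, flags) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"] or "")

def find_leaks(capture, bridge_subnets=BRIDGE_SUBNETS):
    """Packets whose source lies in a container bridge subnet, i.e. left un-masqueraded."""
    leaks = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src = ipaddress.ip_address(pkt[1])
        if any(src in net for net in bridge_subnets):
            leaks.append(pkt)
    return leaks

def summarize(leaks):
    """Count leaked packets per (container source IP, source port, TCP flags)."""
    return Counter((src, sport, flags) for _, src, sport, _, _, flags in leaks)

if __name__ == "__main__":
    found = find_leaks(SAMPLE_CAPTURE)
    for (src, sport, flags), n in summarize(found).most_common():
        print(f"{n:4d} leaked packet(s) from {src}:{sport} flags [{flags}]")
```

To check a live host instead of the constructed sample, pass the text of `tcpdump -nn -i eth0 -l` to find_leaks.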