Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

can't access docker's ports except using loopback address #1506

Open
zero-custom opened this issue Sep 15, 2023 · 6 comments
Open

can't access docker's ports except using loopback address #1506

zero-custom opened this issue Sep 15, 2023 · 6 comments
Labels
bug

Comments

@zero-custom
Copy link

Describe the bug

Using Photon OS 5.0 (OVA with virtual hardware v15)
the host can't access docker's ports.

Reproduction steps

example
docker run -p 1234:1234 alpine nc -l 1234

test 1: the host scan port on it's network address
nmap 192.168.1.xxx -p 1234
result port 1234 was filtered

test2: the host scan port on loopback address
nmap 127.0.0.1 -p 1234
result port 1234 was open

Expected behavior

expect ports opened on all network interfaces.

Additional context

No response
@dcasota
Copy link
Contributor

dcasota commented Sep 15, 2023
edited
Loading

Hi, here a few suggestions.

  1. similar to docker container in host mode is not reachable #1320
    see docker os restrictions https://docs.docker.com/network/host/
    The host networking driver only works on Linux hosts, and is not supported on Docker Desktop for Mac, Docker Desktop for Windows, or Docker EE for Windows Server.
  2. provide more details about configured host and docker networking subsystem (networking mode: nat, bridge, host,...)
    2.A for host networking mode: bind host to 0.0.0.0 instead of localhost or 127.0.0.1, e.g. with --port 0.0.0.0:1234:1234
  3. check settings host firewall, photon os firewall (iptables, nftables)
  4. try behavior in Ph5.0 GA, with latest docker (24.0.5) on Ph5. No package of latest docker 24.0.6 yet.

btw, beware of risks and side effects in Ph5.0 GA ova (photon-hw15-5.0-dde71ec57.x86_64.ova): change default root password and ssh permitrootlogin

@zero-custom
Copy link
Author

Using Photon OS 5.0 GA OVA system image provided in download page
The tests above is on a fresh system without any changes, network mode was bridge same as default

tried to use --port 0.0.0.0:1234:1234 or --port 192.168.1.xxx:1234:1234
both doesn't work

@dcasota
Copy link
Contributor

dcasota commented Sep 15, 2023

Hi @zero-custom,

Are you a pen tester, hacker, cyber security engineer or a developer, devops engineer for commercial products?

Accordingly to the open source licenses (-> OPEN_SOURCE_LICENSE_PHOTON_.TX), in this issue case for nmap, it is written If you wish to embed Nmap technology into proprietary software, we sell alternative licenses.

I'm asking the question because docker containers and defaults for its process capabilities can be considered as proprietary software as a sufficient environment description is missing.

In addition, the nmap authors have a paragraph against inappropriate usage: Nmap should never be installed with special privileges (e.g. suid root). That would open up a major security vulnerability as other users on the system (or attackers) could use it for privilege escalation. Think of it

I am a volunteer user here and I do not want to give a helping hand for breaking the Photon OS EULA at all.

@zero-custom
Copy link
Author

neither, i just use nmap as a port state indicator, because it's straight enough to show the result.
it can be replaced by any other programs which connects to port.

@ssahani
Copy link
Contributor

ssahani commented Sep 20, 2023

See #1277

@ghandye
Copy link

ghandye commented Jan 28, 2024
edited
Loading

It's iptables.

I just resolved this same issue with a Homebridge container (which works best out of the box when using docker host networking).

The problem was ultimately quite simple - Photon OS locks down host ports with an iptables whitelist out of the box, and by default it only permits port 22 (ssh).

To permit inbound connections to a container running on Photon and using docker host networking, you must add a rule to the iptables INPUT chain.

Add your rules to /etc/systemd/scripts/ip4save to persist the rule.

Example, after adding tcp port 8581 (default homebridge port)

Add once via command line to test:
iptables -A INPUT -p tcp -m tcp --dport 8581 -j ACCEPT

Confirm change:

root@photon [ ~ ]# iptables -nvL INPUT
Chain INPUT (policy DROP 1208 packets, 390K bytes)
 pkts bytes target     prot opt in     out     source               destination
   38  4519 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
  322 38779 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    52 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8581

To persist the change, add a rule near the bottom of ip4save in the INPUT chain for port 8581:

root@photon [ ~ ]# cat /etc/systemd/scripts/ip4save
# init
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow local-only connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#keep commented till upgrade issues are sorted
#-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Permit Homebridge traffic to host on port 8581
-A INPUT -p tcp -m tcp --dport 8581 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT

@ghandye ghandye mentioned this issue Jan 28, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ssahani @ghandye @dcasota @zero-custom