Re: PostgreSQL port accessible even though it should be blocked by firewall

On 10/29/2018 08:18 PM, Alexander Dalloz wrote:
On 29.10.2018 at 20:03, Frank Thommen wrote:
PostgreSQL is running in a docker container:

$ docker ps
CONTAINER ID        IMAGE       COMMAND                  CREATED        STATUS       PORTS                    NAMES
6f11fc41d2f0        postgres    "docker-entrypoint..."   4 days ago     Up 4 days    0.0.0.0:5432->5432/tcp   postgres
$


The various docker interfaces and virtual bridges are not assigned to any specific zone.


Why is port 5432/tcp open?

You will see it if you check the netfilter rules with:

iptables -L -n -v --line -t filter
iptables -L -n -v --line -t nat

In fact these rules forward port 5432 to docker:

$ iptables -L -n -v --line -t filter  | grep 5432
1 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:5432
$ iptables -L -n -v --line -t nat  | grep 5432
10 0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:5432
2 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432 to:172.17.0.2:5432
$

I am still puzzled that it is possible to circumvent firewalld so easily. Basically it means that firewalld is not to be trusted as soon as containers with port forwarding are running on a system.

frank


frank

Alexander
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
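
An added example, not part of the original thread: a small shell audit that reads the `iptables -L -n -v --line -t nat` listing used in the messages above and flags DNAT rules that match any destination address, as the port 5432 rule does. The function names and the second sample rule (port 6379, bound to 127.0.0.1) are constructed for illustration.

```shell
#!/bin/sh
# Audit Docker-published ports from the nat table listing.
# Input (stdin): output of `iptables -L -n -v --line -t nat`.
# Columns: num pkts bytes target prot opt in out source destination extras...
# Output: one line per DNAT rule with proto/port, container target, scope
# (EXPOSED-ANY when the rule matches destination 0.0.0.0/0, otherwise
# BOUND-<address>), and the in-interface match.
audit_dnat() {
    awk '
    $4 == "DNAT" {
        port = ""; to = ""
        for (i = 11; i <= NF; i++) {
            if ($i ~ /^dpt:/) port = substr($i, 5)
            if ($i ~ /^to:/)  to   = substr($i, 4)
        }
        if (port == "" || to == "") next
        scope = ($10 == "0.0.0.0/0") ? "EXPOSED-ANY" : ("BOUND-" $10)
        printf "%s/%s -> %s %s in=%s\n", $5, port, to, scope, $7
    }'
}

# Keep only the rules that accept traffic addressed to any host address.
exposed_ports() {
    audit_dnat | awk '$4 == "EXPOSED-ANY"'
}

# Constructed sample input. Rule 2 mirrors the DNAT rule quoted in the thread;
# rule 3 is an assumed rule for a container published on 127.0.0.1 only.
sample_rules() {
    cat <<'EOF'
Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
2        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432 to:172.17.0.2:5432
3        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            127.0.0.1            tcp dpt:6379 to:172.17.0.3:6379
EOF
}

# Live use (as root): iptables -L -n -v --line -t nat | exposed_ports
sample_rules | audit_dnat
```

Any EXPOSED-ANY line is a port that should be checked against the intended firewalld policy, since the zone configuration alone does not show it.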





