On 10/29/2018 08:18 PM, Alexander Dalloz wrote:
> On 29.10.2018 at 20:03, Frank Thommen wrote:
>> PostgreSQL is running in a docker container:
>>
>> $ docker ps
>> CONTAINER ID   IMAGE      COMMAND                  CREATED      STATUS      PORTS                    NAMES
>> 6f11fc41d2f0   postgres   "docker-entrypoint..."   4 days ago   Up 4 days   0.0.0.0:5432->5432/tcp   postgres
>> $
>>
>> The various docker interfaces and virtual bridges are not assigned to
>> any specific zone.
>>
>> Why is port 5432/tcp open?
>
> You will see it if you check the netfilter rules with:
>
> iptables -L -n -v --line -t filter
> iptables -L -n -v --line -t nat

In fact these rules forward port 5432 to docker:

$ iptables -L -n -v --line -t filter | grep 5432
1        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:5432
$ iptables -L -n -v --line -t nat | grep 5432
10       0     0 MASQUERADE tcp  --  *        *        172.17.0.2           172.17.0.2           tcp dpt:5432
2        0     0 DNAT       tcp  --  !docker0 *        0.0.0.0/0            0.0.0.0/0            tcp dpt:5432 to:172.17.0.2:5432
$

I am still puzzled that it is possible to circumvent firewalld so
easily. Basically it means that firewalld is not to be trusted as soon
as containers with port forwarding are running on a system.

frank

>> frank
> Alexander
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
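For anyone who wants to audit a host for the situation Frank describes, here is an added example that is not part of the thread and not code from Docker, firewalld or the CentOS project. It parses the output of `iptables -L -n -v --line -t nat` (the listing Alexander points at) and reports every Docker DNAT rule whose host-side destination is not a loopback address, since such a rule accepts connections from other hosts no matter what firewalld's zones say. The sample listing is constructed for the example: rule 2 is the PostgreSQL rule from the thread, rule 3 is a hypothetical container published on 127.0.0.1 only, added so the loopback-only case is exercised too.

```python
"""Find Docker-published ports that are reachable from outside the host,
by inspecting the DNAT rules Docker installs in the iptables nat table."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of "iptables -L -n -v --line -t nat" output, laid out
# like the listing in the thread. Rule 2 is the PostgreSQL DNAT from the
# thread; rule 3 is a hypothetical container published on 127.0.0.1 only.
SAMPLE_NAT_LISTING = """\
Chain DOCKER (2 references)
num   pkts bytes target     prot opt in       out     source               destination
1        0     0 RETURN     all  --  docker0  *       0.0.0.0/0            0.0.0.0/0
2        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432 to:172.17.0.2:5432
3        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            127.0.0.1            tcp dpt:6379 to:172.17.0.3:6379
"""

# Columns of a "-L -n -v --line" rule line:
# num pkts bytes target prot opt in out source destination [extra match/target text]
DNAT_RE = re.compile(
    r"^\s*\d+\s+\S+\s+\S+\s+DNAT\s+(?P<proto>\S+)\s+\S+\s+(?P<in>\S+)\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)
# The trailing text of a Docker DNAT rule: "tcp dpt:5432 to:172.17.0.2:5432"
EXTRA_RE = re.compile(r"dpt:(?P<port>\d+)\s+to:(?P<target>\S+)")


@dataclass(frozen=True)
class PublishedPort:
    proto: str
    host_dst: str      # destination the rule matches; 0.0.0.0/0 means any host address
    host_port: int
    target: str        # container ip:port the packet is rewritten to
    external: bool     # True if the port is reachable from other hosts


def _is_external(in_iface: str, host_dst: str) -> bool:
    """A rule that matches ingress on non-docker interfaces ("!docker0") with a
    non-loopback destination accepts traffic from other hosts, regardless of
    which firewalld zone the physical interface is in."""
    if not in_iface.startswith("!"):
        return False
    net = ipaddress.ip_network(host_dst, strict=False)
    return not net.is_loopback


def parse_published_ports(listing: str) -> list[PublishedPort]:
    """Extract the Docker DNAT rules from an iptables nat-table listing."""
    ports: list[PublishedPort] = []
    for line in listing.splitlines():
        m = DNAT_RE.match(line)
        if not m:
            continue                        # chain header, column header, non-DNAT rule
        e = EXTRA_RE.search(m.group("extra"))
        if not e:
            continue                        # DNAT rule without a dpt/to pair
        ports.append(PublishedPort(
            proto=m.group("proto"),
            host_dst=m.group("dst"),
            host_port=int(e.group("port")),
            target=e.group("target"),
            external=_is_external(m.group("in"), m.group("dst")),
        ))
    return ports


def externally_exposed(listing: str) -> list[str]:
    """One finding per published port that bypasses the host firewall."""
    return [
        f"{p.proto}/{p.host_port} -> {p.target} is reachable from any host"
        for p in parse_published_ports(listing)
        if p.external
    ]


if __name__ == "__main__":
    import subprocess
    # On a real host, read the live nat table; fall back to the sample
    # when iptables is unavailable (e.g. not root, or not Linux).
    try:
        listing = subprocess.run(
            ["iptables", "-L", "-n", "-v", "--line", "-t", "nat"],
            check=True, capture_output=True, text=True,
        ).stdout
    except (FileNotFoundError, PermissionError, subprocess.CalledProcessError):
        listing = SAMPLE_NAT_LISTING
    for finding in externally_exposed(listing) or ["no externally exposed Docker ports"]:
        print(finding)
```

Run it as root on the Docker host to audit the live nat table; without iptables it falls back to the constructed sample and reports only the 5432 rule. The distinction it draws is the one that matters for Frank's case: a DNAT whose destination is the wildcard 0.0.0.0/0 is hit by packets arriving on any interface, whereas a container published on a loopback host address (rule 3 in the sample) only ever matches local traffic, so it stays inside the host whatever firewalld allows.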