
 1 year ago
source link: https://gist.github.com/guns/1dc1742dce690eb560a3a2d7581a9632

Permissive forwarding rule leads to unintentional exposure of containers to external hosts · GitHub


If you add the following rules to your system's iptables configuration at boot, new forwarded connections arriving on external interfaces and destined for listening container services will be dropped, while outbound connections from containers still work:

iptables -I DOCKER-USER -i eth+ -m conntrack --ctstate NEW -j DROP
iptables -I DOCKER-USER -i wlan+ -m conntrack --ctstate NEW -j DROP

See: https://docs.docker.com/network/iptables/
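One way to apply those two rules from a boot script without stacking duplicates on every run, added here as an example that is not part of the gist. It assumes the iptables binary is available and that Docker has already created the DOCKER-USER chain; the DRY_RUN variable and the function names are introduced for this example.

```shell
#!/bin/sh
# Added example: insert the DOCKER-USER drop rules idempotently.
# Assumes iptables is installed and Docker has created the DOCKER-USER chain.
# Set DRY_RUN=1 to print the commands instead of executing them.

# Build the rule body for one interface wildcard, e.g. "eth+".
docker_user_rule() {
    printf 'DOCKER-USER -i %s -m conntrack --ctstate NEW -j DROP' "$1"
}

# Execute a command, or echo it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Insert the rule at the top of DOCKER-USER unless an identical rule
# already exists (iptables -C exits 0 when the rule is present).
ensure_drop_rule() {
    rule=$(docker_user_rule "$1")
    # shellcheck disable=SC2086  # word-splitting the rule is intended
    if [ -z "${DRY_RUN:-}" ] && iptables -C $rule 2>/dev/null; then
        echo "rule for $1 already present"
        return 0
    fi
    # shellcheck disable=SC2086
    run iptables -I $rule
}

# Apply the rule for each interface prefix given as an argument;
# with no arguments, use the gist's eth+ and wlan+.
apply_all() {
    [ $# -eq 0 ] && set -- 'eth+' 'wlan+'
    for iface in "$@"; do
        ensure_drop_rule "$iface"
    done
}
```

Call `apply_all` (optionally with your own interface prefixes) from the script that runs after Docker has started, since DOCKER-USER does not exist before the daemon creates it.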


