Closed ksurl closed 2 years ago
Did you try ALLOW_HOST_TRAFFIC? :)
oops, missed that on the readme.
Be warned, though, that enabling that will also allow access to any port-mappings. Practically speaking, for most deployments this just means that containers can initiate communication with the reverse proxy.
the link in the environment variables section that points to Technical Details no longer exists after the readme cleanup
I'll update that. Info is here now: https://github.com/kaysond/trafficjam/blob/master/ARCHITECTURE.md
Relevant section:
> Thus all traffic on the relevant subnet hits the DROP on Rule 4 except traffic initiated by the whitelisted containers (usually the reverse proxy).
> This alone is not sufficient to prevent inter-container communication, however. If a container has a port mapped to the host, other containers are still able to access it via the host IP address and the mapped port. This is because Rule 4 above only drops traffic within the subnet, not traffic to the outside, to allow containers to have internet access.
> This is blocked by another chain and set of rules. First, TrafficJam adds another chain in the filter table: TRAFFICJAM_INPUT. Then it adds a jump rule to the INPUT chain: `iptables -t filter -I INPUT -j TRAFFICJAM_INPUT`. The INPUT chain is used here because the incoming packet is destined for an IP address assigned to the host and does not need to be forwarded.
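To make the two-chain layout above concrete, here is an added example (not trafficjam's own entrypoint script) that prints the iptables commands for one subnet and the whitelisted addresses seen in the log further down. It assumes the isolation chain hangs off DOCKER-USER and models the TRAFFICJAM_INPUT rule bodies on the subnet chain, since the page only names that chain and its jump.

```shell
#!/bin/sh
# Added illustration, not trafficjam's own entrypoint script: print the
# iptables commands that build the two chains described above for one
# Docker subnet plus the whitelisted container IPs. Nothing is executed,
# so the rule order can be checked without root (pipe to `sh` to apply).
# Subnet and addresses are the ones from the log in this thread.
SUBNET="172.18.0.0/16"
WHITELIST="172.18.0.14 172.18.0.8"
# Assumption: TRAFFICJAM hangs off DOCKER-USER; the page only gives the INPUT jump.
PARENT_CHAIN="DOCKER-USER"
# Subnet-isolation chain. Every --insert lands at the top, so the commands
# below are emitted in the same order trafficjam logs them, and the chain
# is evaluated in the reverse order: conntrack RETURN, whitelisted RETURNs,
# then the Rule 4 DROP.
trafficjam_rules() {
    subnet=$1; shift
    echo "iptables -t filter -N TRAFFICJAM"
    echo "iptables -t filter -I $PARENT_CHAIN -j TRAFFICJAM"
    # Rule 4: drop everything that stays inside the subnet ...
    echo "iptables -t filter -I TRAFFICJAM -s $subnet -d $subnet -j DROP"
    # ... except connections initiated by whitelisted containers ...
    for ip in "$@"; do
        echo "iptables -t filter -I TRAFFICJAM -s $ip -d $subnet -j RETURN"
    done
    # ... and the replies flowing back on those connections.
    echo "iptables -t filter -I TRAFFICJAM -s $subnet -d $subnet -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
}
# Host-side chain: packets for a host IP traverse INPUT, not FORWARD, so the
# subnet rule above never sees them. Rule bodies here are an assumption
# modelled on the subnet chain; the page names only the chain and its jump.
trafficjam_input_rules() {
    subnet=$1; shift
    echo "iptables -t filter -N TRAFFICJAM_INPUT"
    echo "iptables -t filter -I INPUT -j TRAFFICJAM_INPUT"
    echo "iptables -t filter -I TRAFFICJAM_INPUT -s $subnet -j DROP"
    for ip in "$@"; do
        echo "iptables -t filter -I TRAFFICJAM_INPUT -s $ip -j RETURN"
    done
    echo "iptables -t filter -I TRAFFICJAM_INPUT -s $subnet -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
}
# Reads emitted commands on stdin and prints one chain's rules in the order
# the kernel evaluates them (reverse of insertion; classic sed "tac" idiom).
evaluation_order() {
    grep -- "-I $1 " | sed -n '1!G;h;$p'
}
trafficjam_rules "$SUBNET" $WHITELIST
trafficjam_input_rules "$SUBNET" $WHITELIST
```

Piping the output through `evaluation_order TRAFFICJAM` shows why a non-whitelisted container's first packet to a neighbour reaches the DROP while the proxy's traffic and its replies are RETURNed first.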
something is weird with nftables and ALLOW_HOST_TRAFFIC. when I comment it out in env section it works fine. when it is set to true, I get log errors and it loops trying to set rules
```
[2021-12-06 20:40:41] Added rule: --table filter --insert TRAFFICJAM --source 172.18.0.0/16 --destination 172.18.0.0/16 --jump DROP,
[2021-12-06 20:40:41] Added rule: --table filter --insert TRAFFICJAM --source 172.18.0.14 --destination 172.18.0.0/16 --jump RETURN,
[2021-12-06 20:40:41] Added rule: --table filter --insert TRAFFICJAM --source 172.18.0.8 --destination 172.18.0.0/16 --jump RETURN,
[2021-12-06 20:40:41] Added rule: --table filter --insert TRAFFICJAM --source 172.18.0.0/16 --destination 172.18.0.0/16 --match conntrack --ctstate RELATED,ESTABLISHED --jump RETURN,
# Warning: iptables-legacy tables present, use iptables-legacy to see them,
[2021-12-06 20:40:41] Removed TRAFFICJAM rule: DROP all -- 172.18.0.0/16 172.18.0.0/16 /* trafficjam-14BE2062 2021-12-06 20:40:05 */,
# Warning: iptables-legacy tables present, use iptables-legacy to see them,
[2021-12-06 20:40:41] Removed TRAFFICJAM rule: RETURN all -- 172.18.0.14 172.18.0.0/16 /* trafficjam-14BE2062 2021-12-06 20:40:05 */,
# Warning: iptables-legacy tables present, use iptables-legacy to see them,
[2021-12-06 20:40:41] Removed TRAFFICJAM rule: RETURN all -- 172.18.0.8 172.18.0.0/16 /* trafficjam-14BE2062 2021-12-06 20:40:05 */,
# Warning: iptables-legacy tables present, use iptables-legacy to see them,
[2021-12-06 20:40:41] Removed TRAFFICJAM rule: RETURN all -- 172.18.0.0/16 172.18.0.0/16 ctstate RELATED,ESTABLISHED /* trafficjam-14BE2062 2021-12-06 20:40:05 */,
[2021-12-06 20:40:41] ERROR: Could not get rules from chain 'TRAFFICJAM_INPUT' for removal: # Warning: iptables-legacy tables present, use iptables-legacy to see them,
iptables v1.8.7 (nf_tables): chain `TRAFFICJAM_INPUT' in table `filter' is incompatible, use 'nft' tool.
```
doesn't seem to cleanup TRAFFICJAM chains and rules either after shutdown (with and without ALLOW_HOST_TRAFFIC)
> doesn't seem to cleanup TRAFFICJAM chains and rules either after shutdown (with and without ALLOW_HOST_TRAFFIC)
That's by design. You don't want your firewall rules to disappear because of a crash.
Why is it complaining that you have legacy tables present? That seems odd...
I wonder if you had some legacy rules on TRAFFICJAM_INPUT from before and it can't remove it so it's complaining?
so it seems to actually be working. I can reach host portmap from the containers that are not whitelisted. but the log output just loops removing and re-adding the rules, which makes sense from what I see in the main entrypoint script while loop.
I see one bug. it tries to remove TRAFFICJAM_INPUT regardless of the setting of ALLOW_HOST_TRAFFIC. if it is on, it never created/added the table so that's why it gives the error, it failed to remove it.
the only entries in iptables-legacy are empty chains for INPUT, FORWARD, and OUTPUT
you brought up that a crash should not wipe out your rules. isn't the cleanup dangerous then to run in a loop if you are concerned about momentary lapses in the firewall?
> I see one bug. it tries to remove TRAFFICJAM_INPUT regardless of the setting of ALLOW_HOST_TRAFFIC. if it is on, it never created/added the table so that's why it gives the error, it failed to remove it.
Good catch! It does have to get called at least once, though, in case you have old rules and enable the setting.
> the only entries in iptables-legacy are empty chains for INPUT, FORWARD, and OUTPUT
Got it. The functions should still be catching all the stderr but looks like I missed one
> you brought up that a crash should not wipe out your rules. isn't the cleanup dangerous then to run in a loop if you are concerned about momentary lapses in the firewall?
It only removes old rules once it finishes adding new rules. So in a crash, worst case you end up with all the old rules and none/some of the new rules. Not ideal, but there's nothing you can really do if a firewall crashes in the middle of creating rules
Give the latest nightly a shot and lmk if that fixes it. I need to add some more testing still
no more errors, but it is looping every 5 seconds per the default polling interval. what is the reason it needs to check constantly? in case new containers are added with the whitelist filter?
> no more errors, but it is looping every 5 seconds per the default polling interval. what is the reason it needs to check constantly? in case new containers are added with the whitelist filter?
Correct. Or even if you restart the whitelisted containers and the network address changes, the rules need to be updated.
It looks like once trafficjam is running, it doesn't allow access to anything local outside of docker on the same host. Can support be added for allowing access to an ip or subnet of the host?