Open zero-custom opened 1 year ago
Hi, here a few suggestions.
--port 0.0.0.0:1234:1234
btw, beware of risks and side effects in Ph5.0 GA ova (photon-hw15-5.0-dde71ec57.x86_64.ova): change default root password and ssh permitrootlogin
Using the Photon OS 5.0 GA OVA system image provided on the download page. The tests above are on a fresh system without any changes; network mode was bridge, same as default.
tried to use --port 0.0.0.0:1234:1234
or --port 192.168.1.xxx:1234:1234
both don't work.
Hi @zero-custom,
Are you a pen tester, hacker, cyber security engineer or a developer, devops engineer for commercial products?
According to the open source licenses (-> OPEN_SOURCE_LICENSEPHOTON.TX), in this issue's case for nmap, it is written: "If you wish to embed Nmap technology into proprietary software, we sell alternative licenses."
I'm asking the question because docker containers and defaults for its process capabilities can be considered as proprietary software as a sufficient environment description is missing.
In addition, the nmap authors have a paragraph against inappropriate usage: Nmap should never be installed with special privileges (e.g. suid root). That would open up a major security vulnerability as other users on the system (or attackers) could use it for privilege escalation. Think of it
I am a volunteer user here and I do not want to give a helping hand for breaking the Photon OS EULA at all.
Neither; I just use nmap as a port state indicator, because it's straightforward enough to show the result. It can be replaced by any other program that connects to a port.
I just resolved this same issue with a Homebridge container (which works best out of the box when using docker host networking).
The problem was ultimately quite simple - Photon OS locks down host ports with an iptables whitelist out of the box, and by default it only permits port 22 (ssh).
To permit inbound connections to a container running on Photon and using docker host networking, you must add a rule to the iptables INPUT chain.
Add your rules to /etc/systemd/scripts/ip4save to persist the rule.
Add once via command line to test:
iptables -A INPUT -p tcp -m tcp --dport 8581 -j ACCEPT
Confirm change:
root@photon [ ~ ]# iptables -nvL INPUT
Chain INPUT (policy DROP 1208 packets, 390K bytes)
pkts bytes target prot opt in out source destination
38 4519 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
322 38779 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 52 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8581
To persist the change, add a rule near the bottom of ip4save in the INPUT chain for port 8581:
root@photon [ ~ ]# cat /etc/systemd/scripts/ip4save
# init
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow local-only connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#keep commented till upgrade issues are sorted
#-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Permit Homebridge traffic to host on port 8581
-A INPUT -p tcp -m tcp --dport 8581 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
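A small helper for the two tasks this answer describes (checking which TCP ports the ip4save whitelist admits, and inserting a new ACCEPT rule after the last INPUT rule so it lands before COMMIT). This is an added example, not code from the Photon OS project or from anyone in this thread; the sample file content is constructed to mirror the layout shown above.

```python
"""Audit and extend Photon OS's /etc/systemd/scripts/ip4save (iptables-save format)."""
import re

# Constructed sample mirroring the ip4save layout shown in the thread (hypothetical content).
SAMPLE_IP4SAVE = """\
# init
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:INPUT\s+(\S+)")
# One rule per line: an INPUT rule that matches TCP, a destination port, and jumps to ACCEPT.
ACCEPT_RE = re.compile(r"^-A INPUT\b.*-p tcp\b.*--dport (\d+)\b.*-j ACCEPT\s*$")


def input_policy(text):
    """Return the INPUT chain's default policy (e.g. 'DROP'), or None if not declared."""
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            return m.group(1)
    return None


def accepted_tcp_ports(text):
    """Sorted list of TCP destination ports the INPUT chain explicitly ACCEPTs."""
    ports = set()
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return sorted(ports)


def allow_tcp_port(text, port, comment=None):
    """Return text with an ACCEPT rule for `port` added after the last INPUT rule.

    Idempotent: if the port is already accepted, the text is returned unchanged.
    Placing the rule after the last INPUT rule keeps it inside the *filter table
    and ahead of COMMIT, as the answer above recommends.
    """
    if port in accepted_tcp_ports(text):
        return text
    lines = text.splitlines()
    last = max(i for i, l in enumerate(lines) if l.startswith("-A INPUT"))
    rule = [f"-A INPUT -p tcp -m tcp --dport {port} -j ACCEPT"]
    if comment:
        rule.insert(0, f"# {comment}")
    return "\n".join(lines[:last + 1] + rule + lines[last + 1:]) + "\n"
```

Run it against the real file with `open("/etc/systemd/scripts/ip4save").read()` to see what the whitelist currently admits before editing it.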
Describe the bug
Using Photon OS 5.0 (OVA with virtual hardware v15) the host can't access docker's ports.
Reproduction steps
example
docker run -p 1234:1234 alpine nc -l 1234
test 1: the host scans the port on its network address
nmap 192.168.1.xxx -p 1234
result: port 1234 was filtered
test 2: the host scans the port on the loopback address
nmap 127.0.0.1 -p 1234
result: port 1234 was open
Expected behavior
expect ports opened on all network interfaces.
Additional context
No response