vmware / photon

Minimal Linux container host
https://vmware.github.io/photon

can't access docker's ports except using loopback address #1506

Open zero-custom opened 1 year ago

zero-custom commented 1 year ago

Describe the bug

Using Photon OS 5.0 (OVA with virtual hardware v15), the host can't access Docker's ports.

Reproduction steps

Example: docker run -p 1234:1234 alpine nc -l 1234

Test 1: the host scans the port on its own network address, nmap 192.168.1.xxx -p 1234; result: port 1234 was filtered.

Test 2: the host scans the port on the loopback address, nmap 127.0.0.1 -p 1234; result: port 1234 was open.

Expected behavior

Expect the ports to be opened on all network interfaces.

Additional context

No response

dcasota commented 1 year ago

Hi, here a few suggestions.

  1. Similar to #1320, see the Docker OS restrictions at https://docs.docker.com/network/host/: "The host networking driver only works on Linux hosts, and is not supported on Docker Desktop for Mac, Docker Desktop for Windows, or Docker EE for Windows Server."
  2. Provide more details about the configured host and Docker networking subsystem (networking mode: nat, bridge, host, ...).
     2.A For host networking mode: bind the host to 0.0.0.0 instead of localhost or 127.0.0.1, e.g. with --port 0.0.0.0:1234:1234
  3. Check the settings of the host firewall, the Photon OS firewall (iptables, nftables).
  4. Try the behavior in Ph5.0 GA with the latest docker (24.0.5) on Ph5. There is no package of the latest docker 24.0.6 yet.

By the way, beware of risks and side effects in the Ph5.0 GA OVA (photon-hw15-5.0-dde71ec57.x86_64.ova): change the default root password and the ssh PermitRootLogin setting.

zero-custom commented 1 year ago

Using the Photon OS 5.0 GA OVA system image provided on the download page. The tests above were done on a fresh system without any changes; the network mode was bridge, the same as the default.

Tried to use --port 0.0.0.0:1234:1234 or --port 192.168.1.xxx:1234:1234; both don't work.

dcasota commented 1 year ago

Hi @zero-custom,

Are you a pen tester, hacker, cyber security engineer or a developer, devops engineer for commercial products?

According to the open source licenses (-> OPEN_SOURCE_LICENSEPHOTON.TX), in this issue's case for nmap, it is written: "If you wish to embed Nmap technology into proprietary software, we sell alternative licenses."

I'm asking the question because Docker containers and the defaults for their process capabilities can be considered proprietary software, as a sufficient environment description is missing.

In addition, the nmap authors have a paragraph against inappropriate usage: "Nmap should never be installed with special privileges (e.g. suid root). That would open up a major security vulnerability as other users on the system (or attackers) could use it for privilege escalation." Think of it.

I am a volunteer user here and I do not want to give a helping hand for breaking the Photon OS EULA at all.

zero-custom commented 1 year ago

Neither; I just use nmap as a port state indicator, because it's straightforward enough to show the result. It can be replaced by any other program that connects to the port.

ssahani commented 1 year ago

See https://github.com/vmware/photon/issues/1277

ghandye commented 8 months ago

It's iptables.

I just resolved this same issue with a Homebridge container (which works best out of the box when using Docker host networking).

The problem was ultimately quite simple - Photon OS locks down host ports with an iptables whitelist out of the box, and by default it only permits port 22 (ssh).

To permit inbound connections to a container running on Photon and using Docker host networking, you must add a rule to the iptables INPUT chain.

Add your rules to /etc/systemd/scripts/ip4save to persist the rule.

Example, after adding TCP port 8581 (the default Homebridge port):

Add it once via the command line to test: iptables -A INPUT -p tcp -m tcp --dport 8581 -j ACCEPT

Confirm change:

root@photon [ ~ ]# iptables -nvL INPUT
Chain INPUT (policy DROP 1208 packets, 390K bytes)
 pkts bytes target     prot opt in     out     source               destination
   38  4519 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
  322 38779 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    52 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8581

To persist the change, add a rule near the bottom of ip4save in the INPUT chain for port 8581:

root@photon [ ~ ]# cat /etc/systemd/scripts/ip4save
# init
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow local-only connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#keep commented till upgrade issues are sorted
#-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Permit Homebridge traffic to host on port 8581
-A INPUT -p tcp -m tcp --dport 8581 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
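The two steps in the comment above (add the ACCEPT rule live with iptables, then write the same rule into /etc/systemd/scripts/ip4save so it survives a reboot) as one idempotent script. This is an added example written for this thread, not code from the Photon OS project or from the commenter; the function names are hypothetical, and the optional source CIDR argument is an assumption about preferring a narrower rule than 0.0.0.0/0. The live step uses `iptables -C` so re-running it never appends a duplicate, and the persist step inserts the line into the INPUT section of ip4save (before the `-A OUTPUT -j ACCEPT` line, as in the listing above) only if it is not already there. Two caveats a practitioner would want: this opens a port for the host-networking case the comment describes, and for the reporter's `-p` bridge publishing the packets instead go through Docker's nat-table DNAT and the FORWARD chain, where ip4save's `:FORWARD DROP [0:0]` policy applies, so check `iptables -nvL FORWARD` and `iptables -t nat -nvL` counters there rather than INPUT.

```shell
#!/bin/sh
# Added example (not Photon OS code): open one TCP port through the
# Photon OS iptables whitelist, live and persistently, without duplicates.

# Path is the one the thread cites; override with IP4SAVE=... for testing.
IP4SAVE="${IP4SAVE:-/etc/systemd/scripts/ip4save}"

# Rule body shared by the live (iptables -A) and persisted (-A in ip4save)
# forms. $1 = TCP port, $2 = optional source CIDR (assumption: limiting the
# peers that may reach the port is preferable to opening it to the world).
rule_body() {
    port=$1; src=${2:-}
    if [ -n "$src" ]; then
        printf 'INPUT -s %s -p tcp -m tcp --dport %s -j ACCEPT' "$src" "$port"
    else
        printf 'INPUT -p tcp -m tcp --dport %s -j ACCEPT' "$port"
    fi
}

# Live change. iptables -C exits non-zero when the rule is absent, so the
# -A only runs once however often this is invoked. Needs root.
apply_live_rule() {
    body=$(rule_body "$1" "${2:-}")
    # shellcheck disable=SC2086  (word splitting of $body is intended)
    iptables -C $body 2>/dev/null || iptables -A $body
}

# Persistent change: add "-A <body>" to the *filter section of ip4save,
# just before the "-A OUTPUT ..." line (or before COMMIT if that line is
# missing), skipping the write if an identical line already exists.
persist_rule() {
    file=$1; body=$(rule_body "$2" "${3:-}")
    line="-A $body"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    tmp=$(mktemp)
    awk -v line="$line" '
        /^-A OUTPUT / && !done { print line; done = 1 }
        /^COMMIT$/   && !done { print line; done = 1 }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# How many copies of the rule the file holds; exactly 1 is expected after
# persist_rule, no matter how many times it ran.
rule_count() {
    grep -cxF -- "-A $(rule_body "$2" "${3:-}")" "$1"
}

# Usage (as root on the Photon host), e.g. for the Homebridge port above:
#   persist_rule "$IP4SAVE" 8581 192.168.1.0/24
#   apply_live_rule 8581 192.168.1.0/24
#   iptables -nvL INPUT      # new ACCEPT line present; its counters move
#                            # while the policy DROP counter stops growing
```

Run `persist_rule` first so a typo in the port or CIDR is caught in a text file before it touches the live ruleset; if the ip4save edit looks right, apply it live, then re-run the `nmap`/`nc` check from the LAN address and confirm that the per-rule packet counter in `iptables -nvL INPUT` is what increments.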