Docker containers bypass OpenWrt firewall

saket424 · March 12, 2022, 4:01pm

I am facing the same issue. I am noticing that docker bridge bypasses openwrt firewall rules
What are other people doing when they host docker containers on an x86 openwrt21.02 host when it comes to securing the firewall

there is a project https://github.com/chaifeng/ufw-docker that seeks to fix it for ufw. Is there any similar equivalent workaround for openwrt 21.02?

I looked here but did not understand what was being suggested

github.com/openwrt/packages

docker-ce: security issue, open ports from WAN

opened 07:03AM - 16 Jul 20 UTC

closed 07:42AM - 07 Jun 21 UTC

dimonb

Maintainer: G.M0N3Y.2503@gmail.com Environment: snapshot docker-ce_19.03.12-2_x…86_64 Description: If tunnel port from docker container to host (-P option), it will be accessible from WAN. By default access from WAN should be prohibited for docker containers I think Example: `docker run --rm -ti -p 65341:8800 krys/echo-server` From wan: ``` ~ » nmap -p65341 xxxx Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-16 09:57 MSK Nmap scan report for 172.17.0.79 Host is up (0.15s latency). PORT STATE SERVICE 65341/tcp open unknown ```

saket424 · March 12, 2022, 4:36pm

Here is an extract from docker-compose.yml

  influxdb:                                 
    container_name: influxdb                
    image: "influxdb:latest"                
    restart: unless-stopped         
    ports:                          
      - "8086:8086"                 
      - "8083:8083"                 
      - "2003:2003"         
    env_file:               
      - ./services/influxdb/influxdb.env
    volumes:                            
      - ./volumes/influxdb/data:/var/lib/influxdb
      - ./backups/influxdb/db:/var/lib/influxdb/backup

The firewall is letting 8086 traffic through even though it should be dropping all wan packets. 192.168.155.171 happens to be the wan interface address and 192.168.2.1 happens to be the lan interface address

nand@tufb:~$ telnet 192.168.155.171 8086
Trying 192.168.155.171...
Connected to 192.168.155.171.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

I am using the default openwrt firewall configuration where no wan port is supposed to be opened and all ports are supposed to be denied but docker seems to be bypassing it

What is the suggested work around to ensure port 8086 is only open on the lan and not on the wan?

Hudra · March 12, 2022, 7:17pm

You could prevent Docker from manipulating iptables by setting:

option iptables '0'

in /etc/config/dockerd

.. but this could break container networking. I guess you will have to try…

I was messing with openwrt and docker a few months ago and after that my conclusion is that I use docker on my router only with the option --net=host (so it punches no holes in my firewall) and with the option iptables disabled and only for some specific applications like packet sniffing with ntopng.

Something like this:

docker run -it -p 3000:3000 --net=host ntop/ntopng:latest -i br-lan

For all the other docker stuff (like nextcloud, nginx, jellyfin, unifi controller…) I set up a little home server. Makes it a lot easier.

saket424 · March 12, 2022, 7:38pm

@Hudra
Ideally I want to expose some docker containers that represent specific services on the wan but I want other internal services locked down to the lan unless explicitly permitted via firewall rules.

I think you are suggesting to not run most docker containers on the main router switch and to delegate it to a different piece of hardware. I of course want to be able to do it all on a single main device.

I am looking forward to seeing how others are using/coping the docker containers on openwrt x86_64 in 21.02 in a secure manner

grrr2 · March 12, 2022, 8:02pm

this does not look like default configuration, you basically opened your wan totally.
input/output/forwarding/masquerading columns means that a interface(s) in particular zone can ingress/egress to the router, and forward to other zone, and if masquerading is needed. wan accept input is not what you want, you should only allow output + masquerading .

also, by default docker is listening on all interfaces. someone raised the same problem recently, search for the topic there may be a resolution.

saket424 · March 13, 2022, 12:17am

@grrr2
Thanks for your respoonse
Even after I fixed the input/output/forwarding/masquerading columns for wan per your recommendation, I still was able to reach the service via the wan because docker-compose listens by default on 0.0.0.0 and it bypasses the firewall by manipulating iptables directly

I spent hours googling and finally found this article https://earthly.dev/blog/youre-using-docker-compose-wrong/

So I tried this modified docker-compose.yml

  influxdb:
    container_name: influxdb
    image: "influxdb:latest"
    restart: unless-stopped
    ports:
      - "192.168.2.1:8086:8086"
      - "192.168.2.1:8083:8083"
      - "192.168.2.1:2003:2003"
    env_file:
      - ./services/influxdb/influxdb.env
    volumes:
      - ./volumes/influxdb/data:/var/lib/influxdb
      - ./backups/influxdb/db:/var/lib/influxdb/backup

This has the intended effect of exposing the influxdb service only on the lan and not on the wan

anand@tufb:~$ telnet 192.168.155.171 8086
Trying 192.168.155.171...
telnet: Unable to connect to remote host: Connection refused
anand@tufb:~$ telnet 192.168.2.1 8086
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.
^C^]
telnet> quit
Connection closed.

system · March 23, 2022, 12:18am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.