This is how I run the rabbitMQ image:
docker run -d --restart always --hostname host-rabbit --name cg-rabbit -p 5029:5672 -p 5020:15672 -e RABBITMQ_DEFAULT_VHOST=sample_vhost -e RABBITMQ_DEFAULT_USER=sampleuser -e RABBITMQ_DEFAULT_PASS=samplepass rabbitmq:3-management
Now in netstat -nltp:
ubuntu#infra:~$ netstat -nltp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::5020 :::* LISTEN -
tcp6 0 0 :::5029 :::* LISTEN -
I'm not sure why I see tcp6 when docker exposes ports to host and if it makes issues!
Now when I telnet from within the server I can see that port is open:
ubuntu#infra:~$ telnet MY-SERVER-IP-ADDRESS 5029
Trying MY-SERVER-IP-ADDRESS...
Connected to MY-SERVER-IP-ADDRESS.
Escape character is '^]'.
^]
telnet> Connection closed.
But in my machine when I try to telnet (or from another server):
$ telnet MY-SERVER-IP-ADDRESS 5020
Trying MY-SERVER-IP-ADDRESS...
^C
iptables -L reports:
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5020
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5029
ACCEPT tcp -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:amqp
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:15672
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
It is good to note that I have installed a redis server in server (non-docker) and I am able to telnet to it form outside.
EDIT-1:
sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:15672
MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:amqp
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere anywhere tcp dpt:15672 to:172.17.0.2:15672
DNAT tcp -- anywhere anywhere tcp dpt:amqp to:172.17.0.2:5672
EDIT-2:
Docker configuration:
ubuntu#infra:~$ sudo cat /var/snap/docker/796/config/daemon.json
{
"log-level": "error",
"storage-driver": "overlay2"
}
This is really odd. By flushing the NAT in iptables everything works as expected:
iptables -t nat -F
My nat before flushing:
ubuntu#infra:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:15672
MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:amqp
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere anywhere tcp dpt:15672 to:172.17.0.2:15672
DNAT tcp -- anywhere anywhere tcp dpt:amqp to:172.17.0.2:5672
And now after flushing everything is gone:
ubuntu#infra:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain DOCKER (0 references)
target prot opt source destination
NOTE: by restarting docker via sudo snap restart docker net rules are back again and I had to flush NATs again!
Related
The gist of the issue is that if I create and run a docker container (from any image, I tried many) the container does not have network access beyond the default bridge Docker creates; even when using IP addresses (not URLs/names).
I.e.
docker run --rm -it busybox ping 8.8.8.8 hangs/fails for not having accessing the network
docker run --rm -it busybox ping 172.17.0.1 also fails (note that 172.17.0.1 is docker0's IP on the host and also the gateway set by docker in the container)
if I create two containers I can ping either one from the other fine
N.B:
I have two Ubuntu hosts (same version) both running Docker 19.03.6. On one of them (dev machine) I don't have the issue (it works just fine), on the other one I do. Which means it is most likely not an OS and/or Docker version issue but some sort of misconfiguration.
It is not the DNS issue asked in most questions I could find. In fact, it is not a DNS issue at all. It presents itself when I use direct IP addresses as well as with URLs.
I use iptables on the host; these are the rules on the one where it does not work (they are different on the dev machine where networking works fine but I cannot set the here the same):
Chain INPUT (policy DROP)
target prot opt source destination
f2b-postfix-sasl tcp -- anywhere anywhere multiport dports smtp,urd,submission,imap3,imaps,pop3,pop3s
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:ntp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:urd state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:urd state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:submission state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:ntp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:imap2 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:imaps state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:urd state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:smtp state ESTABLISHED
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-postfix-sasl (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-ssh (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
I am not sure what else to add for clarification.
What should I do?
I am having some difficulties setting a default iptables script as it won't run. It shows the error: iptables: Index of deletion too big
I have tried re-ordering the rules, attempting to delete all first before adding, etc. but it doesn't seem to be helping. What am I doing wrong?
Here is the script:
#!/bin/bash
iptables -P FORWARD DROP
iptables -D FORWARD 1
iptables -P INPUT DROP
iptables -D INPUT 5
iptables -D INPUT 4
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -D INPUT 3
iptables -I INPUT -p icmp -j ACCEPT
the original IP tables looks like this:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
119 13723 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
1 60 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
A few days ago I have installed CSF on my Ubuntu host via SSH. Everything seemed to be working fine and I had the chance to play with it for a few hours. Figuring out how I close and open ports. Everything seemed to be working fine.
Today I tried to make a restriction for my 3306 mysql port and allow access only for a specific IP address. I did this by checking that it is removed from TCP_IN and TCP_OUT lines on csf.conf and inserting it on csf.allow.
This seamed not to be working as the port was appearing to be open when scanning it with nmap. After further debugging I figured out that any change that I was now making on the csf.conf and csf.allow files had no effect on the availability of the ports.
I've research further and found out that there might be some issues between the ufw firewall, iptables and csf so I stopped the ufw firewall and deleted all my iptables rules and setting them to the default values.
:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
:~$ sudo service ufw status
ufw stop/waiting
And now I just flushed, stopped and started the csf firewall:
csf -f, csf -x, csf -e
After the restart it seems like sudo iptables -L will output a huge list of rules with source as anywhere and destination as anywhere. I have no previous experience with this so I am not really sure if I am able to extract the right sensitive information but after reading about it I assumed this is not right for my situation.
On the other hand csf -L has a different output. With most source and destination ip's as 0.0.0.0/0. What I could extract from the csf -L output is that there is an INVALID Chain.
Chain INVALID (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 INVDROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
2 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
3 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
4 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
5 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
6 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
7 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
8 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
9 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
10 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 ctstate NEW
and
Chain ALLOWIN (1 references)
num pkts bytes target prot opt in out source destination
1 210 10680 ACCEPT all -- !lo * [mysship] 0.0.0.0/0
Chain ALLOWOUT (1 references)
num pkts bytes target prot opt in out source destination
1 295 41404 ACCEPT all -- * !lo 0.0.0.0/0 [mysship]
MYSSHIP is the ip from which I connect using SSH which I've put on the csf.allow and also the ssh port is found on csf.conf TCP_IN, TCP_OUT lists.
Emm, for me i changed the policy to Drop then i allowed whatever i wanted, take a look :
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
You can add the IP# you want with -s (for source) or -d (for destinaiton) !
I am not really sure what was causing the confusion but I flushed all my previous configs from both iptables and csf. I re-installed csf than wrote all the configs one by one, testing at every step using nmap. I've also modified the TESTING_INTERVAL to 15. I think that my firewall settings were getting cleared too fast while I was keeping TESTING = 1;
I have a dedicated server Kimsufi Ks-3 with stock kernel and KVM virtualization.
I have installed windows server on a kvm guest, and I'm trying to redirect a port from host machine to the rdp windows port (3389). For do than I have used iptables with this commands:
root#ns370482:~# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 192.168.100.208:3389
root#ns370482:~# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 2222 -j DNAT --to-destination 192.168.100.208:3389
192.168.100.208 is the guest Windows Server.
When I try to connect trough host machine with remmina to te private ip it works, but when I try from the public IP of the server with publicip:2222, it doesn't work.
root#ns370482:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:2222 to:192.168.100.208:3389
DNAT udp -- anywhere anywhere udp dpt:2222 to:192.168.100.208:3389
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE tcp -- anywhere anywhere tcp dpt:3389
MASQUERADE udp -- anywhere anywhere udp dpt:3389
What I'm doing wrong?
I'm struggling to understand why I can't open port 61616 by adding IPTABLES rule. Here is the listing of all rules, obtained via IPTABLES -L command.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:61616
ACCEPT udp -- anywhere anywhere udp dpt:cslistener
ACCEPT tcp -- anywhere anywhere tcp dpt:cslistener
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:61616
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
As much as I'm ignorant about IPTABLES, what confuses me is that http port is visible from the outside, yet port 61616 still isn't. For me, the rules look the same. Anyways, all help's appreciated.
Best
Maybe you try to open port for host in the network behind the CentOS host (CentOS host is firewall for network)?
If so, you must add rule for chain FORWARD of table filter, and you should
add rule for DNAT to some IP in network x.x.x.x
iptables -A FORWARD -p tcp --dport 61616 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 61616 -j DNAT --to-destinanion x.x.x.x