[CentOS] PostgreSQL port accessible even though it should be blocked by firewall

Frank Thommen list.centos at drosera.ch
Tue Oct 30 15:31:08 UTC 2018



On 10/29/2018 08:18 PM, Alexander Dalloz wrote:
> Am 29.10.2018 um 20:03 schrieb Frank Thommen:
>> PostgreSQL is running in a docker container:
>>
>> $ docker ps
>> CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
>> 6f11fc41d2f0        postgres            "docker-entrypoint..."   4 days ago          Up 4 days           0.0.0.0:5432->5432/tcp   postgres
>> $
>>
>>
>> The various docker interfaces and virtual bridges are not assigned to 
>> any specific zone.
>>
>>
>> Why is port 5432/tcp open?
> 
> You will see it if you check the netfilter rules with:
> 
> iptables -L -n -v --line -t filter
> iptables -L -n -v --line -t nat

In fact these rules forward port 5432 to docker:

$ iptables -L -n -v --line -t filter  | grep 5432
1        0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:5432
$ iptables -L -n -v --line -t nat  | grep 5432
10       0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:5432
2        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432 to:172.17.0.2:5432
$

I am still puzzled that it is possible to circumvent firewalld so 
easily.  Basically it means that firewalld is not to be trusted as soon 
as containers with port forwarding are running on a system.

frank

> 
>> frank
> 
> Alexander
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
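The DNAT rule Frank found is the mechanism by which a published container port reaches the network ahead of the firewalld zone rules. The following script is an added example for this thread (it is not from the original posts, nor from Docker or firewalld) showing how an administrator can audit which ports Docker has published, and whether each one is limited to loopback. It reads the output of `iptables -t nat -S DOCKER`; because the verifier runs offline, a constructed sample of that output is embedded in `SAMPLE_NAT_RULES` (the 8080 rule with `-d 127.0.0.1/32` is what a `-p 127.0.0.1:8080:80` publish produces and is included only for contrast). The function names `published_ports` and `count_exposed` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Audit Docker-published ports by reading the DNAT rules in the nat table's
# DOCKER chain. These rules are inserted by the Docker daemon and are evaluated
# before firewalld's zone rules, which is why 5432 was reachable in the thread.

# Constructed sample of `iptables -t nat -S DOCKER` output (replace with
# "$(iptables -t nat -S DOCKER)" on a real host).
SAMPLE_NAT_RULES='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
-A DOCKER ! -i docker0 -d 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.3:80'

# published_ports RULES
# Prints one line per DNAT rule: "<proto> <dport> -> <container:port> <scope>".
# scope is "localhost-only" when the rule carries a loopback -d match (the
# container was published with -p 127.0.0.1:...), otherwise "EXPOSED".
published_ports() {
    printf '%s\n' "$1" | awk '
    /-j DNAT/ {
        proto = ""; dport = ""; dest = ""; addr = "0.0.0.0/0"
        for (i = 1; i <= NF; i++) {
            if ($i == "-p")               proto = $(i + 1)
            if ($i == "--dport")          dport = $(i + 1)
            if ($i == "--to-destination") dest  = $(i + 1)
            if ($i == "-d")               addr  = $(i + 1)
        }
        scope = (addr ~ /^127\./) ? "localhost-only" : "EXPOSED"
        print proto, dport, "->", dest, scope
    }'
}

# count_exposed RULES
# Number of published ports reachable from any interface (useful as a check
# in a compliance script: a non-zero count means firewalld is not the only gate).
count_exposed() {
    published_ports "$1" | grep -c 'EXPOSED$'
}

published_ports "$SAMPLE_NAT_RULES"
echo "exposed: $(count_exposed "$SAMPLE_NAT_RULES")"
```

On a real host the two choices that keep firewalld meaningful are to publish only on loopback (`-p 127.0.0.1:5432:5432`) when the database is meant for local clients, or to add explicit ACCEPT/DROP rules in Docker's `DOCKER-USER` chain (present in Docker releases that provide it), which Docker consults before its own DNAT/forward rules; the script above only reports, it does not change any rule.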
