Docker on TOS 6.1 - allow access to service running in a container from internet

msh · January 19, 2023, 9:58pm

I am curious what would be the best way to achieve the subj.

Let say I am running container like this

docker run --rm -d -p 8080:80 nginx:1.23.3-alpine-slim

I want to keep in place the solution preventing docker to by-pass firewall in /etc/cofig/dockerd so I don’t expose anything accidentally

config firewall 'firewall'
        option device 'docker0'
        list blocked_interfaces 'wan'
        option extra_iptables_args '--match conntrack ! --ctstate RELATED,ESTABLISHED' # allow outbound connections

After starting dockerd these firewall rules (among others) are added

-A FORWARD -j DOCKER-USER # first rule for FORWARD chain
...
-A DOCKER-USER -i eth2 -o docker0 -m conntrack ! --ctstate RELATED,ESTABLISHED -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN

With this setup I haven’t found a way how to enable traffic from the internet to the container using configuration in /etc/config/firewall
Is this really impossible? Or did I miss something?

I have found a way how to achieve what I need by manually adding a rule into the firewall

iptables -I DOCKER-USER -i eth2 -o docker0 -d 172.17.0.2 -p tcp -m tcp --dport 80 -j RETURN

Would this be the right approach?

jjcale · May 13, 2023, 6:34pm

I am after the same thing, I want to run a simple web server inside a docker container and expose it to the internet. I want to make sure the web server is secure and fully isolated. In principal I only want to run a simple static web page. Any idea? Anyone?

jjcale · May 14, 2023, 4:51pm

@msh

opkg install docker
opkg install dockerd
reboot
docker run -dp 8080:80 -v “$(pwd):/usr/share/nginx/html” nginx:1.23.3-alpine-slim
added port forward rule: external TCP port to internal TCP port 8080: turris_LAN_IP_address

And it works.

How much is nginx isolated from the local network? Can nginx communicate on the local LAN? What is my security risk?

AreYouLoco · May 14, 2023, 4:55pm

If I were you I would make sure you have set the docker to store data on external storage in /etc/config/dockerd like that you will prevent accidental wear of flash on Omnia. So for example to keep images in /srv and making sure you actually have external storage

jjcale · May 14, 2023, 5:40pm

@AreYouLoco thanks for the hint. Does it make much difference if I only run a static web page? I am thinking what kind of writes do I get with nginx?

jjcale · May 14, 2023, 6:00pm

I see that: logs, locks and caches under /opt/docker/
Time to relocate to HDD…

jjcale · May 15, 2023, 8:42am

One more thing, if an attacker gets inside my docker, he will have access to the local LAN. I checked that from within the container. How do I ‘jail’ my container network, so that one can only communicate to the Internet? Any idea? Thanks a bunch!

hagrid · May 15, 2023, 9:42am

This is called a firewall and is used to allow or deny access to parts of the network.

jjcale · May 15, 2023, 9:57am

@hagrid of course I know next to nothing about the ISO/OSI model, firewalls, chains, iptables, ufw, NAT, ICMP, IP, TCP, UDP, routing, OSPF, CSMA/CD, Token Ring, Ethernet, port mapping, port knocking, proxies, reverse proxies, TTL, SSL/TLS, etc. etc.
My question was specific as to what exactly you propose to jail docker0 interface so that the docker container can only communicate with the WAN and not with the LAN. It’s not trivial. If you know better, let me know.

hagrid · May 15, 2023, 9:59am

As I do know nothing about your docker setup, my response will be generic.
Create a firewall rule that blocks access from your docker container to LAN network.