Context Navigation

Changes between Version 3 and Version 4 of SystemAdministration/Security

Timestamp:: 05/18/16 14:31:35 (8 years ago)
Author:: Sander Maijers
Comment:: Add warnings/solutions for Docker Engine daemon networking security issues

-                      v3
+                      v4
  * Always make sure that the virtualized app drops its privileges as much as possible.
+##### Firewalling #####
+. [https://github.com/docker/docker/issues/22054 Docker Engine daemon modifies iptables to bypass firewall rules for mapped ports by default!]
+. [https://github.com/docker/docker/issues/14041 Docker Engine daemon enabled kernel IP forwarding without adding any restricting rules on what inbound IP packets are being forwarded!]
+Possible solution to second issue, using script:
+{{{#!sh
+EXT_IF=$( ip r s 0.0.0.0/0 | cut -f5 -d" " )
+EXT_IPV4=$( ip a s dev ${EXT_IF} | grep "inet " | awk '{print $2}' | sed 's/\/.*//' )
+iptables -t mangle -I PREROUTING 1 -i $EXT_IF ! -d $EXT_IPV4 -j DROP
+}}}
 #### Drupal ####
 [http://www.drupal.org/security]