Iptables with docker-user, release connections with the container itself

If the system that is inside the container tries to connect to MySQL from the container itself using the server IP (192.168.0.200), it does not connect.

The problem is in

iptables -P INPUT DROP

If I remove it, it works, but it removes the security of the server.

 My Host: 192.168.0.100
 Server with docker: 192.168.0.200

My rules:

    #!/bin/bash

    # Default policies: drop everything inbound or forwarded, allow outbound
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # ESTABLISHED: allow traffic belonging to connections already tracked
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # PING
    iptables -t filter -A INPUT -p icmp -j ACCEPT

    # LOOPBACK
    iptables -A INPUT -i lo -j ACCEPT

    # SSH, only from my host
    iptables -A INPUT -p tcp -s 192.168.0.100 --dport 22 -j ACCEPT

    # DROP ALL CONNECTIONS TO MYSQL IN THE CONTAINER ARRIVING ON THE LAN INTERFACE
    iptables -I DOCKER-USER -i eno1 -p tcp --dport 3306 -j DROP

    # ALLOW MYSQL FROM MY HOST'S IP (inserted above the DROP rule)
    iptables -I DOCKER-USER -p tcp -s 192.168.0.100 --dport 3306 -j ACCEPT

    # PORT 80 CONTAINER
    iptables -I DOCKER-USER -p tcp --dport 80 -j ACCEPT

Why would you use the server IP instead of “localhost” if both processes are inside the same container? If the processes are in two different containers, you can use the MySQL container’s name as hostname to connect to the database. MySQL shouldn’t even listen on a LAN IP and you should not forward ports from the LAN IP to the container unless it is a database server and you want to connect to the database from other hosts…

Yes, the correct thing would be to use localhost, but some users end up using the IP.

But there is another problem. I have another container with MongoDB with replication. For some reason, MongoDB needs to connect to itself for replication to work.

Example:
The master connects to the slave and the slave connects to itself, and because of this block the replication doesn’t work.

Thanks

No, the correct way would be using the service names as I mentioned in my previous comment.
That is not likely to be blocked, but that could happen too in case of an incorrectly configured firewall.

What do you mean by “some users end up using the IP”? The point is not using a hostname, but using internal IP addresses instead of the IP of the host. The service name/container name points to an internal IP address in a Docker network.
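Added here as an example, not a script from either poster: a rule set that keeps the INPUT DROP policy from the first post but accepts, per published port, the bridge traffic that policy was dropping, which covers both the MySQL case and the MongoDB replica case. It assumes a default docker0 bridge with the userland proxy enabled (a container connecting to the host's own LAN IP on a published port is then handed to docker-proxy on the host and traverses INPUT), the eno1 interface and 192.168.0.100 admin host from the thread, and MongoDB's default port 27017, which the thread does not state.

```shell
#!/bin/sh
# Added example, not the poster's script: keep the INPUT DROP policy and accept
# only the container-originated traffic that the policy was dropping.
# Assumption: default Docker bridge setup (bridge "docker0", userland proxy on).
# There, a container connecting to the host's own LAN IP on a published port is
# not DNAT'd back into the bridge; docker-proxy on the host receives it, so the
# packet arrives on docker0 in the INPUT chain and the DROP policy discards it.
IPT="${IPT:-iptables}"              # set IPT=echo to print rules instead of applying
DOCKER_BR="${DOCKER_BR:-docker0}"   # user-defined networks use a br-<id> bridge instead
LAN_IF="eno1"                       # LAN-facing interface, from the thread
ADMIN_IP="192.168.0.100"            # host allowed to reach SSH and MySQL, from the thread
# Published ports containers reach via the host IP: 3306 from the thread;
# 27017 is MongoDB's default port and is an assumption for the replica case.
BRIDGE_PORTS="${BRIDGE_PORTS:-3306 27017}"

apply_rules() {
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -p icmp -j ACCEPT
    "$IPT" -A INPUT -p tcp -s "$ADMIN_IP" --dport 22 -j ACCEPT

    # The missing piece: let containers reach the published ports on the host
    # itself, one rule per port, instead of opening all of INPUT for the bridge.
    for port in $BRIDGE_PORTS; do
        "$IPT" -A INPUT -i "$DOCKER_BR" -p tcp --dport "$port" -j ACCEPT
    done

    # Forwarded traffic to containers is filtered in DOCKER-USER, as in the
    # thread. -I prepends, so the last inserted rule is evaluated first.
    "$IPT" -I DOCKER-USER -i "$LAN_IF" -p tcp --dport 3306 -j DROP
    "$IPT" -I DOCKER-USER -p tcp -s "$ADMIN_IP" --dport 3306 -j ACCEPT
    "$IPT" -I DOCKER-USER -p tcp --dport 80 -j ACCEPT
}

# Print the rules that would be applied, without touching the firewall.
dry_run() { ( IPT=echo; apply_rules ); }

# Run as root with APPLY=1 to install the rules; otherwise only print them.
if [ "${APPLY:-0}" = "1" ]; then apply_rules; else dry_run; fi
```

Check the bridge name with `ip link` first: a Compose project on a user-defined network gets a br-<id> bridge, and the per-port INPUT rules must name that interface, not docker0.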