How to prevent remote access in iptables
I have iptables set up with docker-compose but my whitelisting of only the ip addresses I want doesn't seem to be working as the server is still getting remote access attempts:
Connection matched pg_hba.conf line 95: "host all all all md5"
2021-09-01 21:36:42.132 UTC [8821] FATAL: password authentication failed for user "postgres"
2021-09-01 21:36:42.132 UTC [8821] DETAIL: Role "postgres" does not exist.
How can I fix my iptables to be setup correctly? What have I done wrong here?
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s xxx.xxx.xx.xx/xx -p tcp -m tcp --dport 5432 -j ACCEPT (where x is removed ip addresses)
-A INPUT -s xxx.xxx.xx.xx/xx -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-1de8a78b46b8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-1de8a78b46b8 -j DOCKER
-A FORWARD -i br-1de8a78b46b8 ! -o br-1de8a78b46b8 -j ACCEPT
-A FORWARD -i br-1de8a78b46b8 -o br-1de8a78b46b8 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -m iprange --src-range 82.208.14.110-82.208.14.119 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER -d 172.18.0.2/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 2368 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 5900 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 4444 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 9300 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 9200 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-1de8a78b46b8 ! -o br-1de8a78b46b8 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-1de8a78b46b8 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
EDIT:
Here is my docker-compose config:
postgres:
image: "postgres:12.1"
env_file:
- '.env'
ports:
- '5432:5432' # removed 127.0.0.1: - adding firewalls in iptables
restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
volumes:
- postgres:/var/lib/postgresql/data
- /opt/ghost_postgres:/var/lib/postgres
networks:
- esnet
redis:
image: redis:5.0.6-alpine
command: redis-server --requirepass "${REDIS_PASS}"
restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
ports:
- '6379:6379'
volumes:
- redis:/var/lib/redis/data
networks:
- esnet
prosebit:
build:
context: "."
args:
- "FLASK_ENV=${FLASK_ENV:-production}"
- "NODE_ENV=${NODE_ENV:-production}"
depends_on:
- "postgres"
- "redis"
env_file:
- ".env"
ports:
- "${DOCKER_WEB_PORT:-127.0.0.1:8000}:8000"
restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
volumes:
- "${DOCKER_WEB_VOLUME:-./public:/app/public}"
networks:
- esnet
web:
depends_on:
- prosebit
restart: always
build:
context: ../nginx #added /deploy for development, remove for production
dockerfile: Dockerfile
volumes:
...
ports:
- 80:80
- 443:443
networks:
- "esnet"
celery:
build:
context: "."
args:
- "FLASK_ENV=${FLASK_ENV:-production}"
- "NODE_ENV=${NODE_ENV:-production}"
command: celery worker -B -l info -A
env_file:
- '.env'
depends_on:
- "postgres"
- "redis"
env_file:
- ".env"
restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
volumes:
- "${DOCKER_WEB_VOLUME:-./public:/app/public}"
networks:
- "esnet"
Solution 1:
Docker opens the port in the firewall itself, because your docker-compose.yml explicitly requests the port 5432 to be exposed to the world.
ports:
- '5432:5432' # removed 127.0.0.1: - adding firewalls in iptables
It's not clear why this is here at all, in any form. Remember that services in the same network can always access each other and do not need ports specified. Only specify ports to allow access from outside.
PS: You've also exposed your redis container to the world, which is probably also not what you want.