Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Star 31 You must be signed in to star a gist
  • Fork 3 You must be signed in to fork a gist
  • Save guns/1dc1742dce690eb560a3a2d7581a9632 to your computer and use it in GitHub Desktop.
Save guns/1dc1742dce690eb560a3a2d7581a9632 to your computer and use it in GitHub Desktop.
From self[at] Mon Nov 8 16:59:48 2021
Date: Mon, 8 Nov 2021 16:59:48 -0600
From: Sung Pae <self[at]>
Subject: Permissive forwarding rule leads to unintentional exposure of
containers to external hosts
Message-ID: <YYmr4l1isfH9VQCn@SHANGRILA>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature"; boundary="QR1yLfEBO/zgxYVA"
Content-Disposition: inline
X-PGP-Key: fp="4BC7 2AA6 B1AE 2B5A C7F7 ADCF 9D1A A266 D2BC 9C2D"
X-TUID: Avm8Mn+0Qq5s
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
The documentation for "docker run --publish" states:
> Note that ports which are not bound to the host (i.e., -p 80:80 instead of
> -p will be accessible from the outside. This also applies
> if you configured UFW to block this specific port, as Docker manages his own
> iptables rules.
The statement above is accurate, but terribly misleading, since traffic
to the container's published ports from external hosts will still be
forwarded due to an explicit forwarding rule added to the DOCKER chain:
# iptables -nvL DOCKER
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !docker0 docker0 tcp dpt:80
An attacker that sends traffic to *through* the docker
host will match the rule above and successfully connect to the
container, obviating any security benefit of binding the published port
on the host to
What's worse, users who bind their published ports to operate
under a false sense of security and may not bother taking further
precautions against unintentional exposure.
## Proof of Concept
Here is a simple proof of concept:
1. [VICTIM] Start a postgres container and publish its main port to on the host.
victim@ docker run -e POSTGRES_PASSWORD=password -p postgres
2. [ATTACKER] Route all packets destined for through the
victim's machine.
attacker@ ip route add via
3. [ATTACKER] Discover open ports on the victim's internal docker networks.
attacker@ nmap -p5432 -Pn --open
Starting Nmap 7.92 ( ) at 2021-11-05 15:00 CDT
Nmap scan report for
Host is up (0.00047s latency).
5432/tcp open postgresql
4. [ATTACKER] Connect to the victim's container.
attacker@ psql -h -U postgres
Password for user postgres:
## Scope of Exposure
Port publishing in docker and docker-compose is a popular way to expose
applications and databases to developers in a cross-platform development
Web searches for the pitfalls of "--publish", as well as discussions
with other developers, suggest that Docker users who are aware of the
security implications of port publishing also believe that specifying an
IP address to bind on the host will effectively constrain access to the
service they are attempting to share. This is a reasonable conclusion
that can be drawn from the documentation, but the reality is that simply
publishing a port exposes a container to external machines regardless of
the IP address bound on the host.
Github contains tens of thousands of projects that publish container
ports to "":
* And many more!
Here is a sampling of commit messages that specifically mention the
security rationale behind publishing to "":
> Forward the "db" service's port to the host's loopback interface, so
> that a developer could choose to use docker-compose only for a container
> to run the database while running all the Ruby processes on their host
> computer. "" was chosen over "5432:5432" so that the
> PostgreSQL would not be available to all other computers on the host
> computer's network (say, a coffee shop wifi).
> [SECURITY] Limit port export to localhost
> It's prevents leak private developed projects vie Eth & Wi-Fi interfaces.
> You now must use `localhost` host or use host mapped directly to
> Docker Security: Port mapping and default security options
> Changes:
> 1) Provide secuiry options in docker-compose file related to selinux and resticted privilages
> 2) Set HOST_IP as Environment Variable in Compose startup
> 2) Bind all ports to either or Host IP
## Mitigation
While the unintentional exposure of published container ports can be
mitigated by constraining access to containers in the DOCKER-USER chain,
my observation is that most Linux users do not know how to configure
their firewalls and have not added any rules to DOCKER-USER. The few
users that do know how to configure their firewalls are likely to be
unpleasantly surprised that their existing FORWARD rules have been
preceded by Docker's own forwarding setup.
In light of this, an effective mitigation should:
1. Restrict the source addresses and/or interfaces that are allowed to
communicate with the published container port.
For example, "docker run -p" creates the
following rule in the DOCKER chain:
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !docker0 docker0 tcp dpt:5432
It should, however, restrict the source ip address range to and the in-interface to the loopback interface:
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- lo docker0 tcp dpt:5432
The values of "" and "lo" can be retrieved from the
interface on which is defined. For instance, if a machine
has an IP address of on a /24 network on eth0 and the
user runs "docker run -p", we would expect to
see the following:
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth0 docker0 tcp dpt:5432
2. Default to "" when a bind address is not supplied to "--publish".
This is a breaking change, but it should have been the default from
the beginning.
## Conclusion
Docker port publishing is an *extremely* popular feature, and at
present, virtually all users that use containers with published ports
are exposed to attackers that have noticed the oversight outlined in
this email.
I have not noticed any discussion online of attackers using custom
routes to gain access to containers, but it is an obvious attack, and
perhaps unfortunately, I posted a comment about this vulnerability in a
related Github issue:
Thank you for your attention to this.
Sung Pae
Content-Type: application/pgp-signature; name="signature.asc"
Copy link

pier4r commented Jun 24, 2022


The trouble here is that even if you start with an empty FORWARD chain with the policy set to DROP (i.e. block all forwarding attempts in either direction), dockerd inserts its own rules into the FORWARD chain that explicitly allow external machines to access your containers. This behavior is dangerous because it defeats a previously secure firewall setup.

Ok, then I'll need to test this. I can see it can happen but if I am not mistaken the docker added rules don't come early enough, I'll have to check.

Copy link

peterwwillis commented Jun 24, 2022

The problem is that approximately dozens of users worldwide know that this is necessary when using --publish A default behavior that violates assumptions about binding to and undermines secure firewalls is an issue that requires fixing even if can be mitigated by the user.

I agree. I consider myself to be an advanced user and even I didn't think docker would expose services that I'd assume were bound to the lo interface, but are actually accessible remotely by default. And it's insidious because if you just portscan your machine you wouldn't see it either.

I might try to open a PR for their documentation page on iptables to clarify the behavior and a stopgap fix

Copy link

-A DOCKER-USER -o br-+    -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment DOCKER-inbound  -j RETURN
 -A DOCKER-USER -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment DOCKER-inbound  -j RETURN
-A DOCKER-USER -i br-+                                               -m comment --comment DOCKER-outbound -j RETURN
-A DOCKER-USER -i docker0                                            -m comment --comment DOCKER-outbound -j RETURN
-A DOCKER-USER                                                                                            -j REJECT

Is that enough? Could an attacker on the local network mess up with conntrack (sending forged SYN, SYN+ACK, ACK)? Is it not necessary to add something like:

iptables -t raw -A PREROUTING -m rpfilter --invert -j DROP

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment