Docker private IPs are leaking on external network
Docker Version 19.03.12 on Ubuntu 18.04.5 LTS (and also seen on previous version)
We have the problem that network packets are sent to the external network with Docker's internal IPs (e.g. 172.19.0.3), and our company firewall is not happy with this :-(
```
14:53:39.328794 IP 192.168.15.103.8080 > 192.168.30.137.59261: Flags [P.], seq 1:75, ack 56, win 501, length 74: HTTP: HTTP/1.1 408 Request Time-out
14:53:39.328841 IP 192.168.15.103.8080 > 192.168.30.137.59261: Flags [P.], seq 75:77, ack 56, win 501, length 2: HTTP
14:53:39.328878 IP 192.168.15.103.8080 > 192.168.30.137.59261: Flags [F.], seq 77, ack 56, win 501, length 0
14:53:39.328915 IP 192.168.15.103.8080 > 192.168.30.137.59261: Flags [R.], seq 78, ack 56, win 501, length 0
14:53:39.348180 IP 192.168.30.137.59261 > 192.168.15.103.8080: Flags [.], ack 77, win 1026, length 0
14:53:39.348267 IP 192.168.30.137.59261 > 192.168.15.103.8080: Flags [.], ack 78, win 1026, length 0
14:53:39.348316 IP 172.19.0.3.8080 > 192.168.30.137.59261: Flags [R], seq 3707268877, win 0, length 0 <<<<<<<<<
14:53:39.348333 IP 192.168.15.103.8080 > 192.168.30.137.59261: Flags [R], seq 3707268878, win 0, length 0
```
coming from our proxyserver_default network:
```
# docker network inspect proxyserver_default
```

```json
[
    {
        "Name": "proxyserver_default",
        "Id": "59e5a86bb11b3af60e7345fad3105dfdaca86435a628c3f5d54a953c0d404493",
        "Created": "2020-08-31T15:14:07.688924924Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.19.0.0/16",
                    "Gateway": "172.19.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "2154be1d1fc547466ced01ebdb817893688539ce41f4c51191dd7f83d4628c1e": {
                "Name": "proxyserver_clamavd_1",
                "EndpointID": "f2185be227934bf65784a114354b9a77b1c8ee7c80739855eff990e85cd6fa40",
                "MacAddress": "02:42:ac:13:00:02",
                "IPv4Address": "172.19.0.2/16",
                "IPv6Address": ""
            },
            "4b564439c5bcc46234b61553b66f6131306c870071792321b308189d24f0876d": {
                "Name": "proxyserver_dnscache_1",
                "EndpointID": "071ac91b019ec23255b2364fc5ae2c42355bd3c423ad55b93b322f43d85f0bd2",
                "MacAddress": "02:42:ac:13:00:04",
                "IPv4Address": "172.19.0.4/16",
                "IPv6Address": ""
            },
            "4e165658fd5d2ca4f8f0c402d0025b390fadda454255aafc8b5af9ec1e057a4a": {
                "Name": "proxyserver_e2guardian_1",
                "EndpointID": "e48934b9ccca641af7d44760eac76abf9582faff9886c70c83e64a5cf543009b",
                "MacAddress": "02:42:ac:13:00:03",
                "IPv4Address": "172.19.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.network": "default",
            "com.docker.compose.project": "proxyserver",
            "com.docker.compose.version": "1.26.2"
        }
    }
]
```
Anybody seen this too?
How could we prevent this?
Solution 1:
Drop invalid packets in the docker forward chain
Example with firewalld:

```
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 50 -m conntrack --ctstate INVALID -j DROP
firewall-cmd --reload
```
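The firewalld rule above drops what conntrack classifies as INVALID, which is the state of the stray RST in the capture; a defender will also want a way to confirm the symptom before and after the rule is in place. The script below is an added example, not code from the question or the answer: it reads `docker network inspect` output to learn which subnets are Docker-internal, then scans `tcpdump` text lines taken on the external interface and reports every packet whose source address falls inside one of those subnets. The embedded capture lines and the trimmed inspect JSON are constructed samples modelled on the ones in the question; the interface name used in the usage note is an assumption.

```python
import ipaddress
import json
import re
import sys

# Constructed sample: three tcpdump lines modelled on the capture in the question.
# Only the second one carries a Docker-internal source address (172.19.0.3).
SAMPLE_CAPTURE = """\
14:53:39.348267 IP 192.168.30.137.59261 > 192.168.15.103.8080: Flags [.], ack 78, win 1026, length 0
14:53:39.348316 IP 172.19.0.3.8080 > 192.168.30.137.59261: Flags [R], seq 3707268877, win 0, length 0
14:53:39.348333 IP 192.168.15.103.8080 > 192.168.30.137.59261: Flags [R], seq 3707268878, win 0, length 0
"""

# Constructed sample: `docker network inspect` output trimmed to the fields this check needs,
# with the same subnet as the proxyserver_default network in the question.
SAMPLE_INSPECT = json.dumps([{
    "Name": "proxyserver_default",
    "Driver": "bridge",
    "IPAM": {"Config": [{"Subnet": "172.19.0.0/16", "Gateway": "172.19.0.1"}]},
}])

# Matches the default `tcpdump -n` line format for IPv4 TCP:
# <ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def docker_subnets(inspect_json):
    """Return [(network_name, IPv4Network), ...] from `docker network inspect` JSON.

    `docker network inspect` accepts several network names at once and returns a
    list, so this handles any number of networks and skips IPv6 IPAM entries.
    """
    subnets = []
    for net in json.loads(inspect_json):
        for cfg in net.get("IPAM", {}).get("Config") or []:
            subnet = ipaddress.ip_network(cfg["Subnet"])
            if subnet.version == 4:
                subnets.append((net["Name"], subnet))
    return subnets


def find_leaks(capture_text, subnets):
    """Return (timestamp, src, dst, flags, network_name) for every packet in the
    tcpdump text whose source address lies inside a Docker-internal subnet.

    Seen on the external interface, such a packet left the host without the
    source NAT that the container's traffic normally gets.
    """
    leaks = []
    for line in capture_text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue  # non-TCP, IPv6 or otherwise unparsed line
        src = ipaddress.ip_address(m["src"])
        for name, subnet in subnets:
            if src in subnet:
                leaks.append((m["ts"], str(src), m["dst"], m["flags"], name))
                break
    return leaks


if __name__ == "__main__":
    # With no arguments, run against the constructed samples; otherwise read the
    # inspect JSON from the file named in argv[1] and capture lines from stdin.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            subnets = docker_subnets(fh.read())
        capture = sys.stdin.read()
    else:
        subnets = docker_subnets(SAMPLE_INSPECT)
        capture = SAMPLE_CAPTURE
    for ts, src, dst, flags, name in find_leaks(capture, subnets):
        print(f"{ts} leaked {src} -> {dst} flags=[{flags}] network={name}")
```

Against the samples the script reports exactly one packet, the `[R]` from 172.19.0.3. On the affected host the same check can be run live (interface name assumed): `docker network inspect proxyserver_default > nets.json; tcpdump -nl -i eth0 tcp | python3 leak_check.py nets.json`. Once the INVALID-drop rule in the DOCKER-USER chain is active, the leaked RSTs should no longer appear in the output.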
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | xbb |