Docker
Arsen Abakarov, 2016-09-03 17:07:05

Docker, open container port with host internal ip?

There is PostgreSQL in a container on a VDS; a port is forwarded from the container to the host machine, it glows like a Christmas tree and is reachable at an external address. Yesterday I set up OpenVPN there and I want to reach the DBMS through the tunnel, but I don't know how to bind the DBMS port to the tunnel interface.
I tried approaching it from the other side and simply wanted to forbid connections from outside, so I created a rule in the INPUT chain in iptables:
1 0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432
but the port is still open; at the same time there are these Docker rules:
1 10 544 ACCEPT tcp -- !br-10aff2577af0 br-10aff2577af0 0.0.0.0/0 172.18.0.2 tcp dpt:5432
When I try to telnet to the external IP on port 5432, the packets match this rule.
What's the best way to sort this out?


2 answer(s)
Tyranron, 2016-09-03
@Tyranron

If you don't have network=host specified for the container, then the traffic goes through the FORWARD chain.
Try to close it off there. The official docs are also useful for understanding "what's going on?". As far as I understand from what you described, the interface in the ACCEPT rule is just the Docker network interface, and the IP is your container's IP on that network. If I'm not mistaken, you took this rule not from the table (where packet filtering should be done) but from the table (where it is indicated which packet should go where), and it just routes packets (even from localhost) to port 5432 of your container. But without seeing the full picture, it's quite possible that my assumption is wrong.

Pavel, 2016-09-03
@pvlg

As an option, don't forward the port to the host machine but connect via the container's IP, having first written EXPOSE 5432 in the Dockerfile.
I'm not familiar with OpenVPN, but I think you can somehow bind only the container's IP.
Or the option I use myself: just forward an ssh tunnel, only specify the container IP as the local host IP:
ssh -f -N -R 5432:container_ip:5432 [email protected]
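As an added example (not code from the question or from either answer), the POSIX shell script below ties the question and the two answers together from the defender's side. Its comments explain why the INPUT DROP never sees the packets: Docker implements a published port as a DNAT rule in the nat table, so the packet is rewritten to the container address and goes through FORWARD, which is what the first answer points at. The script then audits iptables output for ports published on every address and prints two fixes for each hit: republishing with -p VPN_IP:5432:5432 so the DNAT only matches the tunnel address, or a DROP rule in the DOCKER-USER chain, the hook Docker consults ahead of its own FORWARD rules (it exists in Docker releases newer than this thread, so assume a current daemon). The sample iptables output is constructed from the bridge and container values in the question; the VPN address 10.8.0.1, the interface name eth0 and the second container 172.18.0.3 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the question or either answer. It assumes the
# bridge/container values quoted in the question (br-10aff2577af0, 172.18.0.2),
# a hypothetical OpenVPN server address 10.8.0.1, the public interface eth0 and
# a Docker version that provides the DOCKER-USER chain.
#
# Why an INPUT DROP does not close the port: Docker implements `-p 5432:5432`
# as a DNAT rule in the nat table, so a packet for eth0:5432 is rewritten to
# 172.18.0.2:5432 and traverses FORWARD (where Docker's ACCEPT lives), never
# INPUT. Two defensive fixes follow: publish only on the VPN address, or put a
# rule in DOCKER-USER, which Docker evaluates before its own FORWARD rules.

# Constructed sample of `iptables -t nat -L DOCKER -n` output: one port
# published on every address and one restricted to the VPN address.
SAMPLE_NAT_DOCKER='Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5432 to:172.18.0.2:5432
DNAT       tcp  --  0.0.0.0/0            10.8.0.1             tcp dpt:6379 to:172.18.0.3:6379'

# Audit: read nat DOCKER rules on stdin and print "hostport -> container:port"
# for every DNAT whose destination is 0.0.0.0/0, i.e. reachable via any
# address of the host, the public one included.
wide_open_dnat() {
    awk '$1 == "DNAT" && $5 == "0.0.0.0/0" {
        port = ""; dest = ""
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^dpt:/) port = substr($i, 5)
            if ($i ~ /^to:/)  dest = substr($i, 4)
        }
        print port " -> " dest
    }'
}

# Fix 1: the docker run flag that binds the published port to one address,
# so Docker's DNAT rule only matches packets addressed to that IP.
#   docker_publish_arg BIND_IP HOST_PORT CONTAINER_PORT
docker_publish_arg() {
    printf -- '-p %s:%s:%s\n' "$1" "$2" "$3"
}

# Fix 2: a DOCKER-USER rule (printed, not executed) that drops traffic entering
# on the public interface for an already-published container port. DNAT has
# happened before FORWARD, so the packet carries the container address.
#   docker_user_drop_rule EXT_IF CONTAINER_IP CONTAINER_PORT
docker_user_drop_rule() {
    printf 'iptables -I DOCKER-USER -i %s -p tcp -d %s --dport %s -j DROP\n' "$1" "$2" "$3"
}

# Stand-alone run: audit the sample, then show both remediations for each hit.
printf '%s\n' "$SAMPLE_NAT_DOCKER" | wide_open_dnat | while read -r hport arrow target; do
    cip=${target%:*}; cport=${target#*:}
    echo "exposed on all addresses: $hport -> $target"
    echo "  republish with: docker run $(docker_publish_arg 10.8.0.1 "$hport" "$cport") ..."
    echo "  or block now:   $(docker_user_drop_rule eth0 "$cip" "$cport")"
done
```

On a real host, replace the sample with the live output of iptables -t nat -L DOCKER -n; the audit reports only the PostgreSQL port, because the second rule is already bound to the VPN address. The DOCKER-USER rule is the quicker fix for a running container, while republishing with -p 10.8.0.1:5432:5432 is the durable one, since Docker regenerates its own chains on restart but leaves DOCKER-USER alone.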
