Sender | Message | Time |
---|---|---|
25 Apr 2023 | ||
deco | so all the firewalls are actually disabled.. I don't think iptables plays a role here | 16:32:52 |
deco | [root@facebook-logstash:/var/containers/syslog-ng]# systemctl status firewalld.service ○ firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: inactive (dead) Docs: man:firewalld(1) | 16:32:53 |
deco | I don't have anything filtering in the container itself | 16:33:41 |
deco | either | 16:33:43 |
deco | [root@facebook-logstash:/var/containers/syslog-ng]# [root@facebook-logstash:/var/containers/syslog-ng]# podman exec -it containers_syslog-ng_1 bash root@4240d758fa79:/# root@4240d758fa79:/# root@4240d758fa79:/# ipc ipcmk ipcrm ipcs root@4240d758fa79:/# ipc ipcmk ipcrm ipcs root@4240d758fa79:/# ipc | 16:33:43 |
deco | would you recommend removing this container from the docker compose and run as standalone | 16:34:08 |
deco | ? | 16:34:09 |
bazsi77 | no. | 16:34:14 |
bazsi77 | on the host, what does "iptables -Lvnx" display? | 16:34:24 |
bazsi77 | sorry, it's iptables -L -vnx | 16:34:52 |
bazsi77 | iptables can be populated outside of firewalld as well. | 16:35:08 |
bazsi77 | or, you don't have access to the host? | 16:36:03 |
deco | i do | 16:44:17 |
deco | oh | 16:44:34 |
deco | [root@facebook-logstash:/var/containers/syslog-ng]# iptables -L -vnx Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 17251 1298716 NETAVARK_FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0 /* netavark firewall plugin rules */ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain NETAVARK_FORWARD (1 references) pkts bytes target prot opt in out source destination 6124 380057 ACCEPT all -- * * 0.0.0.0/0 10.89.1.0/24 ctstate RELATED,ESTABLISHED 6239 473718 ACCEPT all -- * * 10.89.1.0/24 0.0.0.0/0 [root@facebook-logstash:/var/containers/syslog-ng]# | 16:44:35 |
bazsi77 | iptables seems to require root access even for listing the ruleset, but I am sure it's not empty | 16:44:39 |
deco | you are right.. this is what I have | 16:44:55 |
deco | let me check how I stop iptables | 16:45:05 |
bazsi77 | ok, but this should not be a limit. there's nothing preventing input on port 514 in this ruleset. | 16:45:22 |
deco | btw, the syslog packets are coming as v6 packets.. | 16:45:24 |
bazsi77 | ah, ip6tables then. | 16:45:34 |
deco | [root@facebook-logstash:/var/containers/syslog-ng]# ip6tables -L -vnx Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 9005 1862568 NETAVARK_FORWARD all * * ::/0 ::/0 /* netavark firewall plugin rules */ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain NETAVARK_FORWARD (1 references) pkts bytes target prot opt in out source destination 3219 1049161 ACCEPT all * * ::/0 2001:10:8:70::/64 ctstate RELATED,ESTABLISHED 3730 385992 ACCEPT all * * 2001:10:8:70::/64 ::/0 [root@facebook-logstash:/var/containers/syslog-ng]# | 16:46:01 |
bazsi77 | so, your INPUT is empty, but FORWARD is not. | 16:46:33 |
bazsi77 | It might happen that podman based containers will actually use the forwarding path. The container is in a separate network namespace, so it needs to receive packets somehow. | 16:47:10 |
deco | hmmm. | 16:47:27 |
bazsi77 | If I look at your NETAVARK_FORWARD chain, it seems to allow outgoing connections only. | 16:47:34 |
bazsi77 | no | 16:47:38 |
bazsi77 | stupid me. there's no DENY rule. | 16:47:49 |
deco | right | 16:47:53 |
deco | you are not stupid 🙂 | 16:47:59 |