this post was submitted on 24 Jul 2024
43 points (100.0% liked)
Linux
48186 readers
1475 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
You should not have to open such a permissive rule. Like you've seen, docker will set firewall rules as needed if you have services that actually need to listen on the public interface.
If you've run that permissive input command on the VPS it's most likely not a good idea.
What exactly are you trying to do? If you're trying to use curl from inside a docker container that is not the correct way to achieve that. In fact you should not need to do anything like that, outside connections should be allowed (OUTPUT), and incoming collections (INPUT) should be allowed only if they're related to an already ongoing connection (look up the ESTABLISHED flag).
Any extra flag you can offer that would narrow things down would also be welcome. When you write firewall rules you should be as restrictive as possible. For example since this is curl you're probably going to connect to ports 80 and 443 so you can add --dport to restrict the ports to the OUTPUT rule. And you should specify the interface (in this case docker0) in almost all cases.
I only had to run this in my home server, behind my router which already has firewall to prevent outside traffic, so at least I'm a bit at ease for that.
In the VPS everything worked without having to manually modify iptables.
For some reason I wasn't being able to make a curl call to the internet inside docker.
I thought it could be DNS, but that was working properly trying
nslookup tailscale.com
The call to the same url wasn't working at all. I don't remember the exact details of the errors since the iptables modification fixed it.
AFAIK the only difference between the two setups was ufw enabled in the VPS, but not at home.
So I installed UFW at home and removed the rule from iptables and everything keeps working right now.
I didn't save the output of iptables before uwf, but right now there are almost 100 rules for it.
Oh, that's a good point!
I'll later try to replicate the issue and test this, since I don't understand why
OUTPUT
should be solved by anINPUT
rule.