
I'm trying to get just ports 80, 443 and SSH open on my Ubuntu VM. I'm running Docker, which I think is what is causing ports 21 and 5222 to be visible.

telnet HOST 21
Trying HOST...
Connected to HOST.
Escape character is '^]'.

sudo iptables --list --line-numbers -v

Chain INPUT (policy DROP 23 packets, 1878 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     2013  350K ACCEPT     all  --  lo     any     anywhere             anywhere            
2     1063  614K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
3        0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
4        1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
5       28  1644 ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https ctstate NEW,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DOCKER-USER  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 43 packets, 3082 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     2013  350K ACCEPT     all  --  any    lo      anywhere             anywhere            
2      816  236K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate ESTABLISHED
3        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:ssh ctstate ESTABLISHED
4        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https ctstate ESTABLISHED

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 RETURN     all  --  any    any     anywhere             anywhere            

sudo iptables-save

# Generated by iptables-save v1.6.1 on Sun Mar  3 05:57:34 2019
*nat
:PREROUTING ACCEPT [286:14463]
:INPUT ACCEPT [29:1704]
:OUTPUT ACCEPT [273:16843]
:POSTROUTING ACCEPT [273:16843]
:DOCKER - [0:0]
COMMIT
# Completed on Sun Mar  3 05:57:34 2019
# Generated by iptables-save v1.6.1 on Sun Mar  3 05:57:34 2019
*filter
:INPUT DROP [23:1878]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [43:3082]
:DOCKER-USER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -j DOCKER-USER
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Mar  3 05:57:34 2019
# Generated by iptables-save v1.6.1 on Sun Mar  3 05:57:34 2019
*mangle
:PREROUTING ACCEPT [3829:1086443]
:INPUT ACCEPT [3617:1077407]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3380:702245]
:POSTROUTING ACCEPT [3380:702245]
COMMIT
# Completed on Sun Mar  3 05:57:34 2019

I've disabled the docker service on startup and disabled it from modifying iptables (but it still inserts DOCKER-USER).

Why can I still telnet to port 21 and 5222?

twiz911

2 Answers


As stated by Docker's web site:

If you need to add rules which load before Docker’s rules, add them to the DOCKER-USER chain. These rules are loaded before any rules Docker creates automatically.

By default, all external source IPs are allowed to connect to the Docker daemon.

So those rules you wrote must be added to the DOCKER-USER chain and not INPUT, as INPUT will filter traffic going to the host and not to the Docker daemon.
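As an added example of what "put your rules in DOCKER-USER" looks like in practice (this is not code from the answer above or from Docker's documentation), the script below emits, and optionally applies, DOCKER-USER rules that let only the listed published container ports through the external interface and drop every other forwarded packet arriving on it. The interface name and port list are assumed to be passed as arguments. The rules use `-I` deliberately: Docker's own last rule in the chain is `-A DOCKER-USER -j RETURN`, so anything appended with `-A` would sit behind that RETURN and never be evaluated. Inserting at the top reverses the order, which is why the rule that must be evaluated first is emitted last. Note that these rules only matter while Docker manages the FORWARD chain; with its iptables handling disabled, as in the question, published ports are not forwarded at all.

```shell
#!/bin/sh
# Added example, not code from the answer or from Docker: emit (and optionally
# apply) DOCKER-USER rules so that only the listed published container ports
# are reachable through the external interface. Assumptions, constructed for
# the example: the interface name and the port list are passed as arguments.
set -eu

# build_docker_user_rules IFACE PORTS
# Prints one iptables command per line, in the order they must be RUN.
# Each uses -I (insert at the top) because Docker's own last rule is
# "-A DOCKER-USER -j RETURN"; a rule appended with -A would sit after that
# RETURN and never be evaluated. Inserting reverses the order, so the rule
# that must be evaluated FIRST is emitted LAST.
build_docker_user_rules() {
    iface=$1
    ports=$2
    # Evaluated last: any other forwarded packet from the outside is dropped.
    echo "iptables -I DOCKER-USER -i $iface -j DROP"
    # Evaluated second: new TCP connections to the allowed published ports
    # go back to FORWARD (RETURN) and let Docker's own chains decide.
    echo "iptables -I DOCKER-USER -i $iface -p tcp -m conntrack --ctstate NEW -m multiport --dports $ports -j RETURN"
    # Evaluated first: replies to connections containers opened themselves,
    # and packets of sessions already accepted, pass through.
    echo "iptables -I DOCKER-USER -i $iface -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
}

# evaluation_order IFACE PORTS
# The same rules in the order the kernel will evaluate them once applied
# (Docker's trailing "-j RETURN" is not shown).
evaluation_order() {
    build_docker_user_rules "$1" "$2" | sed '1!G;h;$!d'
}

# apply_docker_user_rules IFACE PORTS (needs root and iptables)
apply_docker_user_rules() {
    iptables -N DOCKER-USER 2>/dev/null || true   # normally created by Docker
    build_docker_user_rules "$1" "$2" | while read -r cmd; do
        $cmd
    done
    iptables -S DOCKER-USER   # verify the final order
}

case "${1:-}" in
    --apply) apply_docker_user_rules "${2:?interface}" "${3:?ports}" ;;
    --order) evaluation_order "${2:?interface}" "${3:?ports}" ;;
    "") ;;                                # no arguments: library mode
    *)       build_docker_user_rules "$1" "${2:?ports}" ;;
esac
```

Run `sh lockdown.sh eth0 80,443` to see the commands without touching the firewall, `sh lockdown.sh --order eth0 80,443` to see them in evaluation order, and `sudo sh lockdown.sh --apply eth0 80,443` to apply them; `iptables -S DOCKER-USER` afterwards should show the ESTABLISHED rule first and Docker's RETURN last.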


According to your iptables rules, there is no way you can establish a session on port 21 but from your localhost.

About your FORWARD rules:

  • you just have one, which is jumping to DOCKER-USER.
  • DOCKER-USER is doing nothing, then returning to FORWARD.
  • FORWARD default policy is DROP.

You could start by checking whether some process is listening on port 21:

ss -antp | grep :21

Then, you could try to monitor the packets going through the rules:

watch iptables -L -n -v

And then, try again and see if the packet count of one of the rules is incrementing while you are telnetting again. According to your ruleset, you should see the DROP default INPUT policy counter increasing:

Chain INPUT (policy DROP 23 packets, 1878 bytes)

If another rule is matching, could you tell us?

If neither is, some stupid questions:

  • Are you sure you are hitting the right server?
  • Can you resolve the DNS from your host with dig or nslookup and see if it is the same as ip a on your server?
setenforce 1
  • `ss -antp | grep :21` returns nothing and `ss -antp | grep :5222` returns nothing. Watching iptables, I think only the drop count in `Chain INPUT (policy DROP 95404 packets, 7589K bytes)` was incremented when I telnetted, and telnet said connection established. However, after about 5 repeats and connections I can no longer telnet, getting stuck on `Trying HOST...` then timing out with `telnet: Unable to connect to remote host: Connection timed out`, so it seems the rule has just started working?... How is this possible? Yes, `dig` from both the remote server and my local host return the same IP address. – twiz911 Mar 09 '19 at 01:11
  • If the 2 ports aren't answering anymore, it will be hard to diagnose now. Although if you have the issue again: try to focus on who is answering instead of firewall rules. Does it answer if from the server you are doing `telnet localhost`? When you have an answer from the server on your computer, you should have `TRYING CONNECTED TO `. Is this IP the same again? It really looks like you have a NAT deviation on the way. – setenforce 1 Mar 11 '19 at 10:33
  • When I telnet from the box itself to itself on port 21, `telnet localhost 21 Trying 127.0.0.1... telnet: Unable to connect to remote host: Connection refused`. When I telnet from two different remote boxes and OSs, I get a connection (again) on port 21. However, when I tried on a Mac to the IP address, it resolved to `sl-reverse.com`, which is an IBM SoftLayer box. So it's IBM's infrastructure accepting the connection? – twiz911 Mar 12 '19 at 12:25
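The second answer's checklist (is anything listening locally, which iptables counter moves during the attempt, does the name you connect to resolve to an address this host actually owns) is easy to get wrong by eye, especially when counters are shown as "350K". The script below is an added example, not code from either answer or from the comment thread: it separates those three checks into functions. The counter comparison and the address check are pure text processing over `iptables -L ... -n -v -x --line-numbers` and `ip -4 -o addr` output, so they can be exercised on hand-written snapshots; the `ss`, `iptables`, `dig` and `ip` invocations are assumptions about tools present on the host and need root for the firewall and process details. The last check is the one that matters for the thread's outcome: a remote "Connected to HOST." together with a local "Connection refused" and an address that is not configured on the machine means something in front of the host answered, not the host.

```shell
#!/bin/sh
# Added example, not part of either answer: a diagnosis helper for the
# "remote telnet connects, but nothing listens and INPUT drops" situation in
# the question. It separates the three checks the second answer lists: is a
# local process listening, which iptables counter moves during the attempt,
# and does the name being connected to resolve to an address this host owns.
# Assumptions, constructed for the example: the sample snapshots and address
# listing used for testing are hand-written; chain, port and hostname are
# passed as arguments.
set -eu

# changed_counters BEFORE AFTER
# BEFORE and AFTER are files containing the output of
#   iptables -L CHAIN -n -v -x --line-numbers
# taken before and after the connection attempt. Prints the chain policy
# counter and every numbered rule whose packet count changed.
changed_counters() {
    awk '
        FNR == NR {                       # first file: remember counters
            if ($1 == "Chain")        before["policy"] = $5   # "Chain INPUT (policy DROP <pkts> packets, ..."
            else if ($1 ~ /^[0-9]+$/) before[$1] = $2         # "<num> <pkts> <bytes> <target> ..."
            next
        }
        $1 == "Chain" {                   # second file: report differences
            if (before["policy"] != $5) printf "policy %s -> %s\n", before["policy"], $5
            next
        }
        $1 ~ /^[0-9]+$/ && ($1 in before) && before[$1] != $2 {
            printf "rule %s: %s -> %s\n", $1, before[$1], $2
        }
    ' "$1" "$2"
}

# counter_change CHAIN SECONDS (needs root and iptables)
# Snapshot CHAIN, wait while the telnet is retried from outside, snapshot
# again and report what moved. Uses -x so counts are exact, not "350K".
counter_change() {
    b=$(mktemp); a=$(mktemp)
    iptables -L "$1" -n -v -x --line-numbers > "$b"
    sleep "$2"
    iptables -L "$1" -n -v -x --line-numbers > "$a"
    changed_counters "$b" "$a"
    rm -f "$b" "$a"
}

# port_listener PORT: sockets listening on PORT, with the owning process
# (needs ss; -p shows process names only when run as root).
port_listener() {
    ss -tnlp "( sport = :$1 )"
}

# is_local_address IP LISTING
# LISTING is the output of "ip -4 -o addr". Succeeds only when IP is
# configured on an interface of this host. A remote "Connected to HOST."
# while this fails means something in front of the host answered, not the host.
is_local_address() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        $3 == "inet" { split($4, a, "/"); if (a[1] == ip) found = 1 }
        END { exit found ? 0 : 1 }'
}

# resolves_locally NAME: resolve NAME and check it against the live address
# listing (needs dig and ip).
resolves_locally() {
    addr=$(dig +short "$1" | grep '^[0-9][0-9.]*$' | head -n 1)
    is_local_address "$addr" "$(ip -4 -o addr)"
}

case "${1:-}" in
    listener) port_listener "${2:?port}" ;;
    counters) counter_change "${2:-INPUT}" "${3:-20}" ;;
    resolves) resolves_locally "${2:?hostname}" ;;
    "") ;;                                # no arguments: library mode
    *) echo "usage: $0 listener PORT | counters [CHAIN] [SECONDS] | resolves NAME" >&2; exit 2 ;;
esac
```

Typical use on the server: `sudo sh diag.sh listener 21`, then `sudo sh diag.sh counters INPUT 20` while a colleague runs the telnet from outside, then `sh diag.sh resolves HOST && echo local || echo 'not an address of this host'`. An empty listener list, a policy-counter increment, and a "not local" result together point away from the host's own firewall and toward whatever sits in front of it.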