
For a bit of context, I read about the DNS rebinding vulnerability, which allows attackers to potentially compromise services binding to local IP addresses (e.g. docker or 127.0.0.1) through a malicious or compromised website. Long story short, this attack requires an attacker to access the local web service with a hostname that he controls, which resolves to the local IP address. The best way (to my knowledge) to prevent this is to enforce using a correct hostname (that cannot be registered by an attacker) to access the services. I have a couple of local services running in docker. More info about the vulnerability here.

Therefore, I would like these local services to be only reachable through a reverse proxy using the correct hostname and HTTPS.

My current setup is to use a traefik container as the reverse proxy. This works, however, I have not found a way to isolate the container from my host system, i.e. I can still reach the containers outside of the reverse proxy by specifying the internal IP address. I have tried connecting them to an internal docker network, but this also breaks connectivity to the internet for the containers, which breaks functionality. I am running on a Linux (Ubuntu) client system, which I also use for browsing the web, hence the potential vulnerability.

Is there a way to isolate a docker network from the host system without breaking internet connectivity for the containers?

  • Please edit your question and provide your docker command / docker-compose.yaml. In general, using a reverse proxy alone does not solve the underlying problem - you need a complete solution with firewall rules, corresponding zones, ideally IDS/IPS on both your network and hosts. Commented Jun 8 at 9:43
  • Also, explain why you think this is a problem? E.g. what problem is cutting the host machine off solving, if you are going to use hostname-based proxying anyway? Commented Jun 9 at 7:10
  • I edited the question with a bit more explanation about the vulnerability and why I would like this setup. I do not think docker commands or docker compose files will really help, since I'm looking for a conceptual solution. Commented Jun 9 at 15:50

1 Answer


There is a way to isolate your Docker services from the host system while still allowing them outbound internet access, using a combination of custom Docker networking, firewall rules, and reverse proxy isolation.

  1. Use a Custom Docker Network for Internal Services

Create a user-defined bridge network, which gives you full control over service

    docker network create \
      --driver bridge \
      --subnet 172.25.0.0/16 \
      internal_net
  • Then, connect Traefik and your internal services to this network.
  • Do not publish service ports to the host using -p or ports in your Compose.

Use Docker's DNS-based service discovery for internal communication (http://myservice:port).

  2. Traefik as the Only Entry Point

Configure Traefik to be the only container with published ports:

    ports:
      - "443:443"
      - "80:80"

All other containers should only be on internal_net, with no ports exposed. Traefik will proxy HTTPS requests based on proper Host headers and TLS certs.

  3. Ensure DNS Rebinding Protection

Validate Host headers in Traefik routes (Host(`your-local.dev`)).

  4. Allow Outbound Access While Blocking Inbound

To keep outbound access working while blocking inbound connections from the host: containers can still make outbound connections via NAT, and by not publishing any ports and not using host networking, you prevent the host from connecting in.

  5. Advanced Isolation (Optional)

You can restrict access to Docker subnets from the host by adding iptables rules:

    sudo iptables -I DOCKER-USER -s 127.0.0.1 -d 172.25.0.0/16 -j DROP

Even if a malicious browser script tries to reach http://172.25.x.x, the connection is denied.

  • The IPTables rule is what makes this solution work the way I want it to. Without that, the host system can still connect to the containers. Thanks! Commented Jun 19 at 9:32
  • Did you test that iptables command? I think the DOCKER-USER chain is used in the FORWARD chain, while for local host I think you need the OUTPUT chain? Commented Jun 20 at 4:40
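The last comment has it right: DOCKER-USER hangs off the FORWARD chain, which packets generated on the host itself never traverse, and when the host talks to 172.25.0.0/16 its source address is the bridge gateway (172.25.0.1), not 127.0.0.1, so the rule in the answer matches nothing. The script below is an added example, not code from the answer or from Docker or Traefik: it puts the host-side block in OUTPUT, keeps an exception for the Traefik container (a host connection to 127.0.0.1:443 is relayed by docker-proxy, or DNATed, into a host-to-Traefik connection, which a blanket rule would also kill), matches new connections only so the containers' NAT-ed internet access keeps working, and uses DOCKER-USER only for traffic forwarded from other machines. The subnet, the fixed Traefik address 172.25.0.2 and the backend/site values passed to verify are assumptions; pin the Traefik address with --ip (or ipv4_address in Compose) so the exception survives restarts, and note that iptables rules are not persistent across reboots on their own and that an IPv6-enabled bridge needs the same rules in ip6tables.

```shell
#!/bin/sh
# Added example (not code from the answer above): keep the host out of the
# internal Docker bridge while leaving Traefik reachable and container
# outbound traffic intact. Host-originated packets go through OUTPUT, not
# FORWARD, so DOCKER-USER alone cannot block the host; it is used here only
# for traffic forwarded from other machines.
#
# Assumed values (hypothetical, change to match your setup):
#   SUBNET      subnet of the user-defined bridge (internal_net)
#   TRAEFIK_IP  fixed address of the Traefik container on that bridge
#               (pin it with --ip / ipv4_address so the exception holds)
# Usage:  sh isolate-docker-net.sh show                  # print the commands
#         sudo sh isolate-docker-net.sh apply
#         sh isolate-docker-net.sh verify 172.25.0.3:8080 https://app.local.test
set -eu

SUBNET="${SUBNET:-172.25.0.0/16}"
TRAEFIK_IP="${TRAEFIK_IP:-172.25.0.2}"

# Emit the rule set, one rule per line, in the order it should be inserted.
# Every rule matches --ctstate NEW only: replies to connections the
# containers opened themselves (their internet access via NAT) are
# ESTABLISHED and must keep flowing in both chains.
build_rules() {
    subnet="$1"; traefik="$2"
    # Host -> bridge: reject new connections to any container address.
    # REJECT rather than DROP so a rebinding attempt fails fast instead
    # of hanging until the browser times out.
    echo "-I OUTPUT -d $subnet -m conntrack --ctstate NEW -j REJECT"
    # ...except to Traefik's listeners. A host connection to 127.0.0.1:443
    # is relayed by docker-proxy (or DNATed) into a host -> $traefik:443
    # connection, so without this exception the proxy would be blocked too.
    # -I puts these in front of the REJECT inserted above.
    echo "-I OUTPUT -d $traefik -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-I OUTPUT -d $traefik -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    # Other machines -> bridge: this path does traverse FORWARD, and
    # DOCKER-USER is Docker's supported hook for it. Same shape: deny the
    # subnet, allow Traefik. Traffic staying inside the subnet is untouched.
    echo "-I DOCKER-USER -d $subnet ! -s $subnet -m conntrack --ctstate NEW -j DROP"
    echo "-I DOCKER-USER -d $traefik -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-I DOCKER-USER -d $traefik -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
}

# Number of rules build_rules emits for a given subnet/traefik pair.
rule_count() {
    build_rules "$1" "$2" | wc -l | tr -d ' '
}

# Insert each rule unless an identical one is already present (-C), so the
# script can be re-run (e.g. from a boot-time unit, since iptables rules are
# not persistent by themselves) without stacking duplicates.
apply_rules() {
    build_rules "$SUBNET" "$TRAEFIK_IP" | while IFS= read -r rule; do
        check=$(printf '%s\n' "$rule" | sed 's/^-I /-C /')
        # shellcheck disable=SC2086   # word splitting is intended here
        iptables $check 2>/dev/null || iptables $rule
    done
}

# Sanity check from the host: a backend must now be unreachable directly,
# while the hostname published through Traefik still answers.
verify() {
    backend="$1"    # e.g. 172.25.0.3:8080 (hypothetical backend address)
    site="$2"       # e.g. https://app.local.test (must resolve to 127.0.0.1)
    if curl -s --max-time 3 -o /dev/null "http://$backend/"; then
        echo "FAIL: host still reaches $backend directly"; return 1
    fi
    curl -sf --max-time 3 -o /dev/null "$site/" || { echo "FAIL: $site not answering"; return 1; }
    echo "OK: $backend blocked, $site reachable"
}

case "${1:-}" in
    show)   build_rules "$SUBNET" "$TRAEFIK_IP" | sed 's/^/iptables /' ;;
    apply)  apply_rules ;;
    verify) verify "${2:?backend host:port}" "${3:?site URL}" ;;
esac
```

Run `show` first and read the rules before `apply`; afterwards `iptables -S OUTPUT` and `iptables -S DOCKER-USER` should list the ACCEPT lines for the Traefik address above the REJECT/DROP. If Docker ever reassigns the Traefik container a different address, the exception silently stops matching and the host loses access to the proxy as well, which is why the address is pinned rather than discovered at run time.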
