Help with iptables - HA hosted on baremetal Debian 11 homebrew router -- exposed ports

YIKES!!

Docker is exposing local ports to my WAN interface.

Can anyone offer any tips (besides virtualization)? Running on an N5105 AliExpress wannabe pfSense box.

~$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9120 to:10.10.0.1:443
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
MASQUERADE  all  --  172.30.32.0/23       0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  tcp  --  172.30.32.6          172.30.32.6          tcp dpt:80
MASQUERADE  tcp  --  172.30.33.1          172.30.33.1          tcp dpt:1627
MASQUERADE  tcp  --  172.30.33.3          172.30.33.3          tcp dpt:8884
MASQUERADE  tcp  --  172.30.33.3          172.30.33.3          tcp dpt:8883
MASQUERADE  tcp  --  172.30.33.3          172.30.33.3          tcp dpt:1884
MASQUERADE  tcp  --  172.30.33.3          172.30.33.3          tcp dpt:1883
MASQUERADE  tcp  --  172.30.33.4          172.30.33.4          tcp dpt:443
MASQUERADE  tcp  --  172.30.33.6          172.30.33.6          tcp dpt:8485
MASQUERADE  tcp  --  172.30.33.0          172.30.33.0          tcp dpt:443
MASQUERADE  tcp  --  172.30.33.1          172.30.33.1          tcp dpt:8485
MASQUERADE  tcp  --  172.30.33.1          172.30.33.1          tcp dpt:8099
MASQUERADE  tcp  --  172.30.33.5          172.30.33.5          tcp dpt:1627

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:4357 to:172.30.32.6:80
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.30.33.0:443
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8485 to:172.30.33.1:8485
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8099 to:172.30.33.1:8099
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8884 to:172.30.33.3:8884
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8883 to:172.30.33.3:8883
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1627 to:172.30.33.5:1627
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1884 to:172.30.33.3:1884
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1883 to:172.30.33.3:1883

Chain DOCKER-USER (0 references)
target     prot opt source               destination  

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src
ACCEPT     all  --  127.0.0.0/8          127.0.0.0/8         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:33434:33523 reject-with icmp-port-unreachable
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9443
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            172.30.32.1          tcp dpt:9120
ACCEPT     tcp  --  0.0.0.0/0            172.30.32.1          tcp dpt:8444
ACCEPT     tcp  --  0.0.0.0/0            10.10.0.1            tcp dpt:443
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            172.30.32.6          tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            172.30.33.0          tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            172.30.33.1          tcp dpt:8485
ACCEPT     tcp  --  0.0.0.0/0            172.30.33.1          tcp dpt:8099
ACCEPT     tcp  --  0.0.0.0/0            172.30.33.3          tcp dpt:8884
ACCEPT     tcp  --  0.0.0.0/0            172.30.33.3          tcp dpt:8883
ACCEPT     tcp  --  0.0.0.0/0            172.30.33.5          tcp dpt:1627
ACCEPT     tcp  --  0.0.0.0/0            172.30.33.3          tcp dpt:1884
ACCEPT     tcp  --  0.0.0.0/0            172.30.33.3          tcp dpt:1883

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0 

-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i enp5s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp5s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp5s0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i enp5s0 -p tcp -m tcp --dport 9443 -j ACCEPT
-A INPUT -i enp5s0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o hassio -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o hassio -j DOCKER
-A FORWARD -i hassio ! -o hassio -j ACCEPT
-A FORWARD -i hassio -o hassio -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 172.30.32.1/32 -p tcp -m tcp --dport 9120 -j ACCEPT
-A FORWARD -d 172.30.32.1/32 -p tcp -m tcp --dport 8444 -j ACCEPT
-A FORWARD -d 10.10.0.1/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i enp5s0 -o enp2s0 -j ACCEPT
-A FORWARD -i hassio -o enp2s0 -j ACCEPT
-A FORWARD -i docker0 -o enp2s0 -j ACCEPT
-A FORWARD -j DROP
-A DOCKER -d 172.30.32.6/32 ! -i hassio -o hassio -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.30.33.0/32 ! -i hassio -o hassio -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.30.33.1/32 ! -i hassio -o hassio -p tcp -m tcp --dport 8485 -j ACCEPT
-A DOCKER -d 172.30.33.1/32 ! -i hassio -o hassio -p tcp -m tcp --dport 8099 -j ACCEPT
-A DOCKER -d 172.30.33.3/32 ! -i hassio -o hassio -p tcp -m tcp --dport 8884 -j ACCEPT
-A DOCKER -d 172.30.33.3/32 ! -i hassio -o hassio -p tcp -m tcp --dport 8883 -j ACCEPT
-A DOCKER -d 172.30.33.5/32 ! -i hassio -o hassio -p tcp -m tcp --dport 1627 -j ACCEPT
-A DOCKER -d 172.30.33.3/32 ! -i hassio -o hassio -p tcp -m tcp --dport 1884 -j ACCEPT
-A DOCKER -d 172.30.33.3/32 ! -i hassio -o hassio -p tcp -m tcp --dport 1883 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i hassio ! -o hassio -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o hassio -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -i docker0 -o enp2s0 -j ACCEPT
-A DOCKER-USER -i hassio -o enp2s0 -j ACCEPT
-A DOCKER-USER -j RETURN
~$ sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-N DOCKER-USER
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 9120 -j DNAT --to-destination 10.10.0.1:443
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.30.32.0/23 ! -o hassio -j MASQUERADE
-A POSTROUTING -o enp2s0 -j MASQUERADE
-A POSTROUTING -s 172.30.32.6/32 -d 172.30.32.6/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.30.33.1/32 -d 172.30.33.1/32 -p tcp -m tcp --dport 1627 -j MASQUERADE
-A POSTROUTING -s 172.30.33.3/32 -d 172.30.33.3/32 -p tcp -m tcp --dport 8884 -j MASQUERADE
-A POSTROUTING -s 172.30.33.3/32 -d 172.30.33.3/32 -p tcp -m tcp --dport 8883 -j MASQUERADE
-A POSTROUTING -s 172.30.33.3/32 -d 172.30.33.3/32 -p tcp -m tcp --dport 1884 -j MASQUERADE
-A POSTROUTING -s 172.30.33.3/32 -d 172.30.33.3/32 -p tcp -m tcp --dport 1883 -j MASQUERADE
-A POSTROUTING -s 172.30.33.4/32 -d 172.30.33.4/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.30.33.6/32 -d 172.30.33.6/32 -p tcp -m tcp --dport 8485 -j MASQUERADE
-A POSTROUTING -s 172.30.33.0/32 -d 172.30.33.0/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.30.33.1/32 -d 172.30.33.1/32 -p tcp -m tcp --dport 8485 -j MASQUERADE
-A POSTROUTING -s 172.30.33.1/32 -d 172.30.33.1/32 -p tcp -m tcp --dport 8099 -j MASQUERADE
-A POSTROUTING -s 172.30.33.5/32 -d 172.30.33.5/32 -p tcp -m tcp --dport 1627 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i hassio -j RETURN
-A DOCKER ! -i hassio -p tcp -m tcp --dport 4357 -j DNAT --to-destination 172.30.32.6:80
-A DOCKER ! -i hassio -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.30.33.0:443
-A DOCKER ! -i hassio -p tcp -m tcp --dport 8485 -j DNAT --to-destination 172.30.33.1:8485
-A DOCKER ! -i hassio -p tcp -m tcp --dport 8099 -j DNAT --to-destination 172.30.33.1:8099
-A DOCKER ! -i hassio -p tcp -m tcp --dport 8884 -j DNAT --to-destination 172.30.33.3:8884
-A DOCKER ! -i hassio -p tcp -m tcp --dport 8883 -j DNAT --to-destination 172.30.33.3:8883
-A DOCKER ! -i hassio -p tcp -m tcp --dport 1627 -j DNAT --to-destination 172.30.33.5:1627
-A DOCKER ! -i hassio -p tcp -m tcp --dport 1884 -j DNAT --to-destination 172.30.33.3:1884
-A DOCKER ! -i hassio -p tcp -m tcp --dport 1883 -j DNAT --to-destination 172.30.33.3:1883
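Reading the dump above, as an added note and example that is not part of the original post: the nat rule `-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER` is not limited to any interface, and every published port in the nat DOCKER chain is matched with `! -i hassio`, so a SYN arriving on enp2s0 for the WAN address on port 443, 1883, 1884, 8883, 8884, 8485, 8099, 1627 or 4357 is DNATed to a container. A DNATed packet then traverses FORWARD, not INPUT, where `-A FORWARD -o hassio -j DOCKER` accepts it, so the `-A INPUT -j DROP` at the end of INPUT never sees it. The script below parses an `iptables -t nat -S` dump (the sample is constructed from lines in the post), lists the DNAT rules a packet arriving on the WAN interface can reach, and prints DOCKER-USER rules that close the container ones. The interface and bridge names enp2s0, docker0 and hassio are taken from the post; the script name `audit.py` is an assumption.

```python
"""Audit an `iptables -t nat -S` dump for Docker DNAT rules that a packet arriving on
the WAN interface can reach, and emit DOCKER-USER rules that close them.
Added example for the thread above; not part of the original post."""
from __future__ import annotations

import shlex
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the relevant lines from the post's `sudo iptables -t nat -S` output.
SAMPLE_NAT_DUMP = """\
-P PREROUTING ACCEPT
-A PREROUTING -i enp2s0 -p tcp -m tcp --dport 9120 -j DNAT --to-destination 10.10.0.1:443
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i hassio -j RETURN
-A DOCKER ! -i hassio -p tcp -m tcp --dport 4357 -j DNAT --to-destination 172.30.32.6:80
-A DOCKER ! -i hassio -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.30.33.0:443
-A DOCKER ! -i hassio -p tcp -m tcp --dport 1883 -j DNAT --to-destination 172.30.33.3:1883
"""


@dataclass
class Rule:
    chain: str
    iface: Optional[str] = None      # argument of -i; None when any input interface matches
    iface_negated: bool = False      # True for "! -i <iface>"
    proto: Optional[str] = None
    dport: Optional[str] = None
    target: Optional[str] = None     # argument of -j
    to_dest: Optional[str] = None    # --to-destination of a DNAT rule

    def admits(self, wan: str) -> bool:
        """Does a packet arriving on `wan` satisfy this rule's interface match?"""
        if self.iface is None:
            return True
        return self.iface != wan if self.iface_negated else self.iface == wan


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one `-A CHAIN ...` line; every option takes one argument, '!' negates the next."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = Rule(chain=toks[1])
    negate = False
    i = 2
    while i < len(toks):
        if toks[i] == "!":
            negate = True
            i += 1
            continue
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt == "-i":
            rule.iface, rule.iface_negated = arg, negate
        elif opt == "-p":
            rule.proto = arg
        elif opt == "--dport":
            rule.dport = arg
        elif opt == "-j":
            rule.target = arg
        elif opt == "--to-destination":
            rule.to_dest = arg
        negate = False
        i += 2
    return rule


def wan_reachable_dnats(dump: str, wan: str) -> list[Rule]:
    """DNAT rules in PREROUTING, or in chains PREROUTING jumps into, whose interface
    match a WAN packet satisfies.  Static approximation: first-match ordering is not
    modelled, which is fine for Docker's chains, where only RETURNs precede the DNATs."""
    rules = [r for r in map(parse_rule, dump.splitlines()) if r is not None]
    chains = {r.chain for r in rules}
    reachable = {"PREROUTING"}
    frontier = ["PREROUTING"]
    while frontier:                      # follow jumps into user-defined chains
        chain = frontier.pop()
        for r in rules:
            if r.chain == chain and r.target in chains and r.target not in reachable and r.admits(wan):
                reachable.add(r.target)
                frontier.append(r.target)
    return [r for r in rules if r.target == "DNAT" and r.chain in reachable and r.admits(wan)]


def docker_user_hardening(wan: str, bridges: tuple[str, ...] = ("docker0", "hassio")) -> list[str]:
    """Rules that drop traffic arriving on `wan` and routed into a container bridge.
    DOCKER-USER is traversed before Docker's own FORWARD rules, and the output interface
    is already known there because PREROUTING DNAT runs before the routing decision.
    Only non-ESTABLISHED traffic is dropped, so replies to container-originated
    connections still reach the RELATED,ESTABLISHED accept that follows in FORWARD."""
    return [
        f"iptables -I DOCKER-USER -i {wan} -o {bridge} "
        f"-m conntrack ! --ctstate ESTABLISHED,RELATED -j DROP"
        for bridge in bridges
    ]


def report(dump: str, wan: str) -> str:
    lines = [f"DNAT rules reachable from {wan}:"]
    for r in wan_reachable_dnats(dump, wan):
        lines.append(f"  {r.chain}: {r.proto}/{r.dport} -> {r.to_dest}")
    lines.append("DOCKER-USER rules to close the container ones:")
    lines.extend(f"  {cmd}" for cmd in docker_user_hardening(wan))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: sudo iptables -t nat -S | python3 audit.py [wan-interface]
    wan_if = sys.argv[1] if len(sys.argv) > 1 else "enp2s0"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NAT_DUMP
    print(report(text, wan_if))
```

Run it as `sudo iptables -t nat -S | python3 audit.py enp2s0`. The printed `iptables -I DOCKER-USER ...` commands need root and must be persisted with whatever mechanism already loads the custom rules in that chain, since Docker only creates DOCKER-USER and does not restore its contents. They drop only traffic from enp2s0 that is routed into docker0 or hassio, so the intentional `--dport 9120 -j DNAT --to-destination 10.10.0.1:443` forward is untouched, 10.10.0.1 not being on a container bridge. Separately, `-A INPUT -p tcp -m tcp --dport 8123 -j ACCEPT` and the `--dport 443` rule next to it carry no `-i enp5s0`, so whatever listens on those ports on the host itself also answers on the WAN address; adding `-i enp5s0` to them, as the other INPUT accepts already have, is the matching fix for the INPUT path.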

I am not sure that it is good to run a server on your router.

If you want to, because you have a powerful machine that you want to run a router and other software on, I would suggest Proxmox, and separating the functions into different VMs.
