Why containers ports which are not published are accessible from an external system in Red Hat Enterprise Linux ?

Solution Verified - Updated -

Issue

  • Why containers ports which are not published are accessible from an external system in Red Hat Enterprise Linux and how to prevent it ?
  • How to prevent external systems from accessing container ports that are not published in Red Hat Enterprise Linux ?. To demonstrate the problem, take two systems from the same subnet

1. On machine 1, run a container that listens on port 8080

    podman run -d --name test registry.internal.redhat.com/httpd

2. Get the IP of the container

    podman inspect --format='{{.NetworkSettings.IPAddress}}' test (in this example, container IP 10.88.0.2)

3. On machine 2, Add routing rule: ip route add 10.88.0.2 via <ip-of-machine1>
4. You can now access port 8080 through the local container ip

    # curl  -so /dev/null  -w '%{http_code}' http://10.88.0.2:8080 
    200

Environment

  • Red Hat Enterprise Linux
  • Container host and external client on the same subnet
  • podman

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content