
Eh, isn't the real story then that Linux will route random incoming traffic on any interface? Even if you haven't configured it as a router?

I know whoever was in charge of configuring Docker's iptables routes should have known this and messed up, but that is fucked up.




I'm a bit confused; as far as I know Linux only forwards packets on interfaces where you've enabled routing, doesn't it?

If you set up:

    net.ipv4.ip_forward=0
    net.ipv4.conf.eth0.forwarding=0
    net.ipv4.conf.docker.forwarding=1 
I'm pretty sure this isn't an issue, right?

My guess is that the real real story is probably that every guide on the internet says to just set net.ipv4.ip_forward=1 and that nobody bothers to stop and read up on the sysctl parameters they're copy/pasting from the internet.

For this attack to succeed, the attacker also needs to be on the same network or have their upstream ISPs accept plain external traffic towards internal networks. Executing the PoC on Linux without being in the same subnet won't even be accepted (though raw sockets may still send out traffic towards the host that will probably get filtered somewhere along the way).


This doesn't work. Breaks traffic out (below) and in.

    # sysctl net.ipv4.ip_forward net.ipv4.conf.enp8s0.forwarding net.ipv4.conf.docker0.forwarding
    net.ipv4.ip_forward = 1
    net.ipv4.conf.enp8s0.forwarding = 1
    net.ipv4.conf.docker0.forwarding = 1
    # docker run --rm alpine/curl -sI --max-time 5 http://1.1.1.1 | head -n2
    HTTP/1.1 301 Moved Permanently
    Server: cloudflare
    # sysctl net.ipv4.conf.enp8s0.forwarding=0
    net.ipv4.conf.enp8s0.forwarding = 0
    # docker run --rm alpine/curl -I --max-time 5 http://1.1.1.1 | head -n2
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:--  0:00:05 --:--:--     0
    curl: (28) Connection timed out after 5000 milliseconds
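The per-interface sysctls proposed a few comments up and the timeout in the transcript above both come down to one kernel rule: the forwarding decision is made using the flag of the interface a packet arrives on, so a two-way flow through the host needs forwarding enabled on both ingress interfaces (the request's and the reply's). The snippet below is an added example, not code from the thread or from Docker; it models that rule over constructed `sysctl` output whose interface names and values are made up to mirror the transcript, and `set_ip_forward` models the fact that writing `net.ipv4.ip_forward` pushes the value to every interface.

```shell
#!/bin/sh
# Constructed sample of `sysctl` output (not captured from a real host);
# values chosen to match the "only enable it on docker0" proposal.
SAMPLE='net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.enp8s0.forwarding = 0
net.ipv4.conf.docker0.forwarding = 1
net.ipv4.conf.lo.forwarding = 0'

# Print the forwarding flag of the interface a packet *arrives* on.
# The kernel consults only this per-interface flag when deciding whether
# to forward; an interface absent from the output is reported as 0.
ingress_forwarding() { # $1 = sysctl text, $2 = interface name
  printf '%s\n' "$1" | awk -v key="net.ipv4.conf.$2.forwarding" '
    $1 == key { print $3; found = 1 }
    END { if (!found) print 0 }'
}

# A bidirectional flow through the host works only if forwarding is on
# for BOTH ingress interfaces: the request arrives on $2, the reply on $3.
flow_works() { # $1 = sysctl text, $2 = request ingress, $3 = reply ingress
  [ "$(ingress_forwarding "$1" "$2")" = 1 ] &&
  [ "$(ingress_forwarding "$1" "$3")" = 1 ]
}

# Model of `sysctl -w net.ipv4.ip_forward=N`: the write is propagated to
# every net.ipv4.conf.<if>.forwarding, which is why it acts as a global switch
# and silently undoes any per-interface setting made before it.
set_ip_forward() { # $1 = sysctl text, $2 = new value
  printf '%s\n' "$1" | awk -v v="$2" '
    $1 ~ /^net\.ipv4\.(ip_forward|conf\..*\.forwarding)$/ { $3 = v }
    { print }'
}

# Stand-alone demonstration: container egress (request in on docker0,
# reply in on enp8s0) and LAN-to-container traffic (request in on enp8s0).
if flow_works "$SAMPLE" docker0 enp8s0; then
  echo "container -> 1.1.1.1: works"
else
  echo "container -> 1.1.1.1: reply arriving on enp8s0 is not forwarded (timeout)"
fi
if flow_works "$SAMPLE" enp8s0 docker0; then
  echo "LAN host -> container: works"
else
  echo "LAN host -> container: request arriving on enp8s0 is not forwarded"
fi
ALL_ON=$(set_ip_forward "$SAMPLE" 1)
echo "after ip_forward=1, enp8s0.forwarding = $(ingress_forwarding "$ALL_ON" enp8s0)"
```

Point the functions at real output (`sysctl -a 2>/dev/null | grep forwarding`) to audit a host. The model shows why the `enp8s0.forwarding=0` experiment above times out (the reply path is dropped) and why the setting that gives containers internet access necessarily also lets packets arriving on the uplink be forwarded toward docker0; what is and is not forwarded from there is decided by the iptables rules, not by the sysctl.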


At some level docker has to do this because it creates an abstraction that your containers are their own little devices with their own IP address. For your host machine to talk to them and vice versa it has to be able to route traffic to them. I don't think docker flips on routing globally for all interfaces though.


> Linux will route random incoming traffic on any interface? Even if you haven't configured it as a router?

"configuring Linux as a router" is exactly what "adding an iptables rule that routes" is. That's what it's for, that's how you do it.


You have configured it as a router, by installing Docker.



