Try   HackMD
tags: Docker MySQL

MySQL Port public access closure without overriding docker iptable forwarding rules

This page is the reminder notes for me if someone setup the docker container of MySQL not correctly, you can't block it in multiple offical way in some reason, like if it is not done and follow by you, and it accident roar for it, there is bunch of sh*t already turns on and running, you don't have time to check it one by one but you need to block it or else the mySQL port will be publiclly accessable problem in the network restricted envoriment, then this guide will save your life.

Offical way to do so before the docker is up

Normal I would recommend you to do it in offically way by creating a network rules first before eveything, making rules is very important as if there are bunch of containers, you won't want to amended their network setting one by one if they are sharing some same network rules.

By doing so, first create a network allow to access the internet but expose the ports internally:

docker network create --subnet=172.19.0.0/16 internet

Adding this IPTable rules would be recommend also:

sudo iptables --insert DOCKER-USER -s 172.19.0.0/16 -j REJECT --reject-with icmp-port-unreachable
sudo iptables --insert DOCKER-USER -s 172.19.0.0/16 -m state --state RELATED,ESTABLISHED -j RETURN

Then create a rule which will block the internet access:

docker network create --internal --subnet 10.1.1.0/24 no-internet

After that, you can block the container internet access or allow it by rules, for example, to block one of the container's internet accessing:

docker network connect no-internet container-name

You may want to check out docker network for details as it is crazily useful and important when you setup the docker.

For more docker network related information:
https://docs.docker.com/network/

Quick way to block it

But sometimes there is one of them having problem, and you have tons of reason need to solve it immediantly, then you can do the below step some blocking the specific port.

Step 1: Find the contiainer ID of mysql

sudo docker ps

Step 2: Stop the docker container

sudo docker stop <container ID>

Matching the container ID by first 12 char with the folder

sudo ls /var/lib/docker/containers/

sudo vi /var/lib/docker/containers/{container_id}/hostconfig.json

.......
"PortBindings": {
    "3306/tcp": [
            {
            "HostIp": "",
            "HostPort": "3306"
            }
        ]
    },
.......

Amened the Host IP as

"HostIp": "127.0.0.1"

Then save the file and quit

Step 4: Restart Docker to clear Docker engine cache

sudo systemctl restart docker

Step 5: Restart the mySQL container

sudo docker start {container_id}
Last changed by 
mkaa
Just some notes, and my thought, and random useless stuff Check me: https://thomasbad.github.io
0
95

Read more

Simple Guide to install CrowdSec

Simple Guide to install CrowdSec on Debian Server

May 7, 2024
Easy guide to basic setting for harden the security of Debian based Linux

Assume you have install all of the required software in the server, and ready to hand it out for the devlopers, it would be recommended to install and perform the following step to harden you system.

May 7, 2024
Toggle to Start/Quit GlobalProtect in macOS

Toggle to Start/Quit GlobalProtect in macOS

Oct 26, 2023
Simple versioned TimeMachine-like backup using rsync

Over many years, I have dealt with scripts that do backup versioning, i.e., maintain multiple backups. Due to their flexibility, they have been complex to understand and configure. Here is a simple rsync-based tool with a different focus: The experienced systems administrator who wants to keep his system’s complexity down.

Aug 11, 2023
Read more from mkaa
Published on HackMD