Permissive forwarding rule leads to unintentional exposure of containers (2021)

#109 · 🔥 232 · 💬 175 · one year ago · gist.github.com · password4321 · 📷
What's worse, users who bind their published ports to 127.0.0.1 operate under a false sense of security and may not bother taking further precautions against unintentional exposure.

VICTIM] Start a postgres container and publish its main port to 127.0.0.1 on the host.

168.0.200# psql -h 172.17.0.2 -U postgres
Password for user postgres:

## Scope of Exposure

Port publishing in docker and docker-compose is a popular way to expose applications and databases to developers in a cross-platform development environment. Web searches for the pitfalls of "-publish", as well as discussions with other developers, suggest that Docker users who are aware of the security implications of port publishing also believe that specifying an IP address to bind on the host will effectively constrain access to the service they are attempting to share. This is a reasonable conclusion that can be drawn from the documentation, but the reality is that simply publishing a port exposes a container to external machines regardless of the IP address bound on the host.

Restrict the source addresses and/or interfaces that are allowed to communicate with the published container port.

## Conclusion

Docker port publishing is an *extremely* popular feature, and at present, virtually all users that use containers with published ports are exposed to attackers that have noticed the oversight outlined in this email.
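One way to apply the mitigation stated above (restricting which interfaces may reach the container port), as an added example that is not part of the gist or of Docker itself: it emits DOCKER-USER rules that drop traffic entering on the external interface whose original, pre-NAT destination is a container subnet, and it checks an `iptables-save` dump for such a rule. The interface name `eth0`, the subnets and the sample dumps are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the gist or from Docker. Packets that reach a
# container through a legitimately published port were DNAT'd from the host IP,
# so their conntrack original destination is the host. Packets an outside host
# routed straight at 172.17.0.2 keep the container subnet as original destination,
# and --ctorigdst isolates exactly those. Interface and subnets are assumptions.

# Print (do not apply) the guard rules; review them, then run them as root.
# Usage: docker_user_rules eth0 172.17.0.0/16 172.18.0.0/16
docker_user_rules() {
    ext_if=$1; shift
    for cidr in "$@"; do
        printf 'iptables -I DOCKER-USER -i %s -m conntrack --ctorigdst %s -j DROP\n' \
            "$ext_if" "$cidr"
    done
}

# Check an iptables-save dump for the guard rule in DOCKER-USER.
# Usage: has_guard "$(iptables-save)" eth0 172.17.0.0/16 ; returns 0 if present.
has_guard() {
    printf '%s\n' "$1" | grep -q -- "-A DOCKER-USER -i $2 .*--ctorigdst $3 -j DROP"
}

# Constructed sample of a default host: DOCKER-USER only RETURNs, and the DOCKER
# chain accepts port 5432 to the container from any non-bridge interface, which is
# the permissive forwarding rule the gist describes.
DEFAULT_DUMP='*filter
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# Constructed sample of the same host after the guard rule was inserted.
HARDENED_DUMP='*filter
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER-USER -i eth0 -m conntrack --ctorigdst 172.17.0.0/16 -j DROP
-A DOCKER-USER -j RETURN
COMMIT'
```

Rules inserted with `-I` land ahead of Docker's own `-j RETURN`, so they are evaluated before the DOCKER chain's ACCEPT; published ports bound on the host stay reachable because DNAT'd traffic does not match `--ctorigdst`.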