On 5/26/20 1:51 AM, Felder, Christian wrote:
When using podman run -p … DNAT rules in the forward chain are
automatically created for allowing traffic to the container/pod.
I think you might be mixing up two different things. When I run "podman
run -p" I see a new rule in the PREROUTING chain of the "nat" table. I
don't see any rules in the FORWARD chain of the "filter" table.
There are no DNAT rules in the FORWARD chain.
Unfortunately this bypasses the input chain which is usually used to
explicitly allowing external traffic for a specific service/port.
Using podman run -p … the port is world-wide accessible though.
That isn't true on my system, as far as I can tell.
One solution is to just bind to the loopback interface using -p
127.0.0.1:XXX:XXX which will ensure that the port is just available on the
host system but on the other hand this does not allow using ssh tunnelling for authorised
Why wouldn't it allow ssh tunneling?