
Potential security issue: iptables #159

Open
Clickbaitcake opened this issue Dec 29, 2021 · 4 comments

Comments

@Clickbaitcake
Contributor

Clickbaitcake commented Dec 29, 2021

Nefarious docker containers open ports on the host which grant access to the web GUIs for the app itself alongside Jackett and Transmission. Thanks to a quirk in Docker networking these open ports bypass the host firewall (UFW in most cases) because Docker uses iptables.

This means when running Nefarious on a public facing VPS a user could leak their admin control panels to the whole internet even when a firewall rule is in place to block access. Private tracker credentials could be stolen easily from the exposed Jackett port because the user might assume blocking access to port 9117 via the firewall is enough to protect themselves.

This could be fixed in either of two ways:

  1. Control Docker's access to iptables by creating the file /etc/docker/daemon.json containing:

```json
{
    "iptables": false
}
```

The downside to this approach in my testing is that it breaks the Docker containers' ability to reach the internet. There must be a workaround.

  2. Add some default, changeable password to Jackett and Transmission.
    Transmission can be done by editing the transmission settings.json to contain the following additional values by default:

```json
{
    "download-dir": "/downloads/",
    "incomplete-dir": "/downloads/.incomplete",
    "incomplete-dir-enabled": true,
    "rpc-whitelist": "*",
    "rpc-host-whitelist-enabled": false,
    "rpc-password": "PASSWORDHERE",
    "rpc-username": "admin",
    "rpc-authentication-required": true
}
```

A password can be added to Jackett by modifying .config/Jackett/ServerConfig.json but I don't have these values to hand.
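Two defender-side checks for the exposure described in this issue, added here as an example and not taken from this thread or from the nefarious project. The first reads `docker ps`-style port mappings and flags every port published on a wildcard address (Docker publishes on all interfaces unless an address is given, and its DNAT rules are consulted before UFW's INPUT chain). The second rewrites docker-compose `ports:` entries so the host side binds on 127.0.0.1, which keeps the GUIs reachable only from the host (for example through a reverse proxy or SSH tunnel) without the `"iptables": false` setting that cuts containers off from the internet. The container names, port numbers and compose layout in the samples are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the nefarious project or this issue.
#   exposed_ports   - flags published ports bound to every interface
#   bind_localhost  - rewrites compose "ports:" entries to loopback only

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'`
# output; names and ports are assumptions, not captured from a real host.
SAMPLE_PS=$(printf 'jackett\t0.0.0.0:9117->9117/tcp, :::9117->9117/tcp\ntransmission\t127.0.0.1:9091->9091/tcp\nnefarious\t0.0.0.0:8000->80/tcp')

# Print "name:hostport" for every mapping published on 0.0.0.0 or ::.
# Docker's DNAT rules accept these before UFW's INPUT rules run, so each
# line printed here is reachable from outside regardless of UFW policy.
exposed_ports() {
    printf '%s\n' "$1" | awk -F "$(printf '\t')" '
    {
        n = split($2, maps, ", ")
        for (i = 1; i <= n; i++) {
            # host side of a mapping looks like "addr:port->containerport/proto"
            if (maps[i] ~ /^(0\.0\.0\.0|\[?::\]?):[0-9]+->/) {
                split(maps[i], parts, "->")
                sub(/^.*:/, "", parts[1])   # keep only the host port
                print $1 ":" parts[1]
            }
        }
    }' | sort -u
}

# Rewrite compose entries of the form "- 9117:9117" (optionally quoted,
# optionally with /tcp or /udp) to bind on 127.0.0.1 only. Entries that
# already carry an explicit address are left untouched.
bind_localhost() {
    printf '%s\n' "$1" | sed -E \
        's/^([[:space:]]*-[[:space:]]*)"?([0-9]+:[0-9]+(\/(tcp|udp))?)"?[[:space:]]*$/\1"127.0.0.1:\2"/'
}

# Constructed compose fragment (assumed layout, not the project's own file).
SAMPLE_COMPOSE=$(printf '    ports:\n      - 9117:9117\n      - "9091:9091/tcp"\n      - 127.0.0.1:8000:80')

echo "== published on all interfaces =="
exposed_ports "$SAMPLE_PS"
echo "== compose ports rewritten to loopback =="
bind_localhost "$SAMPLE_COMPOSE"
```

On a real host, pipe `docker ps --format '{{.Names}}\t{{.Ports}}'` into `exposed_ports` instead of the sample; anything it prints is worth either binding to loopback or fronting with an authenticated reverse proxy, since the UFW rule the user wrote for that port is not what decides whether the connection is accepted.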

@Clickbaitcake
Contributor Author

I just realised we can manually set a Jackett password in the GUI so this issue might be a waste of time. Perhaps setting a password as default would be good practice though?

@lardbit
Owner

lardbit commented Dec 30, 2021

Interesting, I was unaware of the incompatibility with UFW and docker. If you come up with a solution regarding iptables let me know. In the meantime, yes I think adding transmission & jackett passwords would be more sane defaults. It's easy enough to do with Transmission like you mentioned but I'll have to research jackett's config to know how to pre-populate it, and if it's possible (since it's also generating a unique API key).

@disaac
Collaborator

disaac commented Jul 13, 2024

@Clickbaitcake @lardbit

Was going through the issues and stumbled on this old one. I think it would be safe to close out this issue and other system configuration issues by adding notes to a new doc like FAQ.md or something. I can work on a PR for this and other issues when I get some time, and include information/options for issues that seem more sysadmin related.

@lardbit I could create a label “documentation” and add it to issues that seem like they fit this sort of category, if that makes sense to you.

@Clickbaitcake on a side note, if you're still dealing with this (I know this is very old) there are ways to make UFW rules apply to Docker as well if you didn't want to turn off iptables in Docker altogether.

@lardbit
Owner

lardbit commented Jul 13, 2024

> Was going through the issues and stumbled on this old one. I think it would be safe to close out this issue and other system configuration issues by adding notes to a new doc like FAQ.md or something. I can work on a PR for this and other issues when I get some time, and include information/options for issues that seem more sysadmin related.
>
> @lardbit I could create a label “documentation” and add it to issues that seem like they fit this sort of category, if that makes sense to you.

That would be great. Good idea.
