Thank you. I am not currently using docker compose, just using a basic script to start, stop, and update. So long as I end up w/ isolation I think I will be OK.
This install will be used to give SSH and RDP into a malware lab, so the serving host is the one I want to protect, and the containers on said host. Once I get the docker part squared away, the next step is to apply an iptables FW on the host so it logs anything inbound from the lab. Appreciate the article!

On Thu, Feb 29, 2024 at 9:28 AM Aaron Meyer <[email protected]> wrote:

> On Wednesday, February 28, 2024 12:14 CST, Don Murdoch GSE BTHb <[email protected]> wrote:
>
> > Hi.
> >
> > I have gotten Guac set up on a PC w/ VMware Workstation, using Ver 1.5.3, and also on a server at work. Just to get the feel of all of the parts.
> >
> > Now moving on to how I’d like to productionalize this using vmware / proxmox. I am pretty sure I have a “network” and “network routing issue” – I am sure my problem is getting guacd to “talk outside its hosting docker container management engine”.
> >
> > For our intended production use, I haven’t gotten things right. My thought process is to use a docker network so that the MySQL server can be completely isolated on the host, the idea being I don’t want a port exposed, just want guacamole / guacd to be able to talk to it. To that end, I have guacd on 192.168.10.3, mysql on 192.168.10.2, guacamole on 192.168.10.4 (the 192.168.10 is different from actual; the host IP is the same). I have used the cmd line parameter “-ip 192.168.10.X”, and then used the ENV variables on the guacamole start up so guacamole (web) can see the other two.
> >
> > The host itself is on 10.120.33.X, and I can get to 10.120.33.X:8080 – so I have reachability to the guacamole web UI, can login, etc.
> >
> > When I define a target that is on 10.120.33.X – like the SSH port for the guac container host, or a RDP target for Windows on 10.120.33.X – I get the “reconnect” message, and the Logs option tells me that the target does not respond, connection time out. As I am reading errors, it certainly looks like a routing issue; the guacd container doesn’t know how to get outside of Docker.
> >
> > So the question is: If the host is on 10.120.33.X and it has a default gateway to other segments, how do I isolate to the extent possible guacd and mysql, while still allowing guacd to talk out (and what is the corresponding command line parameter?)
> >
> > --
> > Don M -> www.blueteamhandbook.com Author.
>
> Don, I'm running the guac stack under a docker-compose configuration using docker networks to isolate the services. I assume that's what you're trying to effect, but I'm confused with the different IP allocations you list, as in my configuration docker handles addressing for the containers.
>
> Anyway, if it helps, here is the article I followed to deploy my stack with Caddy SSL reverse proxy, MariaDB, SSO et al. The only service directly accessible is the Caddy reverse proxy. This link takes you to the specific docker-compose.yaml section, and if you're not using Okta SAML you can ignore all of that.
> https://nathancatania.com/posts/deploy-guacamole-ssl-saml/#3-create-the-docker-compose-file
>
> --
> In your service,
> Aaron Meyer

--
Don M -> www.blueteamhandbook.com Author. Have a BTHb? Will you be at RSAC 2023? Drop by the Infoblox booth for an autograph!
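One way to get the split Don asks about (MySQL reachable only from the web app, no published DB port, guacd still able to reach the 10.120.33.X targets) using Docker networks instead of hand-assigned container IPs. This is an added example, not Aaron's stack or the linked article's compose file; the service and network names, the 1.5.3 image tags and the placeholder credentials are assumptions, and it relies on Docker's default bridge behaviour of masquerading outbound container traffic to the host's address.

```yaml
# Added example, not from the thread or the linked article. Two user-defined
# networks: "guac-db" is internal (no gateway, no NAT, nothing published), so
# MySQL is reachable only from containers attached to it; "guac-front" is a
# normal bridge, so guacd gets outbound NAT to the host's LAN (10.120.33.X)
# without any host port being published for it.
services:
  db:
    image: mysql:8
    networks: [guac-db]              # internal network only
    environment:
      MYSQL_DATABASE: guacamole_db
      MYSQL_USER: guacamole_user
      MYSQL_PASSWORD: CHANGE-ME      # placeholder; use secrets in practice
      MYSQL_ROOT_PASSWORD: CHANGE-ME # placeholder
    volumes:
      - db-data:/var/lib/mysql

  guacd:
    image: guacamole/guacd:1.5.3
    networks: [guac-front]           # bridge with default outbound NAT
    # no "ports:" block: the web app reaches guacd by name on guac-front,
    # so 4822 is never exposed on the host

  guacamole:
    image: guacamole/guacamole:1.5.3
    depends_on: [db, guacd]
    networks: [guac-front, guac-db]  # the only container on both networks
    ports:
      - "8080:8080"                  # the single published port
    environment:
      GUACD_HOSTNAME: guacd          # Docker's embedded DNS resolves service names
      MYSQL_HOSTNAME: db
      MYSQL_DATABASE: guacamole_db
      MYSQL_USER: guacamole_user
      MYSQL_PASSWORD: CHANGE-ME      # placeholder; must match db above

networks:
  guac-db:
    internal: true                   # the isolation Don wants for MySQL
  guac-front:
    driver: bridge

volumes:
  db-data:
```

With a plain start script instead of compose, the same split is `docker network create --internal guac-db` plus `docker network create guac-front`, then `--network` on each `docker run` and `docker network connect guac-db <guacamole-container>` for the web app's second attachment. Since guacd's traffic to the lab leaves the host source-NATed to the host address, the host iptables LOG rules for inbound traffic from the lab apply to replies as well.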
