This is an automated archive made by the Lemmit Bot.

The original was posted on /r/selfhosted by /u/DominusGecko on 2025-08-08 10:19:43+00:00.


How do you all avoid lateral movement and inter-container communication?

  • Container MyWebPage: exposes port 8000 – public service that binds to example.com
  • Container Portainer: exposes port 3000 – private service that binds portainer.example.com (only accessible through VPN or whatever)

Now, a vulnerability in container MyWebPage is found and remote code execution is now a thing. They can access the container’s shell. From there, they can easily access your LAN, Portainer or your entire VPN: nc 192.168.1.2 3000.

From what I found online, the answer is to either set up persistent iptables or disable networking for the container… Are these the only choices? How do you manage this risk?
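One defensive layout for the two containers in the post, as an added example that is not part of the original post: each service gets its own user-defined network, the app sits on an `internal` network with no route to the LAN or WAN, and only an assumed reverse proxy spans the segments. The service names, images, the reverse proxy and the VPN address are assumptions.

```yaml
# Added example (not from the original post): segmenting MyWebPage and
# Portainer so that a shell obtained in MyWebPage cannot reach Portainer,
# the 192.168.1.0/24 LAN, or the internet. Images and names are placeholders.

networks:
  frontend:
    # Only the reverse proxy is here; it is the single network that has
    # a masqueraded route to the outside world.
  web_backend:
    # internal: no default route and no NAT, so a container on this
    # network cannot open connections to the LAN or WAN at all.
    internal: true
  mgmt:
    # Portainer's own segment. MyWebPage is not a member, so Docker's
    # inter-network isolation drops any traffic between the two.
    internal: true

services:
  proxy:
    image: caddy:2                 # assumed reverse proxy; any will do
    ports:
      - "443:443"                  # the only port published on the host
    networks: [frontend, web_backend, mgmt]
    # Routes example.com -> mywebpage:8000 and
    # portainer.example.com -> portainer:9000 (Portainer CE's default
    # container port). The proxy is the only thing that needs both.

  mywebpage:
    image: mywebpage:latest        # placeholder for the app image
    networks: [web_backend]        # not on mgmt: `nc portainer 9000` fails
    # No `ports:` entry: nothing from this container is bound on the host.

  portainer:
    image: portainer/portainer-ce
    networks: [mgmt]
    # Reached only through the proxy on the VPN hostname. If it must be
    # published directly, bind it to the VPN interface only, e.g.
    #   ports: ["10.8.0.1:9000:9000"]   (10.8.0.1 is an assumed VPN address)
    # rather than 0.0.0.0, so the LAN side never sees the port.
```

Docker's isolation between networks covers forwarded traffic only; a host daemon listening on all interfaces can still be reached from a container at the bridge gateway address, so bind private host services to a specific address as well rather than relying on network isolation alone. If MyWebPage genuinely needs outbound access, drop `internal: true` on `web_backend` and restrict its egress with rules in the DOCKER-USER chain instead.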