Port forwarding and tunneling in ChromeOS
localhost to Crostini
ChromeOS will forward ports from localhost into Crostini. This allows developers to use Chrome to access their development environment inside Crostini.
cicerone will ask chunnel to tunnel all ports listening in the Crostini container, except:
- Privileged (<1024) since chunnel lacks CAP_NET_BIND_SERVICE.
- 2222 (SFTP for the ChromeOS Files app) and 5355 (Link-Local Multicast Name Resolution) which are blocked.
Moreover, tunneled ports are locked down to reject traffic from non-chronos UIDs.
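
An added example, not ChromeOS code: this Python sketch applies the exclusion rules listed above to a socket table in `/proc/net/tcp` layout, to predict which container ports would become reachable from ChromeOS localhost. The function names and the sample table are constructed for illustration, and it assumes any TCP socket in the LISTEN state counts as "listening".

```python
"""Predict which listening container ports the rules above would tunnel."""

# Ports the page lists as blocked, with the reason it gives.
BLOCKED = {2222: "SFTP for the ChromeOS Files app",
           5355: "Link-Local Multicast Name Resolution"}
TCP_LISTEN = "0A"  # value of the "st" column for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1002
   2: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 00000000:14EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 1004
   4: 0100007F:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1005
   5: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 1006
"""

def listening_ports(table):
    """Return the set of local ports in LISTEN state from a /proc/net/tcp dump."""
    ports = set()
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue                             # established, time-wait, etc.
        # local_address is HEXADDR:HEXPORT; rsplit also copes with tcp6 rows.
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def classify(ports):
    """Split ports into (tunneled list, {skipped port: reason})."""
    tunneled, skipped = [], {}
    for port in sorted(ports):
        if port < 1024:
            skipped[port] = "privileged (<1024): chunnel lacks CAP_NET_BIND_SERVICE"
        elif port in BLOCKED:
            skipped[port] = "blocked: " + BLOCKED[port]
        else:
            tunneled.append(port)
    return tunneled, skipped

if __name__ == "__main__":
    # Inside the container, pass open("/proc/net/tcp").read() instead of SAMPLE.
    tunneled, skipped = classify(listening_ports(SAMPLE))
    print("expected to be tunneled:", tunneled)
    for port, reason in skipped.items():
        print(f"not tunneled: {port} ({reason})")
```

Running the same check against `/proc/net/tcp6` covers IPv6 listeners, since the port is still the hex field after the last colon.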