How to configure firewalld with docker 20.10 [closed]
I realized that Docker recently added integration with firewalld, and I just want to set up my server using firewalld instead of boring iptables rules and chains.

This is my docker zone output:

root@test:~# sudo firewall-cmd --zone=docker --list-all 
docker (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: br-0a659f93a5b6 br-be2e44b2b069 docker0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

I have run multiple services, including Laravel (nginx port binding 80 -> 5050), MySQL, etc., with the above config. I expect that nobody can access port 5050 or 3306 (MySQL), but unfortunately the firewall has no effect and everything is open and accessible from outside.

And these are the docker modules:

Now, how do I really configure firewalld to drop every request except on the allowed ports?

Sims answered 8/3, 2021 at 9:21
Comment: Did you find any solutions? – Tressietressure
Comment: @Tressietressure No, I couldn't find any solution for this and I use ufw-docker for this purpose. – Sims

In summary, the solution is:

  1. Disable iptables in docker
  2. Add masquerade to public zone
  3. Add docker network interface to trusted zone
  4. Add ethernet interface to public zone

Note that this has security implications.

I wrote an article about it here: https://dev.to/soerenmetje/how-to-secure-a-docker-host-using-firewalld-2joo

Rademacher answered 16/3, 2023 at 14:21
Comment: Thank you for writing that blog post! I have been trying to learn enough about netfilter to get firewalld doing DNAT so things work as expected, to avoid the gateway/NAT issue you mention in the post. – Anschluss
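The four steps of the answer above, written out as a script. This is an added example, not code from the answer or from the linked article; it assumes the host's public NIC is `eth0`, the Docker bridge is `docker0` and the daemon config lives at `/etc/docker/daemon.json` (all three are overridable through environment variables). Step 1 is a `daemon.json` fragment, steps 2 to 4 are `firewall-cmd` calls. Moving `docker0` into the `trusted` zone means firewalld accepts everything arriving from containers, which is the security implication the answer warns about, and with `"iptables": false` Docker no longer installs the DNAT rules behind `-p` port publishing, which is the gateway/NAT issue raised in the comment. The script therefore only prints what it would do unless `apply` is called explicitly.

```bash
#!/usr/bin/env bash
# Added example: firewalld + Docker setup following the answer's four steps.
# Assumptions (not from the page): eth0 = public NIC, docker0 = Docker bridge,
# /etc/docker/daemon.json = Docker daemon config. Override via environment.
set -euo pipefail

PUBLIC_IF="${PUBLIC_IF:-eth0}"
DOCKER_IF="${DOCKER_IF:-docker0}"
DAEMON_JSON="${DAEMON_JSON:-/etc/docker/daemon.json}"

# Step 1: daemon.json content that stops Docker from editing iptables itself.
docker_daemon_config() {
  printf '{\n  "iptables": false\n}\n'
}

# Steps 2-4 as firewall-cmd invocations, one per line, so they can be
# reviewed before they are executed.
firewalld_commands() {
  cat <<EOF
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --permanent --zone=trusted --add-interface=${DOCKER_IF}
firewall-cmd --permanent --zone=public --add-interface=${PUBLIC_IF}
firewall-cmd --reload
EOF
}

# Writes the daemon config, runs the firewall-cmd lines and restarts Docker.
# Requires root; not called automatically.
apply() {
  docker_daemon_config > "$DAEMON_JSON"
  firewalld_commands | while IFS= read -r cmd; do
    eval "$cmd"
  done
  systemctl restart docker
}

# Default behaviour: show the plan only.
if [ "${1:-plan}" = "plan" ]; then
  echo "# would write to ${DAEMON_JSON}:"
  docker_daemon_config
  echo "# would run:"
  firewalld_commands
fi
```

Run it without arguments to see the generated configuration and commands; run `./setup.sh apply` (as root) after verifying that `PUBLIC_IF` and `DOCKER_IF` match the interface names shown by `firewall-cmd --zone=docker --list-all` on your host. Containers that need to be reachable from outside then have to be opened explicitly with `firewall-cmd --zone=public --add-port=...` or forwarded with `--add-forward-port`, since Docker's own port publishing no longer reaches netfilter.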
