Docker support

getup
Junior Member
Posts: 7
Joined: 27 Dec 2013, 19:38

Docker support

Post by getup »

Will ConfigServer Firewall support Docker hosts in the future? We'd like to firewall the hosts Docker runs on and it would be cool if this is possible from within CSF.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Docker support

Post by ForumAdmin »

If you can confirm that the configuration in this post works:
viewtopic.php?t=8793#p25123
We can look into adding support for it.
getup
Junior Member
Posts: 7
Joined: 27 Dec 2013, 19:38

Re: Docker support

Post by getup »

I'm afraid it doesn't. We lose all connectivity once Docker restarts. The only solution we have is to restart Docker when that happens.
getup
Junior Member
Posts: 7
Joined: 27 Dec 2013, 19:38

Re: Docker support

Post by getup »

I finally got around to writing up a working set of firewall rules in combination with CSF. We have bundled it with our CSF Puppet module that is available on GitHub and the Puppet Forge. The script itself can be found here:

https://github.com/sensson/puppet-csf/b ... _docker.sh

By default it does not allow incoming traffic to containers.

We have implemented it ourselves by sourcing the script into csfpost.sh. The following is a working example that you could use in a Docker Compose setup in case you want to allow traffic to the nginx-proxy.

Code:

#!/bin/sh
# Source the docker.sh helper shipped with the puppet-csf module, then open
# ports per container. Arguments are listed here in the order the post gives
# them: container name, port, port, then the two optional arguments.
. /etc/csf/docker.sh
# open_port <container> <port> <port> [source cidr] [network name]
open_port nginx-proxy 80 80
# With the optional source CIDR and network name, e.g.:
# open_port nginx-proxy 80 80 192.168.1.0/24 data_network

If you don't use open_port, it will only allow traffic from the host and between containers.
getup
Junior Member
Posts: 7
Joined: 27 Dec 2013, 19:38

Re: Docker support

Post by getup »

One thing I forgot to add is that you need to disable Docker's interference with iptables. If you leave it on, Docker will add rules for you.

On CentOS this would be in /etc/sysconfig/docker:

Code:

OPTIONS=" -H unix:///var/run/docker.sock --ip-forward=true --iptables=false --ip-masq=true"
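The two posts above fit together: once the daemon runs with --iptables=false (on current releases the same switch is `"iptables": false` in /etc/docker/daemon.json), Docker adds no NAT or FORWARD rules of its own, so the firewall has to carry the MASQUERADE for outbound container traffic, the inter-container forwarding, and any published port itself, and it has to do so from csfpost.sh because CSF rebuilds its chains on every restart. The script below is an added example written for this thread, not the puppet-csf docker.sh script; the bridge name, subnet, container address and the DRY_RUN switch are assumptions. It builds the default-deny baseline the third post describes (host and inter-container traffic allowed, nothing inbound) and then publishes one port, restricted to a source CIDR, the way open_port is used there.

```shell
#!/bin/sh
# Added example (not the puppet-csf docker.sh script): the iptables rules a
# firewall such as CSF has to carry itself once Docker runs with
# --iptables=false, since Docker then adds no NAT or FORWARD rules at all.
# Bridge name, subnet, container address and the DRY_RUN switch are assumptions.

DOCKER_BRIDGE="${DOCKER_BRIDGE:-docker0}"
DOCKER_SUBNET="${DOCKER_SUBNET:-172.17.0.0/16}"
IPT="${IPT:-iptables}"

# Print the iptables command (DRY_RUN=1, the default) or execute it (DRY_RUN=0,
# which needs root). Printing first lets the rule set be reviewed before use.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Baseline matching the script's default behaviour: containers may reach the
# outside (masqueraded) and each other, replies are allowed back in, and
# anything else headed into the bridge is dropped. Host-to-container traffic
# travels the OUTPUT chain, not FORWARD, so the final DROP does not affect it.
docker_base_rules() {
    run -t nat -A POSTROUTING -s "$DOCKER_SUBNET" ! -o "$DOCKER_BRIDGE" -j MASQUERADE
    run -A FORWARD -i "$DOCKER_BRIDGE" -o "$DOCKER_BRIDGE" -j ACCEPT
    run -A FORWARD -i "$DOCKER_BRIDGE" ! -o "$DOCKER_BRIDGE" -j ACCEPT
    run -A FORWARD -o "$DOCKER_BRIDGE" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run -A FORWARD -o "$DOCKER_BRIDGE" -j DROP
}

# Publish TCP host port $2 to container $1 port $3, optionally only from source
# CIDR $4 (default: anywhere). The FORWARD rule is inserted at the top so it
# precedes the baseline DROP; the DNAT rule ignores packets that originate on
# the bridge itself, so containers do not get their own traffic rewritten.
docker_publish() {
    cip=$1; hport=$2; cport=$3; src=${4:-0.0.0.0/0}
    run -t nat -A PREROUTING -s "$src" ! -i "$DOCKER_BRIDGE" -p tcp --dport "$hport" -j DNAT --to-destination "$cip:$cport"
    run -I FORWARD -s "$src" ! -i "$DOCKER_BRIDGE" -o "$DOCKER_BRIDGE" -d "$cip" -p tcp --dport "$cport" -m conntrack --ctstate NEW -j ACCEPT
}

# Stand-alone run: print the rule set for an assumed nginx-proxy container at
# 172.17.0.2, reachable on port 80 from 192.168.1.0/24 only.
docker_base_rules
docker_publish 172.17.0.2 80 80 192.168.1.0/24
```

Two caveats a practitioner will hit: the container address has to be looked up at rule time (for example with `docker inspect`) because it changes when the container is recreated, which is why the rules belong in a hook that runs after Docker is up; and connections from the host itself to its own published port pass through the nat OUTPUT chain rather than PREROUTING, which this example does not cover.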