docker bridge problem.

Posted: 25 Oct 2018, 12:36
by Cyon
Hello. I like csf and use it on all servers. Some time ago I tried to use docker. If I use the network in host mode and enable docker in csf.conf, everything works fine. But if I use docker-compose with a bridge network, it doesn't work. I found a script to fix it: puppet-csf.
Now docker works fine and csf works, but the script creates DOCKER-ISOLATION rules and csf blocks all ports except the ports used by docker, for example 80 or 443.

If I use only the script, without csf, and clear iptables, I see this:

# Generated by iptables-save v1.6.0 on Wed Oct 24 09:08:54 2018
*mangle
:PREROUTING ACCEPT [249:18574]
:INPUT ACCEPT [172:11228]
:FORWARD ACCEPT [77:7346]
:OUTPUT ACCEPT [123:16332]
:POSTROUTING ACCEPT [200:23678]
COMMIT
# Completed on Wed Oct 24 09:08:54 2018
# Generated by iptables-save v1.6.0 on Wed Oct 24 09:08:54 2018
*raw
:PREROUTING ACCEPT [253:19229]
:OUTPUT ACCEPT [132:17040]
COMMIT
# Completed on Wed Oct 24 09:08:54 2018
# Generated by iptables-save v1.6.0 on Wed Oct 24 09:08:54 2018
*nat
:PREROUTING ACCEPT [2:100]
:INPUT ACCEPT [2:100]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [8:480]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-e822a1a26656 -j MASQUERADE
-A POSTROUTING -s 172.18.0.7/32 -d 172.18.0.7/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.18.0.7/32 -d 172.18.0.7/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-e822a1a26656 -j RETURN
-A DOCKER ! -i br-e822a1a26656 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.7:443
-A DOCKER ! -i br-e822a1a26656 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.7:80
# Completed on Wed Oct 24 09:08:54 2018
# Generated by iptables-save v1.6.0 on Wed Oct 24 09:08:54 2018
*filter
:INPUT ACCEPT [42:3637]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [42:5973]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-e822a1a26656 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e822a1a26656 -j DOCKER
-A FORWARD -i br-e822a1a26656 ! -o br-e822a1a26656 -j ACCEPT
-A FORWARD -i br-e822a1a26656 -o br-e822a1a26656 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i br-e822a1a26656 -o br-e822a1a26656 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i br-e822a1a26656 -o br-e822a1a26656 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION -i docker0 -o br-e822a1a26656 -j DROP
-A DOCKER-ISOLATION -i br-e822a1a26656 -o docker0 -j DROP
-A DOCKER-ISOLATION -j RETURN
COMMIT
Maybe I need to replace DOCKER-ISOLATION with some csf rules? Can anyone help me with this?
Or how do you use csf with docker bridge networks?

Re: docker bridge problem.

Posted: 05 Nov 2018, 07:50
by Cyon
I found a solution (not fully working). I removed DOCKER-ISOLATION.
Then I changed

-A DOCKER -d 172.18.0.7/32 ! -i br-e822a1a26656 -o br-e822a1a26656 -p tcp -m tcp --dport 443 -j ACCEPT
to

-A DOCKER -d 172.18.0.7/32 ! -i br-e822a1a26656 -o br-e822a1a26656 -p tcp -m tcp --dport 443 -j LOCALINPUT
-A DOCKER -d 172.18.0.7/32 ! -i br-e822a1a26656 -o br-e822a1a26656 -p tcp -m tcp --dport 443 -j ACCEPT
Now temporary block and deny work fine.
But "Connection Tracking/CONNLIMIT/PORTFLOOD" is not working. I think I can add the rules manually to "-A DOCKER".
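An added audit check for the approach in the post above (example code, not from the thread or from puppet-csf): it parses iptables-save output, lists the DOCKER chain ACCEPT rules that have no preceding identical rule jumping to csf's LOCALINPUT chain (published ports that bypass csf's allow/deny lists), and prints the insert command that adds the missing jump. The sample input is constructed from the rules quoted in the thread; the function names are this example's own.

```python
import re

# Constructed sample: the filter-table DOCKER chain after the post's change,
# with the 443 rules guarded by LOCALINPUT but the port 80 rule left as-is.
SAMPLE = """\
*filter
:DOCKER - [0:0]
-A DOCKER -d 172.18.0.7/32 ! -i br-e822a1a26656 -o br-e822a1a26656 -p tcp -m tcp --dport 443 -j LOCALINPUT
-A DOCKER -d 172.18.0.7/32 ! -i br-e822a1a26656 -o br-e822a1a26656 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i br-e822a1a26656 -o br-e822a1a26656 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# One rule appended to the DOCKER chain: everything between the chain name and
# the final "-j TARGET" is the match. The space after DOCKER keeps the
# DOCKER-ISOLATION chain out.
RULE = re.compile(r"^-A DOCKER (?P<match>.*) -j (?P<target>\S+)$")


def docker_rules(text):
    """Yield (match, target) for each rule in the filter table's DOCKER chain."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # iptables-save table header, e.g. *filter
        elif table == "filter":
            m = RULE.match(line)
            if m:
                yield m.group("match"), m.group("target")


def unguarded(text):
    """Matches that DOCKER accepts with no earlier LOCALINPUT jump for the same match."""
    guarded, found = set(), []
    for match, target in docker_rules(text):
        if target == "LOCALINPUT":
            guarded.add(match)
        elif target == "ACCEPT" and match not in guarded:
            found.append(match)
    return found


def fix_commands(text):
    """Commands inserting the missing LOCALINPUT jump ahead of each bare ACCEPT."""
    return ["iptables -I DOCKER %s -j LOCALINPUT" % m for m in unguarded(text)]


if __name__ == "__main__":
    print("\n".join(fix_commands(SAMPLE)))
```

Feed it `iptables-save` output after `docker-compose up` to see which published ports still skip csf; the same check can run from csfpost.sh.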

Re: docker bridge problem.

Posted: 04 Oct 2019, 18:34
by elsevero
Hi Cyon,

I know it has been a while since you posted this message.

Currently I'm facing a strange issue, and that is:

Running the Docker CSF puppet bash script after I've run docker-compose up

https://raw.githubusercontent.com/sensson/puppet-csf/master/templates/csf_docker.sh
and everything works fine, but after stopping the docker containers and running them again (meaning running docker-compose up), communication with the containers no longer works.

I've tried to add to

/etc/csf/csfpost.sh
the following content (at the bottom of the file)

source /etc/csf/csf_docker.sh
My question to you, or anybody:

How do I fire the csf_docker.sh bash script after docker-compose up? Or is there a way to make those changes permanent?

Re: docker bridge problem.

Posted: 04 Oct 2019, 18:46
by elsevero
In my case I solved it by following these steps: https://jimfrenette.com/2018/02/vps-pro ... traefik/2/