docker with disable iptables and csf firewall
Posted: 25 May 2023, 07:03
Hello,
I try to use the csf firewall with Docker.
I read some tutorials and created a working solution, but I have a small problem...
My OS is AlmaLinux 9.
Of course I tried to enable
DOCKER = 1
in csf.conf but it doesn't work.
So I use these settings and it works:
nano /etc/docker/daemon.json
Code:
{
"iptables": false
}
nano /etc/csf/csfpost.sh
Code:
#!/bin/bash
PATH=/root/.local/bin:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
# found over ssh with the command: echo $PATH
echo "[DOCKER] Setting up FW rules."
# chain is created for Docker's benefit; the rules below do not reference it
iptables -N DOCKER
# one pass per bridge network (the default "bridge" network and every compose network)
bridges=$(docker network ls -q --filter='Driver=bridge')
for bridge in $bridges; do
    # interface name: the explicit bridge.name option if set (docker0 for the default network),
    # otherwise br-<network id>
    DOCKER_NET_INT=$(docker network inspect -f '{{"'br-$bridge'" | or (index .Options "com.docker.network.bridge.name")}}' $bridge)
    subnet=$(docker network inspect -f '{{(index .IPAM.Config 0).Subnet}}' $bridge)
    # outbound traffic from the containers leaves with the host's address
    iptables -t nat -A POSTROUTING -s $subnet ! -o $DOCKER_NET_INT -j MASQUERADE
    # replies back into the bridge, container to outside, container to container
    iptables -t filter -A FORWARD -o $DOCKER_NET_INT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -t filter -A FORWARD -i $DOCKER_NET_INT ! -o $DOCKER_NET_INT -j ACCEPT
    iptables -t filter -A FORWARD -i $DOCKER_NET_INT -o $DOCKER_NET_INT -j ACCEPT
done
echo "[DOCKER] Done."
Of course every time I run a Docker container I need to restart csf, so I often use
docker compose up -d && csf -ra
So for now it all works OK: port 81 (the Nginx Proxy Manager web GUI) is blocked from the whole internet except for my "whitelist IP",
while ports 80 and 443 are fully open.
The only problem I found is that in the nginx proxy log I read
[25/May/2023:04:52:39 +0000] - 200 200 - GET https xxx.yyy.tld "/dashboard" [Client 172.18.0.1] [Length 906] [Gzip 2.13] [Sent-to docker-name] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0" "-"
so the client is the gateway of the Docker network, 172.18.0.1,
whereas if I enable iptables in Docker and disable the csf firewall I read in the log
[25/May/2023:04:52:39 +0000] - 200 200 - GET https xxx.yyy.tld "/dashboard" [Client 1.2.3.4] [Length 906] [Gzip 2.13] [Sent-to docker-name] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0" "-"
so the client is exactly the public IP of my device...
I think the problem is the FORWARD (or MASQUERADE) rules, but I can't find a solution for this...
Can someone help me?
I tried with
https://github.com/juli3nk/csf-post-doc ... /docker.sh
but afterwards the containers don't work...
Thank you in advance
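Added example, not part of the original post or of csf or Docker. The csfpost.sh above only adds MASQUERADE and FORWARD rules. With "iptables": false, Docker serves published ports through its userland proxy (docker-proxy), which accepts the connection on the host and opens a new one to the container from the bridge gateway address, which is why the container logs 172.18.0.1. In Docker's own iptables mode the published port is instead DNATed in the nat table, so the original source address survives. The script below generates the equivalent DNAT rules from `docker port` output. It assumes "userland-proxy": false has also been set in /etc/docker/daemon.json so docker-proxy does not bind the same ports, handles IPv4 only, uses the container's first network address, and is exercised here with a constructed `docker port` sample rather than a live container; the file name docker-dnat.sh and the addresses are hypothetical.

```shell
#!/bin/bash
# Added example, not the original poster's csfpost.sh.
# Publishes container ports with DNAT (what Docker does in iptables mode) so the
# container sees the real client address instead of docker-proxy's source address.
# Assumes /etc/docker/daemon.json has {"iptables": false, "userland-proxy": false}
# and that this is called from /etc/csf/csfpost.sh after the bridge rules. IPv4 only.

# dnat_rules PROTO HOSTIP HOSTPORT CONTAINER_IP CONTAINER_PORT
# Print the nat and filter rules for one published port.
dnat_rules() {
    local proto=$1 hostip=$2 hostport=$3 cip=$4 cport=$5 dst
    if [ "$hostip" = "0.0.0.0" ]; then
        # bound on all addresses: match only destinations local to this host,
        # otherwise outbound host traffic on that port would be hijacked too
        dst="-m addrtype --dst-type LOCAL "
    else
        dst="-d $hostip "
    fi
    # traffic arriving from outside: rewrite the destination before routing
    printf 'iptables -t nat -A PREROUTING %s-p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$dst" "$proto" "$hostport" "$cip" "$cport"
    # traffic generated on the host itself (curl on the server) uses OUTPUT, not PREROUTING
    printf 'iptables -t nat -A OUTPUT %s-p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$dst" "$proto" "$hostport" "$cip" "$cport"
    # the rewritten packet is forwarded into the bridge: accept it in FORWARD
    printf 'iptables -A FORWARD -d %s -p %s --dport %s -j ACCEPT\n' "$cip" "$proto" "$cport"
}

# emit_rules CONTAINER_IP "output of: docker port CONTAINER"
# docker port prints one line per binding, e.g. "81/tcp -> 0.0.0.0:81" and "81/tcp -> [::]:81".
emit_rules() {
    local cip=$1
    printf '%s\n' "$2" | while read -r spec arrow bind; do
        [ -n "$spec" ] || continue
        case "$bind" in
            \[*) continue ;;   # IPv6 binding: would need ip6tables, skipped here
        esac
        # spec = <container port>/<proto>, bind = <host ip>:<host port>
        dnat_rules "${spec#*/}" "${bind%:*}" "${bind##*:}" "$cip" "${spec%/*}"
    done
}

# Rules for every running container (the address on its first network is used).
all_rules() {
    local c cip
    for c in $(docker ps -q); do
        cip=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}} {{end}}' "$c" | cut -d' ' -f1)
        emit_rules "$cip" "$(docker port "$c")"
    done
}

# ./docker-dnat.sh --print  shows the rules for review;
# csfpost.sh runs:  /etc/csf/docker-dnat.sh --apply   (hypothetical path)
case "${1:-}" in
    --print) all_rules ;;
    --apply) all_rules | sh ;;
esac
```

One caveat that matters for the port 81 restriction: csf's allow/deny lists and TCP_IN apply to the INPUT chain, and the current setup only enforces them because docker-proxy terminates the connection on the host. A DNATed connection never enters INPUT; it is only seen in FORWARD, so the whitelist has to be recreated there, for example `iptables -I FORWARD -d 172.18.0.2 -p tcp --dport 81 ! -s 203.0.113.10 -j DROP` (constructed addresses) inserted before the ACCEPT rules this script prints. Run `--print` first and check the nat table with `iptables -t nat -S` after `csf -ra` to confirm the rules survived the reload.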