Well, it would seem to me that's the problem - your VM is in the Docker zone, and the host you want to access is in the Fw zone. Shorewall default policy won't let traffic cross between those two zones, unless you either change the policy, or add some specific rules.

On 2025-03-21 6:42 a.m., Sean Murphy via Shorewall-users wrote:
Thanks for the tip Winston - particularly relating to the deltas; I suspect it's something relating to docker-shorewall interactions, so I'll try to focus on this.

The host is a VM. The zones we have are:
- Docker (for traffic on the docker bridges)
- Fw for the host/VM
- Net for traffic with source/dest outside the machine

I'll have a look into the change detection methods you flagged to see if I can see something there.

BR,
Sean.


__________________________________
Sean Murphy
Senior Platform Engineer
sean.mur...@datahouse.ch
T +41 44  289-84-22
www.datahouse.ch
Linkedin | YouTube
__________________________________


________________________________________
From: Winston Sorfleet <w...@romanus.ca>
Sent: Thursday, March 20, 2025 6:23 PM
To: shorewall-users@lists.sourceforge.net 
<shorewall-users@lists.sourceforge.net>
Subject: Re: [Shorewall-users] Problems accessing host from docker container running on host

Pending my previous question about whether the VM and the host are in
the same zone, you might get some clues from doing

shorewall start; iptables -S > /tmp/shorewall_on

shorewall clear; iptables -S > /tmp/shorewall_clear

diff /tmp/shorewall_on /tmp/shorewall_clear


On 2025-03-20 06:23, Simon Matter wrote:
Thanks Matt.

Yes - if I do a shorewall clear, it's possible to access the host from inside the docker container. The default docker iptables config seems to support this. However, when I enable shorewall (with docker support), it's not possible.

It really seems like some interaction between the docker iptables functionality and the shorewall iptables functionality is causing the problem and more specifically, on the return path from the service running on the host to the docker container.
Maybe you have to configure docker so that it doesn't fiddle with the iptables config?

Simon

It could be something of an edge case as mostly the point of having containers is to have (some) isolation from the host but we think it prob should be possible to eg access stuff from inside the containers which is accessible from anywhere on the internet.

Thanks for any insights.

BR,
Sean.

__________________________________
Sean Murphy
Senior Platform Engineer
sean.mur...@datahouse.ch
T +41 44  289-84-22
www.datahouse.ch
Linkedin | YouTube
__________________________________


________________________________________
From: Matt Darfeuille <m...@shorewall.org>
Sent: Wednesday, March 19, 2025 8:19 PM
To: shorewall-users@lists.sourceforge.net
<shorewall-users@lists.sourceforge.net>
Subject: Re: [Shorewall-users] Problems accessing host from docker container running on host


On 3/19/25 10:49, Sean Murphy via Shorewall-users wrote:
Hi all,

We have been (ab)using shorewall for some years now and we're v happy with it - thanks everyone and Tom in particular for such a great tool.

We have been using it to manage security for a set of VMs running applications with docker-compose. Almost all of our hosts have a single external network interface; this is perhaps not the use case for which shorewall was designed but it has been working for us so far.

We now have a scenario which is proving more difficult: we want to access a service running on a host from within a container.

We have tried the most open configuration possible - a policy with all:all ACCEPT and no rules; it seems the service is accessible from anywhere except inside the docker container.

Accessing the service from inside the container results in timeouts, so presumably the packets are being dropped somewhere. We tried ping, ssh (on standard ports) and an http service running on a high port number.

Zone configuration:
root@dhit-disposable01:/etc/shorewall# cat zones
###############################################################################
#ZONE           TYPE      OPTIONS                 IN                      OUT
#                                                 OPTIONS                 OPTIONS
fw              firewall
net             ipv4
dock            ipv4

Interface configuration:
root@dhit-disposable01:/etc/shorewall# cat interfaces
###############################################################################
?FORMAT 2
###############################################################################
#ZONE   INTERFACE                 OPTIONS
net     eth                       physical=eth+,dhcp,nosmurfs
net     en                        physical=en+,dhcp,nosmurfs
dock    docker0                   physical=docker+,routeback=1
dock    br                        physical=br-+,routeback=1

Policy configuration:
root@dhit-disposable01:/etc/shorewall# cat policy
#SOURCE        DEST        POLICY      LOGLEVEL    LIMIT
all            all         ACCEPT

Rules configuration:
root@dhit-disposable01:/etc/shorewall# cat rules
#ACTION      SOURCE                  DEST       PROTO      DPORT
# No rules

Docker configuration as per shorewall.conf
root@dhit-disposable01:/etc/shorewall# grep -i docker shorewall.conf
# Default shorewall config, except for DOCKER=Yes (and this comment).
DOCKER=Yes
DOCKER_BRIDGE=docker0

I did shorewall compile, safe-reload and then restarted the docker daemon but the packets still seem to be being dropped. I tried iptables-tracer [1] to get some info on where they disappear and it seems packets are being dropped on the return path.
If you do a `shorewall clear`, does it work at all?


Note that the project is unmaintained.

--
Matt Darfeuille <m...@shorewall.org>
Unmaintained project, no more releases or bug fixes
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
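The deltas check Winston describes above, as an added example that is not part of this thread or of Shorewall itself: a POSIX shell function that compares two `iptables -S` snapshots and keeps only the rules Shorewall added on the Docker bridges or in the FORWARD chain, which is where the return-path drops discussed here would show up. The sample snapshots are constructed, and the chain names dock-fw, fw-dock and net-fw are assumed (they follow Shorewall's zone-pair naming, not captured output).

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): a chain-aware
# version of "diff /tmp/shorewall_on /tmp/shorewall_clear".
# rule_delta ON_FILE CLEAR_FILE prints the iptables rules that exist only while
# Shorewall is running and that touch the Docker bridges (docker0, br-*) or the
# FORWARD chain, i.e. the candidates for dropping the container return path.
rule_delta() {
    on="$1"; clear="$2"
    # Compare "-A" lines only; "-P"/"-N" lines describe chains and policies.
    # LC_ALL=C keeps sort and comm in the same collation order.
    grep '^-A' "$on"    | LC_ALL=C sort > "$on.sorted"
    grep '^-A' "$clear" | LC_ALL=C sort > "$clear.sorted"
    LC_ALL=C comm -23 "$on.sorted" "$clear.sorted" \
        | grep -E -- '(-[io] (docker|br-)|^-A FORWARD )' || true
    rm -f "$on.sorted" "$clear.sorted"
}

# Constructed sample snapshots standing in for the two iptables -S captures.
# Chain names follow Shorewall's zone1-zone2 convention but are made up here.
make_samples() {
    dir="$1"
    cat > "$dir/shorewall_clear" <<'EOF'
-P INPUT ACCEPT
-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
EOF
    cat > "$dir/shorewall_on" <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-A INPUT -i docker0 -j dock-fw
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i eth+ -j net-fw
-A OUTPUT -o docker0 -j fw-dock
-A dock-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Stand-alone run: build the samples in a temp dir and print the delta.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_samples "$d"
    rule_delta "$d/shorewall_on" "$d/shorewall_clear"
    rm -rf "$d"
fi
```

On the VM itself, replace the constructed files with the real captures: `rule_delta /tmp/shorewall_on /tmp/shorewall_clear`.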