Thanks Simon - good point.

Right now, we're allowing docker to manage some iptables stuff to support isolation between different docker compose instances which could be running on the same host. We might need to modify that.

BR,
Sean.


__________________________________

Sean Murphy
Senior Platform Engineer

sean.mur...@datahouse.ch
T +41 44  289-84-22
www.datahouse.ch
Linkedin<https://www.linkedin.com/company/wuestpartner/posts/?feedView=all&viewAsMember=true> | YouTube<https://www.youtube.com/channel/UC4Esiu5N_zg2JRERufw5HvA>
__________________________________
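As an added example (not Shorewall's own code), a small consistency check over the zones, interfaces and shorewall.conf fragments quoted further down in this thread: it confirms every interface's zone is defined, that Docker bridge entries carry routeback, and that the bridge named by DOCKER_BRIDGE has an interfaces entry. The three input strings are constructed copies of the posted fragments.

```python
# Added example, not Shorewall's own code: lint the zones / interfaces /
# shorewall.conf fragments from this thread (constructed copies below).
ZONES = "#ZONE TYPE\nfw firewall\nnet ipv4\ndock ipv4\n"
INTERFACES = """?FORMAT 2
net     eth         physical=eth+,dhcp,nosmurfs
net     en          physical=en+,dhcp,nosmurfs
dock    docker0     physical=docker+,routeback=1
dock    br          physical=br-+,routeback=1
"""
SHOREWALL_CONF = "DOCKER=Yes\nDOCKER_BRIDGE=docker0\n"

def _records(text):
    """Fields of each line that is not blank, a comment or a ?directive."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("?"):
            yield line.split()

def parse_interfaces(text):
    """Map logical interface name -> (zone, {option: value})."""
    result = {}
    for fields in _records(text):
        opts = {}
        for opt in (fields[2] if len(fields) > 2 else "").split(","):
            key, _, value = opt.partition("=")
            if key:
                opts[key] = value or "1"  # bare flags such as 'dhcp'
        result[fields[1]] = (fields[0], opts)
    return result

def lint(zones_text, interfaces_text, conf_text):
    """Return findings; an empty list means the three files agree."""
    zones = {f[0] for f in _records(zones_text)}
    ifaces = parse_interfaces(interfaces_text)
    conf = dict(l.split("=", 1) for l in conf_text.splitlines() if "=" in l)
    findings = []
    for name, (zone, opts) in ifaces.items():
        physical = opts.get("physical", name)
        if zone not in zones:
            findings.append(f"{name}: zone {zone!r} is not defined in zones")
        # Bridge traffic leaves by the interface it arrived on; Shorewall only
        # permits that when routeback is set on the entry.
        if physical.startswith(("docker", "br-")) and "routeback" not in opts:
            findings.append(f"{name}: Docker bridge without routeback")
    if conf.get("DOCKER") == "Yes":
        bridge = conf.get("DOCKER_BRIDGE", "docker0")
        names = list(ifaces) + [o.get("physical", n) for n, (_, o) in ifaces.items()]
        if not any(n == bridge or (n.endswith("+") and bridge.startswith(n[:-1]))
                   for n in names):
            findings.append(f"DOCKER_BRIDGE={bridge} has no interfaces entry")
    return findings
```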

________________________________
From: Simon Matter <simon.mat...@invoca.ch>
Sent: Thursday, March 20, 2025 11:23 AM
To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Cc: Sean Murphy <sean.mur...@datahouse.ch>
Subject: Re: [Shorewall-users] Problems accessing host from docker container running on host


> Thanks Matt.
>
> Yes - if I do a shorewall clear, it's possible to access the host from
> inside the docker container. The default docker iptables config seems to
> support this. However, when I enable shorewall (with docker support), it's
> not possible.
>
> It really seems like some interaction between the docker iptables
> functionality and the shorewall iptables functionality is causing the
> problem and more specifically, on the return path from the service running
> on the host to the docker container.

Maybe you have to configure docker so that it doesn't fiddle with the
iptables config?

Simon

>
> It could be something of an edge case as mostly the point of having
> containers is to have (some) isolation from the host but we think it prob
> should be possible to e.g. access stuff from inside the containers which is
> accessible from anywhere on the internet.
>
> Thanks for any insights.
>
> BR,
> Sean.
>
> __________________________________
> Sean Murphy
> Senior Platform Engineer
> sean.mur...@datahouse.ch
> T +41 44  289-84-22
> www.datahouse.ch<http://www.datahouse.ch>
> Linkedin | YouTube
> __________________________________
>
>
> ________________________________________
> From: Matt Darfeuille <m...@shorewall.org>
> Sent: Wednesday, March 19, 2025 8:19 PM
> To: shorewall-users@lists.sourceforge.net
> <shorewall-users@lists.sourceforge.net>
> Subject: Re: [Shorewall-users] Problems accessing host from docker container running on host
>
>
> On 3/19/25 10:49, Sean Murphy via Shorewall-users wrote:
>> Hi all,
>>
>> We have been (ab)using shorewall for some years now and we're v happy
>> with it - thanks everyone and Tom in particular for such a great tool.
>>
>> We have been using it to manage security for a set of VMs running
>> applications with docker-compose. Almost all of our hosts have a single
>> external network interface; this is perhaps not the use case for which
>> shorewall was designed but it has been working for us so far.
>>
>> We now have a scenario which is proving more difficult: we want to
>> access a service running on a host from within a container.
>>
>> We have tried the most open configuration possible - a policy with
>> all:all ACCEPT and no rules; it seems the service is accessible from
>> anywhere except inside the docker container.
>>
>> Accessing the service from inside the container results in timeouts, so
>> presumably the packets are being dropped somewhere. We tried ping, ssh
>> (on standard ports) and an http service running on a high port number.
>>
>> Zone configuration:
>> root@dhit-disposable01:/etc/shorewall# cat zones
>> ###############################################################################
>> #ZONE           TYPE      OPTIONS                 IN                      OUT
>> #                                                 OPTIONS                 OPTIONS
>> fw              firewall
>> net             ipv4
>> dock            ipv4
>>
>> Interface configuration:
>> root@dhit-disposable01:/etc/shorewall# cat interfaces
>> ###############################################################################
>> ?FORMAT 2
>> ###############################################################################
>> #ZONE   INTERFACE                 OPTIONS
>> net     eth                       physical=eth+,dhcp,nosmurfs
>> net     en                        physical=en+,dhcp,nosmurfs
>> dock    docker0                   physical=docker+,routeback=1
>> dock    br                        physical=br-+,routeback=1
>>
>> Policy configuration:
>> root@dhit-disposable01:/etc/shorewall# cat policy
>> #SOURCE        DEST        POLICY      LOGLEVEL    LIMIT
>> all            all         ACCEPT
>>
>> Rules configuration:
>> root@dhit-disposable01:/etc/shorewall# cat rules
>> #ACTION      SOURCE                  DEST       PROTO      DPORT
>> # No rules
>>
>> Docker configuration as per shorewall.conf
>> root@dhit-disposable01:/etc/shorewall# grep -i docker shorewall.conf
>> # Default shorewall config, except for DOCKER=Yes (and this comment).
>> DOCKER=Yes
>> DOCKER_BRIDGE=docker0
>>
>> I did shorewall compile, safe-reload and then restarted the docker
>> daemon but the packets still seem to be being dropped. I tried
>> iptables-tracer [1] to get some info on where they disappear and it
>> seems packets are being dropped on the return path.
>
> If you do a `shorewall clear`, does it work at all?
>
>
> Note that the project is unmaintained.
>
> --
> Matt Darfeuille <m...@shorewall.org>
> Unmaintained project, no more releases or bug fixes
> Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

