Re: docker firewall?

Tue, 22 Aug 2023 12:58:57 -0700 

On 8/20/23 10:05, Oleg Cherkasov wrote:

On 19.08.2023 16:48, Alex wrote:

Hi,
I'm a long-time Linux sysadmin but haven't done much with docker and containers or firewalls beyond iptables. I have inherited a fedora38 system where another admin has installed python3-docker, but port 8080 is now exposed to the Internet. 


I have a basic iptables firewall that I set up some time ago (when 
the system was probably fedora35), but iptables also shows some 
docker rules:


# iptables -nvL|grep ^Chain|grep DOCKER
Chain DOCKER (2 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
Chain DOCKER-ISOLATION-STAGE-2 (2 references)


Where do these chains/policies come from? Is it also an iptables 
firewall or is it using ufw?



Why wouldn't it use firewall-cmd? Isn't that the default desktop 
firewall app now for fedora?



The docker doesn't play well with ufw or firewalld, in my experience. 
It customizes rules directly, which makes it difficult to control with 
publicly available networks.  The simplest way to do firewall 
customization is to turn off firewall customization in the docker and 
do it manually.



Firstly, update docker.service to include the following option 
(--iptables=false):


/etc/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=

ExecStart=/usr/bin/dockerd -H fd:// 
--containerd=/run/containerd/containerd.sock

 --iptables=false


Restart the Docker service and verify the existence of the Docker zone 
if using firewalld:


docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-custom1 br-custom2 docker0
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


Add the available docker bridge interfaces (br-custom* and docker0) to 
the docker zone.  Check if the target zone is ACCEPT instead of default.


I hope that helps.



You could always switch to using Podman, which will not open the port on 
the host by default.

_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue






















					Reply via email to