Thank you all so much for the info. I'll work on this over the weekend.

On Tue, Aug 22, 2023 at 3:59 PM Daniel Walsh <dwa...@redhat.com> wrote:
> On 8/20/23 10:05, Oleg Cherkasov wrote:
> > On 19.08.2023 16:48, Alex wrote:
> >> Hi,
> >> I'm a long-time Linux sysadmin but haven't done much with docker and
> >> containers or firewalls beyond iptables. I have inherited a fedora38
> >> system where another admin has installed python3-docker, but port
> >> 8080 is now exposed to the Internet.
> >>
> >> I have a basic iptables firewall that I set up some time ago (when
> >> the system was probably fedora35), but iptables also shows some
> >> docker rules:
> >>
> >> # iptables -nvL|grep ^Chain|grep DOCKER
> >> Chain DOCKER (2 references)
> >> Chain DOCKER-ISOLATION-STAGE-1 (1 references)
> >> Chain DOCKER-ISOLATION-STAGE-2 (2 references)
> >>
> >> Where do these chains/policies come from? Is it also an iptables
> >> firewall or is it using ufw?
> >>
> >> Why wouldn't it use firewall-cmd? Isn't that the default desktop
> >> firewall app now for fedora?
> >
> > Docker doesn't play well with ufw or firewalld, in my experience.
> > It customizes rules directly, which makes it difficult to control on
> > publicly reachable networks. The simplest way to do firewall
> > customization is to turn off firewall customization in Docker and
> > do it manually.
> >
> > Firstly, update docker.service to include the following option
> > (--iptables=false):
> >
> > /etc/systemd/system/docker.service.d/override.conf
> > [Service]
> > ExecStart=
> > ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false
> >
> > Restart the Docker service and verify the existence of the Docker zone
> > if using firewalld:
> >
> > docker (active)
> >   target: ACCEPT
> >   icmp-block-inversion: no
> >   interfaces: br-custom1 br-custom2 docker0
> >   sources:
> >   services:
> >   ports:
> >   protocols:
> >   masquerade: no
> >   forward-ports:
> >   source-ports:
> >   icmp-blocks:
> >   rich rules:
> >
> > Add the available docker bridge interfaces (br-custom* and docker0) to
> > the docker zone. Check that the zone target is ACCEPT instead of default.
> >
> > I hope that helps.
> >
>
> You could always switch to using Podman, which will not open the port on
> the host by default.
> _______________________________________________
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
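A small audit script for the situation discussed in the thread (a published container port reachable from the Internet, and dockerd still rewriting iptables). This is an added example, not code from the thread or from Docker; it assumes the docker CLI and the systemd drop-in path Oleg names, and the sample lines are constructed so the parsing functions can be exercised offline.

```sh
#!/bin/sh
# Audit two things the thread turns on:
#  1. which container publications bind to every host interface
#     (0.0.0.0 / [::]) rather than loopback only;
#  2. whether dockerd still manages iptables itself (no --iptables=false
#     in the systemd drop-in), i.e. whether its DOCKER chains bypass
#     the admin's own firewall rules.

# Read `docker ps --format '{{.Names}}\t{{.Ports}}'` lines on stdin and print
# "name<TAB>mapping" for each mapping bound to all interfaces.
# Mappings bound to 127.0.0.1 are not reported.
exposed_publishes() {
    awk -F'\t' '{
        n = split($2, m, ", ")
        for (i = 1; i <= n; i++)
            if (m[i] ~ /^(0\.0\.0\.0|\[::\]):/) print $1 "\t" m[i]
    }'
}

# Return 0 (true) when the drop-in does NOT contain --iptables=false.
# A missing file also counts as "dockerd manages iptables", since that is
# the daemon's default behaviour. Path defaults to the one from the thread.
dockerd_manages_iptables() {
    ! grep -qs -- '--iptables=false' \
        "${1:-/etc/systemd/system/docker.service.d/override.conf}"
}

# Constructed sample: "web" published on every interface (IPv4 and IPv6),
# "db" published on loopback only.
SAMPLE_PS=$(printf 'web\t0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp\ndb\t127.0.0.1:5432->5432/tcp\n')

# Number of all-interface mappings in the sample (expected: 2, both "web").
sample_exposed_count() {
    printf '%s\n' "$SAMPLE_PS" | exposed_publishes | grep -c .
}

# Live audit of the current host; only meaningful where docker is installed.
live_audit() {
    docker ps --format '{{.Names}}\t{{.Ports}}' | exposed_publishes
    if dockerd_manages_iptables; then
        echo "dockerd still manages iptables (no --iptables=false in drop-in)"
    fi
}
```

Run `live_audit` on the host to list every publication that the firewall must actually be blocking; an empty list plus a drop-in containing `--iptables=false` means exposure is now governed only by your own iptables or firewalld rules.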