Cannot block "exposed" ports for incoming connections - CentOS 7/firewalld

Hello, I've set up some web applications which can be reached through an nginx-proxy, and that works fine. Now I want to close all ports except 80 and 443 for incoming requests. But I'm stuck.

I restarted docker after configuring the firewall, as I read in some forums, but it didn't help: the ports were still reachable from outside.

My question is: has anybody successfully configured firewalld on CentOS 7, and how?


My config consists of two zones, public and trusted.

sudo firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources: 
  services: 
  ports: 80/tcp 443/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

firewall-cmd --zone=trusted --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
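A note added to this page, not part of the original post: the public zone above only governs traffic addressed to the host itself (the INPUT chain). When Docker publishes a container port with -p, it adds a DNAT rule to its own DOCKER chain in the nat table and an ACCEPT in the FORWARD path, so the port answers on every host address no matter what the zones say. The script below (example code written for this page, run against a constructed iptables-save dump rather than the poster's host) reads a nat-table dump and lists the published ports that are bound to all addresses, i.e. the ones nmap would find from outside; the container addresses and ports in the sample are made up.

```sh
# Constructed sample of `iptables-save -t nat` on a Docker host (not captured
# from the poster's machine). 8080 and 6379 are published on 0.0.0.0,
# 5432 was published with -p 127.0.0.1:5432:5432 and carries a -d match.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -d 127.0.0.1/32 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.4:6379
COMMIT'

# docker_exposed_ports: read an iptables-save nat dump on stdin and print
# "<host_port> -> <container:port>" for every DNAT rule in Docker's DOCKER
# chain that has no -d restriction, i.e. that answers on every host address.
docker_exposed_ports() {
    awk '
        $1 == "-A" && $2 == "DOCKER" && /-j DNAT/ {
            dst = ""; port = ""; bound = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-d")               bound = 1
                if ($i == "--dport")          port = $(i + 1)
                if ($i == "--to-destination") dst = $(i + 1)
            }
            if (!bound) print port " -> " dst
        }'
}

# Real use (as root):  iptables-save -t nat | docker_exposed_ports
# Demo on the constructed sample: ./check_ports.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NAT_DUMP" | docker_exposed_ports
fi
```

On the sample this prints 8080 and 6379 but not 5432. Anything in that list is reachable from enp2s0 regardless of the public zone, because firewalld's zone rules never see DNATed, forwarded traffic.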

I just use iptables for this kind of thing. This should do the trick when run on the container (assuming the interface is eth0):

# first, drop ALL incoming traffic
iptables -P INPUT DROP

# now, open up 80 and 443
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

Thanks Justin for the answer. I did it like you suggested, but it's still not working.

What I did was put the commands in a script and execute it in a screen session, so as not to break the session after "DROP".

The result is that the other ports were still visible using nmap, and telnet to one of the ports told me "Connected to ".

It seems that the firewall handling of docker and of the iptables command is different.
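Added explanation and example, not the thread participants' code: they are different because traffic to a published port is DNATed to the container's address and then forwarded, so it traverses FORWARD and Docker's DOCKER chain and never INPUT. A default DROP on INPUT cannot affect it, and neither can firewalld's zones. The hook Docker provides for exactly this is the DOCKER-USER chain (Docker 17.06 and later), which is evaluated before Docker's own FORWARD rules and is not rewritten when the daemon restarts. The script below generates rules that let only 80 and 443 in from the external interface and drop every other inbound connection to containers; the interface name enp2s0 is taken from the zone listing in the first post, everything else is an assumption. It prints the commands rather than running them, so they can be reviewed before being piped to a root shell.

```sh
# docker_user_rules EXT_IFACE PORT...
# Print the iptables commands that restrict Docker-forwarded traffic arriving
# on EXT_IFACE to the given TCP ports (plus replies to connections the
# containers opened themselves). Traffic from other interfaces, e.g. docker0,
# is handed back to Docker's own rules unchanged.
docker_user_rules() {
    ext="$1"; shift
    # Start from an empty chain so the script can be re-run safely.
    echo "iptables -F DOCKER-USER"
    # Replies to container-initiated connections come in on the external
    # interface too; let them through before the port filter.
    echo "iptables -A DOCKER-USER -i $ext -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
    for p in "$@"; do
        echo "iptables -A DOCKER-USER -i $ext -p tcp --dport $p -j RETURN"
    done
    # Any other new connection from the outside world to a container is dropped.
    echo "iptables -A DOCKER-USER -i $ext -j DROP"
    # Docker installs a trailing RETURN itself; restore it after the flush so
    # traffic from docker0 and other interfaces still reaches Docker's rules.
    echo "iptables -A DOCKER-USER -j RETURN"
}

# Review:  ./docker-user.sh
# Apply:   ./docker-user.sh | sudo sh
docker_user_rules enp2s0 80 443
```

Two caveats for the setup in this thread. First, the simplest fix needs no firewall rule at all: containers behind nginx-proxy only have to be reachable on the docker network, so drop the -p for the backends, or publish them as -p 127.0.0.1:8080:80 if you need them locally; then nmap from outside only ever sees 80 and 443. Second, on CentOS 7 a firewall-cmd --reload flushes the chains Docker created (which is why the forums say to restart docker afterwards, as the original poster did); after such a restart the DOCKER-USER rules above have to be applied again, or persisted through firewalld's --direct interface (firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER ...) so that firewalld re-creates them itself.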

Are you using the right interface? Can you run the 'drop' command through SSH and see if it disconnects the session? I'd like to confirm iptables is working on your container.

EDIT: Can you show us the output of ‘ifconfig’ as well?