Hi all!
My issue is that `docker stack deploy -c compose.yml site` still writes to iptables, even though I have `{iptables: false}` in my daemon.json file.
Does anyone know how to block `docker stack deploy` from writing my iptables to listen on public ports? Or am I missing something obvious?
I’m using nginx as a reverse proxy to forward all my docker services to my domain. However, the ports are still opened by docker.
When I run a container using something like `docker run -d site -p 5000:3000`, 5000 is unavailable to the public. However, with `docker stack ...` it is available.
I have a docker stack with a compose file like this:

```yaml
version: "3"
services:
  site:
    image: repo/site
    deploy:
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 5
        window: 120s
    ports:
      - 5000:3000
```
I’ve allowed my containers to access the internet by manually adding the following. The second one is for gwbridge, which I believe needs access for swarms to connect to the internet.

```
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
COMMIT
```

```
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -o docker_gwbridge -s 172.19.0.0/16 -j MASQUERADE
COMMIT
```
My `ufw status verbose`:

```
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
443/tcp (Nginx HTTPS)      ALLOW IN    Anywhere
80/tcp (Nginx HTTP)        ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
443/tcp (Nginx HTTPS (v6)) ALLOW IN    Anywhere (v6)
80/tcp (Nginx HTTP (v6))   ALLOW IN    Anywhere (v6)
```
and my `iptables -L | grep -A 5 -B 2 -i docker`:

```
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-INGRESS  all  --  anywhere             anywhere
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
--
ufw-track-output  all  --  anywhere             anywhere

Chain DOCKER-INGRESS (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5000
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED tcp spt:5000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:50000
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED tcp spt:50000
--
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination
```
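An added audit script, not part of the original post, that reads the DOCKER-INGRESS chain output shown above and reports the ports the swarm ingress accepts that the ufw policy does not cover. The sample input is constructed from the post's `iptables -L` output, and the allow list 22/80/443 is taken from the `ufw status` listing; `ingress_ports`, `unexpected_ports` and `audit_ingress` are names chosen here.

```shell
#!/bin/sh
# Audit which TCP ports the DOCKER-INGRESS chain ACCEPTs that are not on the
# host firewall allow list. Sample input constructed from the post's
# `iptables -L` output; on a real node feed `iptables -L DOCKER-INGRESS -n`.
SAMPLE_INGRESS='Chain DOCKER-INGRESS (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5000
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED tcp spt:5000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:50000
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED tcp spt:50000
RETURN     all  --  anywhere             anywhere'

# Ports the ufw policy in the post deliberately allows inbound.
ALLOWED_PORTS="22 80 443"

# ingress_ports: destination ports that ACCEPT rules in the chain match,
# one per line, sorted and de-duplicated (spt: lines are the return path).
ingress_ports() {
  printf '%s\n' "$1" | awk '$1=="ACCEPT" && /dpt:/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
  }' | sort -n | uniq
}

# unexpected_ports: ingress ports absent from the allow list, space-separated.
unexpected_ports() {
  out=""
  for p in $(ingress_ports "$1"); do
    case " $2 " in
      *" $p "*) ;;
      *) out="$out $p" ;;
    esac
  done
  printf '%s' "${out# }"
}

# audit_ingress: print a report; exit status 1 when the swarm has published
# something the firewall policy does not list, so it can gate a CI/cron job.
audit_ingress() {
  unexpected=$(unexpected_ports "$1" "$2")
  if [ -n "$unexpected" ]; then
    echo "swarm ingress accepts ports not in firewall allow list: $unexpected"
    return 1
  fi
  echo "all ingress ports are covered by the firewall allow list"
  return 0
}

# Demo run over the constructed sample (reports 5000 and 50000).
audit_ingress "$SAMPLE_INGRESS" "$ALLOWED_PORTS" || echo "audit failed"
```

Port 50000 here is the container's published port 5000 plus the ingress chain's own entry for the second service the post does not show; the script treats both the same way, as anything reachable through the ingress chain that the firewall policy never granted.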