I’m running a VM which exposes a couple of host-level services like sshd and rsyncd.
Also, I run a docker-compose project running an nginx reverse proxy for a bunch of other containers in the same project.
I’m having problems figuring out iptables rules for Docker, where I run an nginx reverse proxy container which is exposed on ports 80 and 443.
When I try removing the iptables rules that allow traffic to these ports, it’s like I did nothing and I’m still able to access the web server. I wonder why that is?
Perhaps it’s something in my rules or Docker itself that borks the firewall, and if possible, I’d like some help with this, as nothing I’ve read or tried has yielded results.
Currently, I use these rules:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
# Accept related and established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow localhost and WireGuard interface
-A INPUT -i lo -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
# Drop invalid packets first
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# Allow host services
-A INPUT -p tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT
-A INPUT -p tcp --dport 873 -m comment --comment "Allow rsyncd" -j ACCEPT
-A INPUT -p udp --dport 51820 -m comment --comment "Allow WireGuard" -j ACCEPT
# Log unmatched packets
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "BLOCKED: "
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i br-+ -o ens3 -j ACCEPT
# Allow explicitly permitted container services
-A DOCKER-USER -p tcp --dport 80 -m comment --comment "Allow HTTP" -j ACCEPT
-A DOCKER-USER -p tcp --dport 443 -m comment --comment "Allow HTTPS" -j ACCEPT
-A DOCKER-USER -p tcp --dport 24456 -m comment --comment "Allow Peers TCP" -j ACCEPT
-A DOCKER-USER -p udp --dport 24456 -m comment --comment "Allow Peers UDP" -j ACCEPT
-A DOCKER-USER -p tcp --dport 50300 -m comment --comment "Allow Slskd TCP" -j ACCEPT
-A DOCKER-USER -p udp --dport 50300 -m comment --comment "Allow Slskd UDP" -j ACCEPT
-A DOCKER-USER -p tcp --dport 2022 -m comment --comment "Allow SFTPGo SFTP" -j ACCEPT
# Default deny
-A DOCKER-USER -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o ens3 -j MASQUERADE
COMMIT
Is there anything wrong with any of this that could help with blocking access to the web server?
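Two facts about how Docker wires itself into iptables decide whether rules like the ones above can have any effect, and both can be checked from an `iptables-save` dump. First, DOCKER-USER is only consulted because Docker inserts `-A FORWARD -j DOCKER-USER` as the first FORWARD rule; the ruleset above declares the chain but contains no such jump, and loading that file with `iptables-restore` (without `--noflush`) replaces the whole filter and nat tables, which removes the jump and Docker's own chains. Second, Docker publishes a port with a DNAT rule in the nat `DOCKER` chain, and DNAT happens before the filter FORWARD chain, so a `--dport` match in DOCKER-USER sees the container-side port, not the published host port. The script below is an added example, not part of the original post: it runs these checks offline over a constructed `iptables-save` dump (the chain layout and DNAT line format are Docker's real ones, the bridge name and container addresses are made up) and reports, for a published host port, which port a DOCKER-USER rule must actually match.

```shell
#!/bin/sh
# Added example: offline checks over an iptables-save dump.
# Constructed sample: Docker host where one container publishes 80:80 and a
# second publishes host port 8080 -> container port 80. The operator has added
# a single DOCKER-USER rule for port 80.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
:DOCKER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER
-A DOCKER-USER -p tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i br-1234abcd -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.2:80
-A DOCKER ! -i br-1234abcd -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.3:80
COMMIT'

# Constructed sample of a filter table loaded from a hand-written file: the
# DOCKER-USER chain exists but nothing jumps to it, so its rules never run.
NO_JUMP_DUMP='*filter
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j DROP
COMMIT'

# 1. Is DOCKER-USER reachable at all? Docker adds this jump itself.
#    Usage: has_docker_user_jump "$dump"   (exit 0 = jump present)
has_docker_user_jump() {
    printf '%s\n' "$1" | grep -q -- '^-A FORWARD -j DOCKER-USER$'
}

# 2. What does a published TCP host port become after DNAT?
#    Prints addr:port from the nat DOCKER chain, nothing if the port is not published.
dnat_target() {
    printf '%s\n' "$1" | sed -n "s/^-A DOCKER .*-p tcp .*--dport $2 .*--to-destination \([^ ]*\).*/\1/p"
}

# 3. Does DOCKER-USER carry a --dport rule for a given (post-DNAT) port?
docker_user_matches_port() {
    printf '%s\n' "$1" | grep -q -- "^-A DOCKER-USER .*--dport $2 "
}

# For a published host port, resolve the container-side port and report whether
# DOCKER-USER matches it. Exit codes: 0 matched, 1 no matching rule, 2 not published.
check_published_port() {
    dump=$1; hostport=$2
    target=$(dnat_target "$dump" "$hostport")
    if [ -z "$target" ]; then
        echo "host port $hostport: no DNAT rule (not published, or the nat table was replaced)"
        return 2
    fi
    cport=${target##*:}
    if docker_user_matches_port "$dump" "$cport"; then
        echo "host port $hostport -> $target: DOCKER-USER rule for --dport $cport applies"
        return 0
    fi
    echo "host port $hostport -> $target: no DOCKER-USER rule for --dport $cport (a --dport $hostport rule would not match after DNAT)"
    return 1
}

# Stand-alone demo over the constructed dumps.
if has_docker_user_jump "$SAMPLE_DUMP"; then echo "sample: FORWARD jumps to DOCKER-USER"; fi
if ! has_docker_user_jump "$NO_JUMP_DUMP"; then echo "no-jump sample: DOCKER-USER is never consulted"; fi
for p in 80 8080 443; do
    check_published_port "$SAMPLE_DUMP" "$p" || true
done
```

On a live host, pass the real dump instead of the sample, e.g. `check_published_port "$(iptables-save)" 80`. The sample also shows the translation gotcha: the single `--dport 80` rule in DOCKER-USER admits both published ports, because after DNAT both connections are headed for container port 80 (Docker's documentation recommends `-m conntrack --ctorigdstport` to match the original host port instead). Run the same checks against `ip6tables-save` output as well, and, on a host that has both backends installed, against `iptables-legacy-save`: rules loaded into one backend are invisible to the other, and a chain Docker fills in one backend is not the chain you edit in the other.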