Hi guys, I've got an issue and I'm hoping y'all can help me.
I'm going to put this here from the start.
I don't have long experience with Docker; I had used it a couple of times in projects, but never to the point of becoming fully aware of the more advanced ways of setting Docker up, and I have also gotten used to the laziness of firewalld.
So for a project I was testing a model where I have a server that solely runs Docker containers; it's a CentOS 7 minimal setup, updated, with Docker installed via script.
I launched a db container and opened the ports through firewalld as customary. I created a zone and inserted the rules there, in this case:
firewall-cmd --permanent --new-zone=test-from-home && firewall-cmd --reload
firewall-cmd --permanent --zone=test-from-home --add-service=mysql
firewall-cmd --permanent --zone=test-from-home --add-source=XX.XX.XX.XX/32
firewall-cmd --reload
And I was able to connect. Nothing new here; the issue arises when I realize I can connect from anywhere.
So this is what firewalld looks like:
[root@nd01 latest]# firewall-cmd --get-active-zones
test-from-home
sources: XX.XX.XX.XX/32
public
interfaces: eth0
firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
firewall-cmd --zone=test-from-home --list-all
test-from-home (active)
target: default
icmp-block-inversion: no
interfaces:
sources: XX.XX.XX.XX/32
services: mysql
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
So, OK, I came across the fact that Docker doesn't use firewalld and instead uses its own iptables implementation:
Docker :: iptables
So I added a rule to DOCKER-USER:
iptables -I DOCKER-USER -i eth0 ! -s XX.XX.XX.XX -j DROP
… and I’m still able to connect.
So I removed this rule and added another.
iptables -I INPUT 3 ! -s XX.XX.XX.XX/32 -j REJECT
and the INPUT chain looks like:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT all -- anywhere anywhere
3 REJECT all -- !XX.XX.XX.XX anywhere reject-with icmp-port-unreachable
4 INPUT_direct all -- anywhere anywhere
5 INPUT_ZONES_SOURCE all -- anywhere anywhere
6 INPUT_ZONES all -- anywhere anywhere
7 DROP all -- anywhere anywhere ctstate INVALID
8 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
and here is the output of iptables -L --line-numbers:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT all -- anywhere anywhere
3 REJECT all -- !XX.XX.XX.XX anywhere reject-with icmp-port-unreachable
4 INPUT_direct all -- anywhere anywhere
5 INPUT_ZONES_SOURCE all -- anywhere anywhere
6 INPUT_ZONES all -- anywhere anywhere
7 DROP all -- anywhere anywhere ctstate INVALID
8 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy DROP)
num target prot opt source destination
1 DOCKER-USER all -- anywhere anywhere
2 DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
4 DOCKER all -- anywhere anywhere
5 ACCEPT all -- anywhere anywhere
6 ACCEPT all -- anywhere anywhere
7 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
8 ACCEPT all -- anywhere anywhere
9 FORWARD_direct all -- anywhere anywhere
10 FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
11 FORWARD_IN_ZONES all -- anywhere anywhere
12 FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
13 FORWARD_OUT_ZONES all -- anywhere anywhere
14 DROP all -- anywhere anywhere ctstate INVALID
15 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 OUTPUT_direct all -- anywhere anywhere
Chain DOCKER (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:mysql
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num target prot opt source destination
1 DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
2 RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere
2 RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
num target prot opt source destination
1 DROP all -- !a95-93-31-116.cpe.netcabo.pt anywhere
2 RETURN all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
num target prot opt source destination
1 FWDI_public all -- anywhere anywhere [goto]
2 FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
num target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
num target prot opt source destination
1 FWDO_public all -- anywhere anywhere [goto]
2 FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
num target prot opt source destination
Chain FORWARD_direct (1 references)
num target prot opt source destination
Chain FWDI_public (2 references)
num target prot opt source destination
1 FWDI_public_log all -- anywhere anywhere
2 FWDI_public_deny all -- anywhere anywhere
3 FWDI_public_allow all -- anywhere anywhere
4 ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
num target prot opt source destination
Chain FWDI_public_deny (1 references)
num target prot opt source destination
Chain FWDI_public_log (1 references)
num target prot opt source destination
Chain FWDO_public (2 references)
num target prot opt source destination
1 FWDO_public_log all -- anywhere anywhere
2 FWDO_public_deny all -- anywhere anywhere
3 FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
num target prot opt source destination
Chain FWDO_public_deny (1 references)
num target prot opt source destination
Chain FWDO_public_log (1 references)
num target prot opt source destination
Chain INPUT_ZONES (1 references)
num target prot opt source destination
1 IN_public all -- anywhere anywhere [goto]
2 IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
num target prot opt source destination
Chain INPUT_direct (1 references)
num target prot opt source destination
Chain IN_public (2 references)
num target prot opt source destination
1 IN_public_log all -- anywhere anywhere
2 IN_public_deny all -- anywhere anywhere
3 IN_public_allow all -- anywhere anywhere
4 ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
Chain IN_public_deny (1 references)
num target prot opt source destination
Chain IN_public_log (1 references)
num target prot opt source destination
Chain OUTPUT_direct (1 references)
num target prot opt source destination
Thank you
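Added example (not part of the original post, and not Docker's or firewalld's own code): a small audit script that parses the `iptables -L --line-numbers` listing format shown above and checks, for every port Docker has published (the ACCEPT rules in the DOCKER chain), whether the DOCKER-USER chain restricts the source address before its RETURN rule and whether FORWARD enters DOCKER-USER first. The two listings embedded in it are constructed excerpts modelled on the post's output; the address 203.0.113.10 is a placeholder standing in for the author's XX.XX.XX.XX.

```python
"""Audit an `iptables -L --line-numbers` listing for published Docker ports.

Added example, not part of the original forum post. It parses the filter-table
listing format shown in the post and reports published container ports that
no DOCKER-USER rule restricts. The sample listings are constructed excerpts;
203.0.113.10 is a placeholder for the allowlisted client address.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    num: int
    target: str
    prot: str
    source: str
    dest: str
    extra: str  # text after the destination column: ctstate, dpt:, reject-with, ...


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # built-in chains carry a policy, user chains do not
    rules: list[Rule] = field(default_factory=list)


# "Chain INPUT (policy ACCEPT)" or "Chain DOCKER (1 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$")


def parse_listing(text: str) -> dict[str, Chain]:
    """Parse `iptables -L --line-numbers` output (no -v, so no interface columns)."""
    chains: dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if current is None or line.startswith("num "):
            continue  # column header line
        parts = line.split(None, 6)  # num target prot opt source destination [extra]
        if len(parts) < 6:
            continue
        num, target, prot, _opt, src, dst = parts[:6]
        extra = parts[6] if len(parts) > 6 else ""
        current.rules.append(Rule(int(num), target, prot, src, dst, extra))
    return chains


def published_ports(chains: dict[str, Chain]) -> list[tuple[str, str, str]]:
    """ACCEPT rules in the DOCKER chain correspond to ports published with -p."""
    docker = chains.get("DOCKER")
    if docker is None:
        return []
    found = []
    for r in docker.rules:
        if r.target == "ACCEPT":
            m = re.search(r"dpt:(\S+)", r.extra)
            found.append((r.dest, r.prot, m.group(1) if m else "any"))
    return found


def docker_user_restricts_source(chains: dict[str, Chain]) -> bool:
    """True if DOCKER-USER DROPs/REJECTs non-allowlisted sources before RETURN."""
    du = chains.get("DOCKER-USER")
    if du is None:
        return False
    for r in du.rules:
        if r.target == "RETURN":
            return False  # reached the default RETURN without any restriction
        if r.target in ("DROP", "REJECT") and r.source.startswith("!"):
            return True
    return False


def forward_enters_docker_user_first(chains: dict[str, Chain]) -> bool:
    """Docker relies on DOCKER-USER being the first rule FORWARD jumps to."""
    fwd = chains.get("FORWARD")
    return bool(fwd and fwd.rules and fwd.rules[0].target == "DOCKER-USER")


def audit(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    chains = parse_listing(text)
    findings: list[str] = []
    ports = published_ports(chains)
    if not ports:
        return findings
    if not forward_enters_docker_user_first(chains):
        findings.append("FORWARD does not jump to DOCKER-USER first")
    if not docker_user_restricts_source(chains):
        for dest, prot, port in ports:
            findings.append(f"published {prot}/{port} -> {dest} has no source "
                            f"restriction in DOCKER-USER")
    return findings


# Constructed listing: Docker's default DOCKER-USER chain (only RETURN).
UNRESTRICTED = """\
Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DOCKER-USER  all  --  anywhere             anywhere
2    DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
4    DOCKER     all  --  anywhere             anywhere
Chain DOCKER (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:mysql
Chain DOCKER-USER (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere
"""

# Constructed listing: the same, after inserting a source allowlist in DOCKER-USER.
RESTRICTED = UNRESTRICTED.replace(
    "1    RETURN     all  --  anywhere             anywhere\n",
    "1    DROP       all  --  !203.0.113.10        anywhere\n"
    "2    RETURN     all  --  anywhere             anywhere\n",
)

if __name__ == "__main__":
    for label, listing in (("default", UNRESTRICTED), ("allowlisted", RESTRICTED)):
        print(label, audit(listing) or ["ok"])
```

Two caveats the listing format itself imposes: `iptables -L` without `-v` omits the in/out interface columns, so the `-i eth0` match in the post's DOCKER-USER rule is invisible in the output above and cannot be verified from it, and without `-n` addresses are resolved to hostnames (which is why that rule shows a netcabo.pt name instead of the address). Use `iptables -L DOCKER-USER -v -n --line-numbers` when checking such a rule. Also note that traffic to a published container port is DNAT'd to the container address and then traverses FORWARD, not INPUT, so a REJECT placed in INPUT is not consulted for those connections.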