Hi guys I got an issue hoping y’all can help me
I’m going to put this here from the start.
I don’t have a long experience with Docker, I had used it a couple of times in projects but never to the point of becoming fully aware of more advanced implementations of docker, and also I have gotten used to the laziness of firewalld.
So for a project I was testing a model where I have a server that solely runs docker containers, it’s a CentOS7 minimal setup, updated, and with docker installed via script.
I launched a db container and opened the ports through firewalld as customary. I created a zone and inserted the rules there, in the case:
firewall-cmd --permanent --new-zone=test-from-home && firewall-cmd --reload
firewall-cmd --permanent --zone=test-from-home --add-service=mysql
firewall-cmd --permanent --zone=test-from-home --add-source=XX.XX.XX.XX/32
firewall-cmd --reload
And I was able to connect. Nothing new here, the issue arises when I realize I can connect from anywhere.
So this is how firewalld is looking like:
[root@nd01 latest]# firewall-cmd --get-active-zones
test-from-home
sources: XX.XX.XX.XX/32
public
interfaces: eth0
firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
firewall-cmd --zone=test-from-home --list-all
test-from-home (active)
target: default
icmp-block-inversion: no
interfaces:
sources: XX.XX.XX.XX/32
services: mysql
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
So ok I came across that docker doesn’t do firewalld, instead uses it’s own iptables implementation:
Docker :: iptables
So I added a rule to DOCKER-USER:
iptables -I DOCKER-USER -i eth0 ! -s XX.XX.XX.XX -j DROP
… and I’m still able to connect.
So I removed this rule and added another.
iptables -I INPUT 3 ! -s XX.XX.XX.XX/32 -j REJECT
and the INPUT chain looks like:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT all -- anywhere anywhere
3 REJECT all -- !XX.XX.XX.XX anywhere reject-with icmp-port-unreachable
4 INPUT_direct all -- anywhere anywhere
5 INPUT_ZONES_SOURCE all -- anywhere anywhere
6 INPUT_ZONES all -- anywhere anywhere
7 DROP all -- anywhere anywhere ctstate INVALID
8 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
and here is the output of iptables -L --list-number:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT all -- anywhere anywhere
3 REJECT all -- !XX.XX.XX.XX anywhere reject-with icmp-port-unreachable
4 INPUT_direct all -- anywhere anywhere
5 INPUT_ZONES_SOURCE all -- anywhere anywhere
6 INPUT_ZONES all -- anywhere anywhere
7 DROP all -- anywhere anywhere ctstate INVALID
8 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy DROP)
num target prot opt source destination
1 DOCKER-USER all -- anywhere anywhere
2 DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
4 DOCKER all -- anywhere anywhere
5 ACCEPT all -- anywhere anywhere
6 ACCEPT all -- anywhere anywhere
7 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
8 ACCEPT all -- anywhere anywhere
9 FORWARD_direct all -- anywhere anywhere
10 FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
11 FORWARD_IN_ZONES all -- anywhere anywhere
12 FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
13 FORWARD_OUT_ZONES all -- anywhere anywhere
14 DROP all -- anywhere anywhere ctstate INVALID
15 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 OUTPUT_direct all -- anywhere anywhere
Chain DOCKER (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:mysql
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num target prot opt source destination
1 DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
2 RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere
2 RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
num target prot opt source destination
1 DROP all -- !a95-93-31-116.cpe.netcabo.pt anywhere
2 RETURN all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
num target prot opt source destination
1 FWDI_public all -- anywhere anywhere [goto]
2 FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
num target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
num target prot opt source destination
1 FWDO_public all -- anywhere anywhere [goto]
2 FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
num target prot opt source destination
Chain FORWARD_direct (1 references)
num target prot opt source destination
Chain FWDI_public (2 references)
num target prot opt source destination
1 FWDI_public_log all -- anywhere anywhere
2 FWDI_public_deny all -- anywhere anywhere
3 FWDI_public_allow all -- anywhere anywhere
4 ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
num target prot opt source destination
Chain FWDI_public_deny (1 references)
num target prot opt source destination
Chain FWDI_public_log (1 references)
num target prot opt source destination
Chain FWDO_public (2 references)
num target prot opt source destination
1 FWDO_public_log all -- anywhere anywhere
2 FWDO_public_deny all -- anywhere anywhere
3 FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
num target prot opt source destination
Chain FWDO_public_deny (1 references)
num target prot opt source destination
Chain FWDO_public_log (1 references)
num target prot opt source destination
Chain INPUT_ZONES (1 references)
num target prot opt source destination
1 IN_public all -- anywhere anywhere [goto]
2 IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
num target prot opt source destination
Chain INPUT_direct (1 references)
num target prot opt source destination
Chain IN_public (2 references)
num target prot opt source destination
1 IN_public_log all -- anywhere anywhere
2 IN_public_deny all -- anywhere anywhere
3 IN_public_allow all -- anywhere anywhere
4 ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
Chain IN_public_deny (1 references)
num target prot opt source destination
Chain IN_public_log (1 references)
num target prot opt source destination
Chain OUTPUT_direct (1 references)
num target prot opt source destination
Thank you