Which iptables Chain for blocking incoming traffic from Host network

Hi there,
My (home) server is running OpenMediaVault 7.7.1-3 (Sandworm) as its host OS. I have several dockers running; one of them is an nginxpm docker. The host machine is on IP 10.5.1.240. I put the web interface for the proxy manager on port 8803. This works as expected and I can reach it.

I would now like to create a firewall rule that DROPs all access (0.0.0.0/0) to port 8803. Next to that I want to add a rule to only ALLOW access to port 8803 when the request is coming from 10.5.1.2 (my local administrator PC).

I set up similar rules for SSH in the OMV firewall and this works flawlessly. For Docker containers, however, it seems like the rules stored in the iptables firewall are skipped/circumvented because Docker also runs a few iptables chains in parallel (DOCKER, DOCKER-USER, etc.).

Now I am using a custom-created bridge network inside my Docker to make it easier for all the running dockers to refer/talk to each other.
But in my case I would really like my default firewall in OMV (INPUT chain) to handle all incoming connections first. In short, I like the idea of having 1/2 web interfaces from which I can manage everything remotely rather than reverting back to the terminal. And so far this seems to be the only situation where I am unable to do so.

Currently I have tried setting up iptables rules in both the DOCKER-USER and NAT PREROUTING chains and still the requests are coming through. I can access the nginxpm docker interface on address 10.5.1.240:8803 from both my own machine (10.5.1.2) and any other machine in my network (e.g. 10.5.1.6). But I only want to be able to reach it from 10.5.1.2.

These are the current iptables rules I have set up:

Chain DOCKER-USER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  10.5.1.2             anywhere             tcp dpts:8800:8899
DROP       tcp  --  anywhere             anywhere             tcp dpts:8800:8899
RETURN     all  --  anywhere             anywhere

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     6    --  10.5.1.2             0.0.0.0/0            tcp dpts:8800:8899
DROP       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpts:8800:8899

Does anyone have an idea how I could solve this? Or could I solve it with an approach that is better practice?

Hello,
You can solve this with these steps:

  1. Ensure DOCKER-USER Chain Is Set Up Correctly
    The DOCKER-USER chain is where you can add custom rules that will apply to Docker containers. You’ve already added a rule to restrict access to port 8803, but you might need to modify it slightly.

In Docker’s iptables, the DOCKER-USER chain is evaluated before the DOCKER chain, so it’s a good place to enforce rules for incoming traffic.

Ensure your DOCKER-USER chain looks like this:

-A DOCKER-USER -s 10.5.1.2 -p tcp --dport 8803 -j ACCEPT
-A DOCKER-USER -p tcp --dport 8803 -j DROP
This means:

Allow traffic from 10.5.1.2 (your admin machine) to port 8803.

Drop all other traffic to port 8803.

  2. Check PREROUTING Rules
    You’ve attempted to add rules to the PREROUTING chain, but since Docker creates its own NAT rules, you may need to adjust the way you’re managing those.

Instead of adding rules directly to the PREROUTING chain in the NAT table, consider adding them to the DOCKER-USER chain (which applies to Docker containers before other Docker-specific chains).

  3. Verify Docker’s iptables Configuration
    To ensure that the iptables rules are applied correctly, you can check the existing Docker iptables rules with:

sudo iptables -t filter -L
sudo iptables -t nat -L
This will show you how Docker’s iptables rules are set up and whether your custom DOCKER-USER rules are properly applied.

You may also want to ensure the Docker service doesn’t override or reset iptables rules on restart by setting --iptables=false in the Docker configuration (this would require you to handle iptables rules entirely manually).

  4. Use OpenMediaVault’s Firewall for Host IP Filtering
    You can also use the firewall rules in OpenMediaVault (OMV) to limit access to Docker services based on the host’s network interfaces. OpenMediaVault’s firewall typically controls traffic on eth0 or br0 (if you’re using a bridged network).

Create a Custom Firewall Rule in OMV:

Allow traffic to port 8803 only from 10.5.1.2 (your admin PC).

Drop all other traffic to port 8803.

You can specify these rules in the OMV firewall configuration interface under Firewall > Rules.

Allow Rule: Allow TCP on port 8803 from 10.5.1.2.

Deny Rule: Deny all TCP traffic to port 8803.

If you’re using Docker’s bridge network mode, ensure the container is accessible via the correct IP and that the firewall on OMV is set to filter the bridge’s traffic. Docker bridges can complicate routing and may require direct manipulation of iptables to block certain types of traffic.

Best Regards,
Kely
EZPassMA

Actually I recognise this reply literally from ChatGPT. Been there, done that. Just to be thorough I went through your reply again, but the outcome is the same. It’s not working!

After some more digging I also tried setting up the firewall rules with the following parameters, but also no change:
iptables -I DOCKER-USER -i enp1s0 -p tcp --dport 8800:8899 -m conntrack --ctorigdst 10.5.1.240 --ctdir ORIGINAL -s 10.5.1.2 -j ACCEPT
iptables -A DOCKER-USER -i enp1s0 -p tcp --dport 8800:8899 -m conntrack --ctorigdst 10.5.1.240 --ctdir ORIGINAL -j DROP

Anyone else have any ideas please? This should just be possible, right? (Even when running a bridge-type network in Docker.)
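As an added worked example (not from any poster in this thread): Docker's DNAT for a published port happens in nat PREROUTING, and DOCKER-USER is traversed from the FORWARD chain afterwards, so at that point the packet's destination is already the container's IP and container port, and a `--dport 8803` / `--dport 8800:8899` match in DOCKER-USER (or the host INPUT chain) never sees the published port. The generator below therefore matches the pre-DNAT destination with conntrack's `--ctorigdst`/`--ctorigdstport` instead; the interface, addresses and port range are the ones quoted in the thread, while the helper functions and the sample `iptables -S` listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. DOCKER-USER runs after Docker's PREROUTING
# DNAT, so match the ORIGINAL (pre-DNAT) destination via conntrack, not --dport.
# Values below are the ones quoted in the thread; helpers are constructed.
IFACE="${IFACE:-enp1s0}"         # LAN interface the requests arrive on
HOST_IP="${HOST_IP:-10.5.1.240}" # host address the ports are published on
ADMIN_IP="${ADMIN_IP:-10.5.1.2}" # the only client allowed to reach the range
PORTS="${PORTS:-8800:8899}"      # published (host-side) port range

# Print the two iptables commands, DROP first: both insert at position 1, so run
# in this order the ACCEPT ends up above the DROP, and both sit above the RETURN
# that Docker keeps at the end of DOCKER-USER.
docker_user_rules() {
    printf 'iptables -I DOCKER-USER 1 -i %s -p tcp -m conntrack --ctorigdst %s --ctorigdstport %s --ctdir ORIGINAL -j DROP\n' \
        "$IFACE" "$HOST_IP" "$PORTS"
    printf 'iptables -I DOCKER-USER 1 -i %s -p tcp -s %s -m conntrack --ctorigdst %s --ctorigdstport %s --ctdir ORIGINAL -j ACCEPT\n' \
        "$IFACE" "$ADMIN_IP" "$HOST_IP" "$PORTS"
}

# Apply the generated rules (needs root); kept separate so the generator can be
# inspected without touching the live firewall.
apply_rules() {
    docker_user_rules | while IFS= read -r cmd; do eval "$cmd"; done
}

# Read `iptables -S DOCKER-USER` output on stdin; return 0 only when an ACCEPT
# for the admin host appears before any DROP (ordering is what makes this work).
check_order() {
    awk -v admin="$ADMIN_IP" '
        /-j ACCEPT/ && index($0, "-s " admin) && !seen_drop { ok = 1 }
        /-j DROP/ { seen_drop = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Constructed listing of what `iptables -S DOCKER-USER` shows after apply_rules.
SAMPLE_LISTING='-P DOCKER-USER ACCEPT
-A DOCKER-USER -s 10.5.1.2/32 -i enp1s0 -p tcp -m conntrack --ctorigdst 10.5.1.240/32 --ctorigdstport 8800:8899 --ctdir ORIGINAL -j ACCEPT
-A DOCKER-USER -i enp1s0 -p tcp -m conntrack --ctorigdst 10.5.1.240/32 --ctorigdstport 8800:8899 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -j RETURN'

if [ "${1:-}" = "--apply" ]; then
    apply_rules && iptables -S DOCKER-USER | check_order && echo "DOCKER-USER order OK"
else
    docker_user_rules   # dry run: show the commands that would be applied
    printf '%s\n' "$SAMPLE_LISTING" | check_order && echo "sample listing order OK"
fi
```

Because `-i enp1s0` is required, traffic the host itself or other containers send to the published port is not affected, only requests arriving from the LAN; run `iptables -S DOCKER-USER` after applying to confirm the ACCEPT precedes the DROP.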