Tuesday, April 2, 2019

How to use firewalld to filter traffic to docker

Note: My platform is Docker CE 18.09 on CentOS 7; YMMV. I only recently started using Docker, but there is one very important thing you need to know:
By default, all external source IPs are allowed to connect to the Docker daemon

Filtering by IP is actually easy once you know how, but I had a hell of a time finding the key information, and for me it was three-fold:
1. If the "DOCKER-USER" chain is not present when Docker starts, Docker will add it itself and allow all connections passed to it; therefore:
2. You must stop the docker service before configuring the DOCKER-USER iptables chain.
3. You must add the DOCKER-USER chain (and its rules) before the docker service starts.

partial reference: https://github.com/moby/moby/issues/35043

i.e.:

# stop Docker first, so it cannot create a permissive DOCKER-USER chain itself
service docker stop
# clear any earlier version of the chain, then create it empty
firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
# accept the two trusted source IPs arriving on the external interface ens224, then drop everything else on it (the priority number sets the order)
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -i ens224 -s 1.2.3.4 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 2 -i ens224 -s 5.6.7.8 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 3 -i ens224 -j DROP
# load the permanent direct rules, then start Docker, which now finds the chain already populated
service firewalld reload
service docker start
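The same procedure as a reviewable shell script, added here as an example and not part of the original post: the firewall-cmd lines are generated from an allowlist so they can be inspected before being run as root, with priorities numbered automatically so the DROP always lands last. It adds one rule the post does not have, a conntrack ACCEPT for RELATED,ESTABLISHED traffic, because DOCKER-USER also sees the replies to connections that containers open outbound and a bare `-i ens224 -j DROP` would discard them; the interface name and addresses are the post's placeholders.

```sh
#!/bin/sh
# gen_docker_user_rules IFACE ALLOWED_IP...
# Prints the firewall-cmd commands that build the DOCKER-USER allowlist,
# one per line, for review. Nothing is executed here.
gen_docker_user_rules() {
    iface="$1"; shift
    if [ -z "$iface" ] || [ "$#" -eq 0 ]; then
        echo "usage: gen_docker_user_rules IFACE ALLOWED_IP..." >&2
        return 1
    fi
    base="firewall-cmd --permanent --direct"
    # Recreate the chain from scratch so stale rules do not linger.
    printf '%s\n' "$base --remove-rules ipv4 filter DOCKER-USER"
    printf '%s\n' "$base --remove-chain ipv4 filter DOCKER-USER"
    printf '%s\n' "$base --add-chain ipv4 filter DOCKER-USER"
    # Replies to connections the containers opened themselves also arrive
    # on the external interface; accept them first, or the final DROP
    # cuts off container outbound connectivity.
    prio=1
    printf '%s\n' "$base --add-rule ipv4 filter DOCKER-USER $prio -i $iface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    for ip in "$@"; do
        prio=$((prio + 1))
        printf '%s\n' "$base --add-rule ipv4 filter DOCKER-USER $prio -i $iface -s $ip -j ACCEPT"
    done
    prio=$((prio + 1))
    # Everything else entering from the external interface is dropped.
    printf '%s\n' "$base --add-rule ipv4 filter DOCKER-USER $prio -i $iface -j DROP"
}

# apply_docker_user_rules IFACE ALLOWED_IP...
# Runs the generated commands in the order the post requires: Docker is
# stopped first so it cannot pre-create a permissive DOCKER-USER chain.
# Must run as root on the Docker host.
apply_docker_user_rules() {
    service docker stop
    gen_docker_user_rules "$@" | while IFS= read -r cmd; do
        $cmd || echo "warning: failed: $cmd" >&2
    done
    service firewalld reload
    service docker start
    # Show the live chain so the order (conntrack, allowlist, DROP) can be checked.
    iptables -S DOCKER-USER
}

# Dry run with the interface and addresses from the post (placeholders):
# review the output, then call apply_docker_user_rules with the same arguments.
gen_docker_user_rules ens224 1.2.3.4 5.6.7.8
```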