How to manage DOCKER-USER with firewalld config files?


Ubuntu 22.04 LTS, docker in Swarm mode and I'm trying to migrate from ufw to firewalld to simplify firewall management. The idea is to generate all configuration files by Ansible: not modifying the firewall via cmd executions, but place config and reload the firewall instead.

One published container port must be accessible by one single external IP, but containers should be able to talk to each other and the host.

This could be done by inserting several rules to the DOCKER-USER chain using iptables, and I want this configuration to be managed by Ansible on top of firewalld installed on the host.

The following /etc/firewalld/direct.xml file seems to do the trick:

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="filter" chain="DOCKER-USER"/>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1">-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment 'Accept reply packets'</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1">-j ACCEPT -s X.X.X.X -p tcp -m conntrack --ctorigdstport 2525 --ctdir ORIGINAL -m comment --comment 'allow X.X.X.X to connect to tcp:2525 on containers'</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="10">-j REJECT -m comment --comment 'reject all other traffic to DOCKER-USER'</rule>
</direct>

# iptables -F DOCKER-USER
# iptables -L DOCKER-USER
Chain DOCKER-USER (1 references)
target     prot opt source               destination
# firewall-cmd --reload
success
# iptables -L DOCKER-USER
Chain DOCKER-USER (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* Accept reply packets */
ACCEPT     tcp  --  X.X.X.X              anywhere             ctorigdstport 2525 ctdir ORIGINAL /* allow X.X.X.X to connect to tcp:2525 on containers */
REJECT     all  --  anywhere             anywhere             /* reject all other traffic to DOCKER-USER */ reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
#
  1. Why was the last rule (RETURN all -- anywhere anywhere) ingested? Is it possible to suppress it?

  2. The direct.xml docs say that this approach is deprecated and policies should be used instead. How could the same be achieved using policies? The policy man page doesn't have any meaningful examples, and it's unclear how to affect a pre-existing iptables chain using a policy.

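Since the direct.xml is meant to be generated by Ansible rather than typed in, it is worth having a pre-deploy check that the rendered file still expresses the intended policy: rules applied in priority order, an unconditional REJECT/DROP as the last managed rule (so the trailing RETURN seen in the iptables listing above has nothing left to let through), and no two rules with different targets sharing a priority, because the firewalld.direct man page states that the order of rules with the same priority is not fixed. The script below is an added example written for this post; it is not firewalld, Docker or Ansible code. The embedded XML is a constructed copy of the posted file with the same redacted X.X.X.X address, and the rendered "iptables -A" lines are an illustration of the order firewalld applies the rules in, not the exact commands firewalld issues internally.

```python
"""Lint a firewalld direct.xml rule set for one chain (DOCKER-USER here).

Added example for this question; not part of firewalld, Docker or Ansible.
The sample XML is constructed to mirror the posted /etc/firewalld/direct.xml.
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: same shape as the posted direct.xml, X.X.X.X redacted as in the post.
SAMPLE_DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="filter" chain="DOCKER-USER"/>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1">-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment 'Accept reply packets'</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1">-j ACCEPT -s X.X.X.X -p tcp -m conntrack --ctorigdstport 2525 --ctdir ORIGINAL -m comment --comment 'allow X.X.X.X to connect to tcp:2525 on containers'</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="10">-j REJECT -m comment --comment 'reject all other traffic to DOCKER-USER'</rule>
</direct>
"""


def load_direct_rules(xml_text, chain="DOCKER-USER", ipv="ipv4", table="filter"):
    """Return (priority, args) pairs for one chain, sorted by ascending priority.

    Within one priority the document order is kept here for readability, but
    firewalld itself does not guarantee that order (see priority_collisions).
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = []
    for idx, el in enumerate(root.findall("rule")):
        if (el.get("ipv"), el.get("table"), el.get("chain")) != (ipv, table, chain):
            continue
        rules.append((int(el.get("priority", "0")), idx, (el.text or "").strip()))
    rules.sort()
    return [(prio, args) for prio, _, args in rules]


def jump_target(args):
    """Extract the -j/--jump target from an iptables argument string."""
    toks = shlex.split(args)
    for i, tok in enumerate(toks):
        if tok in ("-j", "--jump") and i + 1 < len(toks):
            return toks[i + 1]
    return None


def match_tokens(args):
    """Tokens left after dropping the jump target and the comment match.

    Whatever remains is what the rule actually conditions on; an empty list
    means the rule matches every packet that reaches it.
    """
    toks = shlex.split(args)
    out, i = [], 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("-j", "--jump", "--comment"):
            i += 2  # skip the option and its value
            continue
        if tok == "-m" and i + 1 < len(toks) and toks[i + 1] == "comment":
            i += 2
            continue
        out.append(tok)
        i += 1
    return out


def is_fail_closed(rules):
    """True when the last managed rule is an unconditional REJECT or DROP."""
    if not rules:
        return False
    _, last = rules[-1]
    return jump_target(last) in ("REJECT", "DROP") and match_tokens(last) == []


def priority_collisions(rules):
    """Priorities shared by rules with different targets: their relative order
    is not fixed by firewalld, so the effective policy could differ per reload."""
    by_prio = {}
    for prio, args in rules:
        by_prio.setdefault(prio, set()).add(jump_target(args))
    return sorted(p for p, targets in by_prio.items() if len(targets) > 1)


def render_iptables(rules, chain="DOCKER-USER", table="filter"):
    """Illustrative append commands in the order the rules take effect."""
    return [f"iptables -t {table} -A {chain} {args}" for _, args in rules]


def lint(xml_text, chain="DOCKER-USER"):
    """Return a list of policy problems; an empty list means the file passed."""
    rules = load_direct_rules(xml_text, chain=chain)
    problems = []
    if not is_fail_closed(rules):
        problems.append(f"{chain}: last managed rule is not an unconditional REJECT/DROP")
    for prio in priority_collisions(rules):
        problems.append(f"{chain}: priority {prio} shared by rules with different targets")
    return problems


if __name__ == "__main__":
    for line in render_iptables(load_direct_rules(SAMPLE_DIRECT_XML)):
        print(line)
    for problem in lint(SAMPLE_DIRECT_XML):
        print("WARNING:", problem)
```

Run it as a pre-task in the playbook (or locally against the templated file) and fail the play when `lint()` returns anything; the posted file passes, while dropping the REJECT rule or giving it the same priority as the ACCEPT rules is reported.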

There are 0 answers