10

I realized that Docker recently added integration with firewalld, and I just want to set up my server using firewalld instead of boring iptables rules and chains.

This is my docker zone output:


root@test:~# sudo firewall-cmd --zone=docker --list-all 
docker (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: br-0a659f93a5b6 br-be2e44b2b069 docker0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

I run multiple services, including Laravel (nginx port binding 80 -> 5050), MySQL, etc., with the above config. I expect that nobody can access ports 5050 and 3306 (MySQL), but unfortunately the firewall has no effect and everything is open and accessible from outside.

And these are the docker modules: [image: docker modules]

Now, how do I really configure firewalld to drop every request except to the allowed ports?

2
  • Did you find any solutions?
    – Zanna_37
    Commented Nov 29, 2021 at 1:31
  • 1
    @Zanna_37 No, I couldn't find any solution for this, and I use ufw-docker for this purpose.
    Commented Nov 30, 2021 at 6:34

1 Answer

2

In summary, the solution is:

  1. Disable iptables in docker
  2. Add masquerade to public zone
  3. Add docker network interface to trusted zone
  4. Add ethernet interface to public zone

Note that this has security implications.

I wrote an article about it here: https://dev.to/soerenmetje/how-to-secure-a-docker-host-using-firewalld-2joo

1
  • Thank you for writing that blog post! I have been trying to learn enough about netfilter to get firewalld doing DNAT so things work as expected, to avoid the gateway/NAT issue you mention in the post.
    – trysten
    Commented Jan 4 at 10:59
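The four steps of the answer above as POSIX shell functions, added here as an example; this is not the answer's or the linked article's code. It assumes firewalld owns the host firewall, the public NIC is called eth0 (any name can be passed), and /etc/docker/daemon.json holds no other settings you need to keep; set FIREWALL_CMD=echo to review the commands before running them for real.

```shell
#!/bin/sh
# Added example: the answer's four steps as shell functions.
# Assumptions: firewalld manages the host firewall, the public NIC name is passed
# in (eth0 below), and daemon.json contains no other settings worth keeping.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"      # set to "echo" for a dry run
DAEMON_JSON="${DAEMON_JSON:-/etc/docker/daemon.json}"

# Step 1: stop dockerd from managing iptables itself (restart docker afterwards).
# Overwrites the file: merge by hand if it already holds other keys.
write_daemon_json() {
    printf '{\n  "iptables": false\n}\n' > "$1"
}

# Pull the bridge names out of `firewall-cmd --zone=docker --list-all` output
# (read from stdin), i.e. the "interfaces:" line shown in the question.
docker_zone_interfaces() {
    sed -n 's/^[[:space:]]*interfaces:[[:space:]]*//p'
}

# Steps 2-4. Usage: configure_zones <public-nic> <docker-bridge>...
# --change-interface rather than --add-interface, because the bridges are already
# bound to the docker zone and firewalld binds an interface to one zone only.
configure_zones() {
    public_if=$1; shift
    # Step 2: SNAT container traffic that leaves through the public NIC.
    "$FIREWALL_CMD" --permanent --zone=public --add-masquerade
    # Step 4: the public NIC lives in "public", which admits only listed services/ports.
    "$FIREWALL_CMD" --permanent --zone=public --change-interface="$public_if"
    # Step 3: each Docker bridge becomes "trusted" so container-to-container and
    # container-to-host traffic keeps flowing now that dockerd writes no rules.
    for br in "$@"; do
        "$FIREWALL_CMD" --permanent --zone=trusted --change-interface="$br"
    done
    "$FIREWALL_CMD" --reload
}

# Only ports opened here are reachable from outside; ports published with -p
# (5050 and 3306 in the question) stay closed until listed, e.g. open_public_port 80/tcp.
open_public_port() {
    "$FIREWALL_CMD" --permanent --zone=public --add-port="$1"
    "$FIREWALL_CMD" --reload
}

# Typical run, after sourcing this file as root:
#   write_daemon_json "$DAEMON_JSON" && systemctl restart docker
#   configure_zones eth0 $(firewall-cmd --zone=docker --list-all | docker_zone_interfaces)
#   open_public_port 80/tcp
```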
