
Shieldwall does not handle FORWARD chain

Open BlackOfWorld opened this issue 2 years ago • 1 comment

Hey, and thanks for creating an awesome project!

I'm having some difficulty shieldwalling my Docker containers. I noticed that Shieldwall doesn't add an entry to FORWARD, so it doesn't get captured. Is this a bug?

# iptables -n -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
SHIELDWALL  all  --  0.0.0.0/0            0.0.0.0/0
LOGNDROP   all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:81

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
DROP       tcp  -- !127.0.0.1            0.0.0.0/0            tcp dpt:81
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain LOGNDROP (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 4 prefix "shieldwall-dropped: "
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain SHIELDWALL (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  173.245.48.0/20      0.0.0.0/0            tcp dpt:443
[TRUNCATED - Cloudflare]
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcp dpts:1:65535
ACCEPT     udp  --  127.0.0.1            0.0.0.0/0            udp dpts:1:65535

Thanks!

BlackOfWorld, Aug 11 '22 15:08

My solution to this:

iptables -A DOCKER-USER -i eth0 -j SHIELDWALL
iptables -A DOCKER-USER -i eth0 -j LOGNDROP

BlackOfWorld, Aug 11 '22 18:08
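An added example (not code from the issue or from the shieldwall project) for the DOCKER-USER approach above: Docker's FORWARD path consults DOCKER-USER first, but that chain ends in `-j RETURN` (see the listing), so a jump appended with `-A` lands after RETURN and is never evaluated. The functions below detect that from `iptables -S` output and insert the jumps with `-I` instead, mirroring the INPUT chain's order (conntrack ACCEPT, SHIELDWALL, LOGNDROP). Assumed: the WAN interface is eth0 and the SHIELDWALL and LOGNDROP chains already exist.

```shell
#!/bin/sh
# Added example, not code from the issue or the shieldwall project.
# DOCKER-USER ends with "-j RETURN", so rules appended with -A are dead;
# this checks reachability and inserts at the top of the chain with -I.
# Assumed: WAN interface eth0; chains SHIELDWALL and LOGNDROP exist.

# Print the 1-based position of the first rule in CHAIN ($1), read from stdin
# in `iptables -S` format, whose jump target is TARGET ($2); 0 if none.
rule_position() {
  awk -v chain="$1" -v target="$2" '
    $1 == "-A" && $2 == chain {
      n++
      if ($(NF-1) == "-j" && $NF == target) { print n; found = 1; exit }
    }
    END { if (!found) print 0 }'
}

# Succeed (exit 0) only if CHAIN jumps to TARGET before its first RETURN,
# i.e. the jump can actually be reached by a forwarded packet.
jump_is_reachable() {
  rules=$(cat)
  jump=$(printf '%s\n' "$rules" | rule_position "$1" "$2")
  ret=$(printf '%s\n' "$rules" | rule_position "$1" RETURN)
  [ "$jump" -gt 0 ] && { [ "$ret" -eq 0 ] || [ "$jump" -lt "$ret" ]; }
}

# Mirror the INPUT chain's structure (conntrack ACCEPT, SHIELDWALL, LOGNDROP)
# into DOCKER-USER ahead of the existing RETURN. Idempotent: does nothing
# when a reachable jump to SHIELDWALL is already present.
ensure_docker_shieldwall() {
  iface=${1:-eth0}
  if ! iptables -S DOCKER-USER | jump_is_reachable DOCKER-USER SHIELDWALL; then
    iptables -I DOCKER-USER 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -I DOCKER-USER 2 -i "$iface" -j SHIELDWALL
    iptables -I DOCKER-USER 3 -i "$iface" -j LOGNDROP
  fi
}

# Constructed sample: the DOCKER-USER chain from the issue after the two jumps
# were appended with -A. They sit after RETURN, so the check reports them dead.
SAMPLE_RULES='-N DOCKER-USER
-A DOCKER-USER ! -s 127.0.0.1/32 -p tcp -m tcp --dport 81 -j DROP
-A DOCKER-USER -j RETURN
-A DOCKER-USER -i eth0 -j SHIELDWALL
-A DOCKER-USER -i eth0 -j LOGNDROP'
if printf '%s\n' "$SAMPLE_RULES" | jump_is_reachable DOCKER-USER SHIELDWALL; then
  echo "SHIELDWALL jump is reachable from DOCKER-USER"
else
  echo "SHIELDWALL jump is NOT reachable (appended after RETURN)"
fi
```

Run `ensure_docker_shieldwall eth0` as root on the Docker host; re-running it is safe because it only inserts when no reachable jump exists.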