
How to block non-local traffic?

Open panomitrius opened this issue 3 years ago • 4 comments

I realized this script exposes all docker containers to traffic from everywhere. How can I modify it to only allow local traffic while not opening up to global access?

panomitrius avatar Feb 04 '22 20:02 panomitrius
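One defender-side way to answer the question above, as an added example that is not part of this thread or of the csf-post-docker script: Docker evaluates the DOCKER-USER chain before its own FORWARD rules, so rules placed there survive Docker re-creating its chains and can limit which sources reach published container ports. The local ranges (LOCAL_NETS), the external interface name (EXT_IF) and the function name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not csf-post-docker's own code): only let local source
# ranges reach Docker-published ports via the DOCKER-USER chain.
# IPT can be overridden (e.g. IPT=echo) to print rules instead of applying them.
IPT="${IPT:-iptables}"

# Assumed local ranges (RFC 1918); adjust to your LAN/VPN prefixes.
LOCAL_NETS="${LOCAL_NETS:-10.0.0.0/8 172.16.0.0/12 192.168.0.0/16}"
# Assumed public-facing interface; anything arriving here is "external".
EXT_IF="${EXT_IF:-eth0}"

restrict_docker_to_local() {
    # Flush the chain first so re-running the script is idempotent.
    "$IPT" -F DOCKER-USER
    # Keep replies to connections containers themselves initiated (e.g. apt
    # inside a container); without this the DROP below would break them.
    "$IPT" -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
    # New connections from each local range may continue to Docker's chains.
    for net in $LOCAL_NETS; do
        "$IPT" -A DOCKER-USER -i "$EXT_IF" -s "$net" -j RETURN
    done
    # Everything else arriving on the external interface for a container is dropped.
    "$IPT" -A DOCKER-USER -i "$EXT_IF" -j DROP
    # Traffic from other interfaces (container to container, host to container)
    # falls through to Docker's own rules unchanged.
    "$IPT" -A DOCKER-USER -j RETURN
}

# Dry-run unless invoked with --apply: print the rules instead of applying them.
if [ "${1:-}" = "--apply" ]; then
    restrict_docker_to_local
else
    IPT=echo
    restrict_docker_to_local
fi
```

Because CSF flushes iptables when it restarts, these rules would have to be re-applied from the same post-hook that runs csf-post-docker, after Docker's chains exist again.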

We are also struggling with this. Our intention is to maintain CSF in front of docker so only ports opened in CSF are open to external IPs not in allowed lists or dynamic.

So far we've managed to do it by adding accept rules to the output of all of the docker interfaces.

@juli3nk's script is actually very efficient but treats NAT the same way as CSF does, that is, NAT is non-firewalled, and it creates all opened ports in docker as DNAT rules.

It would be great to see an alternative option.

luison avatar Apr 27 '22 13:04 luison

Need this too... does somebody know how to do this?

barart avatar Nov 26 '22 04:11 barart

I've hacked together a small solution for this problem; unfortunately it involves editing the original script. See https://github.com/emielmolenaar/csf-post-docker/commit/1d34117baf98a1ada6921f0609dbc911e0246700 .

I'm by no means an iptables / csf expert so please let me know if this isn't the way to go!

emielmolenaar avatar Jun 27 '23 14:06 emielmolenaar