libnetwork

firewalld docker zone not working to reject request

Open xflu opened this issue 3 years ago • 3 comments

Hi, I run an nginx container with docker-compose. I can visit it using http://192.168.222.230/.

Then I add a reject rule to docker zone.

firewall-cmd --zone=docker --permanent --add-rich-rule='rule family="ipv4" source address="192.168.222.1" port protocol="tcp" port="80" reject'
firewall-cmd --complete-reload

However, I can still visit http://192.168.222.230/ from 192.168.222.1.

Can someone tell me what the problem is? How do I make it work?

OS: CentOS Linux release 7.6.1810 (Core); firewall-cmd version: 0.5.3; Docker version 20.10.12, build e91ed57

docker-compose.yml

version: "3.9"
services:
  nginx:
    image: nginx:latest
    container_name: nginx
    ports:
      - "80:80"

firewall-cmd --get-active-zones

docker
  interfaces: docker0 br-c6d4a486127d br-6e7f995ee7b1
mock_docker
  interfaces: ens33

firewall-cmd --zone=docker --list-all

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0 br-c6d4a486127d br-6e7f995ee7b1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="192.168.222.1" port port="80" protocol="tcp" reject

xflu, Jan 26 '22 08:01

I tried a different approach which didn't work either:

# firewall-cmd --get-active-zones
docker
  interfaces: docker0
public
  interfaces: ens3
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources:
  services: dhcpv6-client http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I would expect an incoming connection from ens3 to be blocked on ports which aren't listed in services:, but, for example, a container listening on port 5000 does not get blocked. (A native process listening on port 5000 does get blocked successfully.)

How is this supposed to be done? There's no documentation on it other than "yay docker creates its own zone now"

SuperCuber, Jan 31 '22 14:01

@SuperCuber Finally, I realized that with iptables, according to the Docker documentation.

Now only some IP addresses can access the Docker container's mapped port.

However, I would still like to know how to achieve the same effect with Firewalld.

xflu, Feb 05 '22 06:02
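The two reports above have the same cause, and the iptables route xflu ended up taking is the one Docker's own documentation recommends. Traffic for a published port arrives on the external interface (ens33 or ens3), is DNATed to the container address in nat/PREROUTING, and then traverses filter/FORWARD rather than INPUT; Docker jumps to its DOCKER-USER chain at the top of FORWARD. A zone's INPUT filtering (the services: list, or a rich rule) therefore never sees that traffic, which is why a native process on port 5000 is blocked while a container on port 5000 is not, and a rich rule in the docker zone only matches packets whose ingress interface is docker0 or a br-* bridge, never packets that entered on ens33. The script below is an added example, not code from the thread, from Docker or from firewalld: it generates (and optionally applies) DOCKER-USER rules that either allow-list or reject client addresses for one published port. The interface ens33, port 80/tcp and client 192.168.222.1 are taken from the thread; the function name and the allow/deny modes are this example's own.

```sh
#!/bin/sh
# Added example, not code from the thread, Docker or firewalld: restrict a
# Docker-published port with rules in the DOCKER-USER chain, the hook Docker's
# documentation reserves for administrator rules (Docker does not flush it).
#
# Published-port traffic is DNATed to the container in nat/PREROUTING and then
# passes through filter/FORWARD, not INPUT, so firewalld zone rules keyed on
# INPUT or on the docker0/br-* ingress interface never match it.
#
# Interface ens33, port 80/tcp and client 192.168.222.1 are the values from the
# thread; the function name and the allow/deny modes are this example's own.

# Print the iptables commands for one published port.
#   docker_user_rules allow <ext_if> <port> <src>...  only <src> may connect
#   docker_user_rules deny  <ext_if> <port> <src>...  <src> is rejected
# The match uses the conntrack *original* destination port because by the time
# a packet reaches FORWARD its destination port is already the container's.
docker_user_rules() {
    mode=$1 ext_if=$2 port=$3
    shift 3
    l4="-p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL"
    case $mode in
    allow)
        # Emitted first: 'iptables -I' prepends, so the RETURN rules emitted
        # afterwards land above this default DROP and are evaluated first.
        printf 'iptables -I DOCKER-USER -i %s %s -j DROP\n' "$ext_if" "$l4"
        for src in "$@"; do
            printf 'iptables -I DOCKER-USER -i %s -s %s %s -j RETURN\n' \
                "$ext_if" "$src" "$l4"
        done
        ;;
    deny)
        # Reject with a TCP reset, the effect the rich rule in the thread
        # was meant to have for the listed source.
        for src in "$@"; do
            printf 'iptables -I DOCKER-USER -i %s -s %s %s -j REJECT --reject-with tcp-reset\n' \
                "$ext_if" "$src" "$l4"
        done
        ;;
    *)
        echo "usage: docker_user_rules allow|deny <ext_if> <port> <src>..." >&2
        return 2
        ;;
    esac
}

# Command-line use: print the rules, or run them as root with --apply.
#   ./docker-user-rules.sh allow ens33 80 192.168.222.1
#   sudo ./docker-user-rules.sh --apply allow ens33 80 192.168.222.1
case "${1:-}" in
    --apply) shift; docker_user_rules "$@" | sh -e ;;
    "") ;;
    *) docker_user_rules "$@" ;;
esac
```

Verify with `iptables -nvL DOCKER-USER` on the host and a `curl http://192.168.222.230/` from an allowed and a non-allowed client. Two caveats: the rules are not persistent across reboots (saving them is left out here), and `firewall-cmd --complete-reload`, as used in the first post, flushes every iptables rule on the host including Docker's own chains, after which dockerd has to be restarted to recreate them.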

Same "problem" here. I do not understand how these rich rules should work. It works if I use direct rules, but since they are already deprecated by firewalld I don't want to use them. I couldn't find anything about it in the firewalld documentation.

Is there a best practice for handling Docker/Docker Swarm with firewalld rich rules? I don't want to open a port for everyone.

Ruppsn, Mar 04 '22 12:03