firewalld docker zone not working to reject request #2651

Open
xflu opened this issue Jan 26, 2022 · 3 comments
Comments

@xflu
xflu commented Jan 26, 2022

Hi,
I run an nginx container by docker-compose . I can visit it using http://192.168.222.230/ .

Then I add a reject rule to docker zone.

firewall-cmd --zone=docker --permanent --add-rich-rule='rule family="ipv4" source address="192.168.222.1" port protocol="tcp" port="80" reject'
firewall-cmd  --complete-reload

However, I still can visit http://192.168.222.230/ from 192.168.222.1 .

Can someone tell me what's the problem? How to make it work?

OS:CentOS Linux release 7.6.1810 (Core)
firewall-cmd version: 0.5.3
Docker version 20.10.12, build e91ed57

docker-compose.yml

version: "3.9"
services:
  nginx:
    image: nginx:latest
    container_name: nginx
    ports:
      - "80:80"

firewall-cmd --get-active-zones

docker
  interfaces: docker0 br-c6d4a486127d br-6e7f995ee7b1
mock_docker
  interfaces: ens33

firewall-cmd --zone=docker --list-all

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0 br-c6d4a486127d br-6e7f995ee7b1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="192.168.222.1" port port="80" protocol="tcp" reject
@SuperCuber
I tried a different approach which didn't work either:

# firewall-cmd --get-active-zones
docker
  interfaces: docker0
public
  interfaces: ens3
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources:
  services: dhcpv6-client http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I would expect an incoming connection from ens3 to be blocked on ports which aren't listed in services: but for example a container listening on port 5000 does not get blocked. (a native process listening on port 5000 does get blocked successfully)

How is this supposed to be done? There's no documentation on it other than "yay docker creates its own zone now"

@xflu
Author

xflu commented Feb 5, 2022

@SuperCuber
Finally, I realized it with iptables, according to the Docker documentation.

Now only some ip address can access the docker container mapped port.

However, I would still like to know how to achieve the same effect with Firewalld.
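Why the rich rule above never fires, and the iptables approach xflu refers to, as an added example (not code from the issue, from Docker or from firewalld). With the iptables backend, firewalld evaluates a packet in the zone of its ingress interface: a request from 192.168.222.1 arrives on ens33 (zone mock_docker), so a rich rule in the docker zone, which is bound to docker0 and the br-* bridges, is never consulted for it. More importantly, a published container port is not a local socket at all: it is DNAT followed by FORWARD, and Docker inserts its own chains (DOCKER-USER first, then the DOCKER chain with the per-port accepts) at the head of FORWARD, ahead of firewalld's FORWARD_IN_ZONES, so the traffic is accepted before any zone rule runs. That is also why SuperCuber's native process on port 5000 is blocked (INPUT) while the container on the same port is not. The chain Docker leaves to the administrator is DOCKER-USER, and the script below generates rules for it. The interface ens33 and port 80 come from xflu's output; the allowlist addresses (192.168.222.10/32, 192.168.222.0/25) are made up for the example.

```sh
#!/bin/sh
# Added example, not code from the issue, from Docker or from firewalld.
# Generates the iptables commands that restrict a Docker-published TCP port
# to an allowlist of source addresses via the DOCKER-USER chain, which Docker
# calls first from FORWARD and leaves untouched for the administrator.
#
# Assumptions: iptables is installed, Docker has created DOCKER-USER, and the
# commands are run as root when applied. ens33 and port 80 are taken from
# xflu's setup; the allowlist addresses used in the usage note are made up.
#
# Two details matter here:
#  1. Docker's DNAT runs before FORWARD, so in DOCKER-USER a plain --dport
#     would match the *container* port, not the published host port. The
#     conntrack match on the original destination port (--ctorigdstport)
#     sees the port the client actually connected to. --ctdir ORIGINAL keeps
#     the rules from touching reply packets of connections the container
#     itself opened to some remote port 80.
#  2. DOCKER-USER ends with a RETURN rule that Docker adds, so rules must be
#     inserted (-I), never appended (-A). The DROP is emitted first so that
#     the ACCEPTs inserted afterwards end up above it in the chain.

# Print the commands for one published port.
# usage: docker_user_rules EXT_IF HOST_PORT [ALLOWED_CIDR...]
docker_user_rules() {
    ext_if=$1
    host_port=$2
    shift 2

    # Catch-all: once the ACCEPTs are inserted above it, anything else
    # arriving on ext_if for this published port is dropped.
    printf 'iptables -I DOCKER-USER -i %s -p tcp -m conntrack --ctdir ORIGINAL --ctorigdstport %s -j DROP\n' \
        "$ext_if" "$host_port"

    for cidr in "$@"; do
        printf 'iptables -I DOCKER-USER -i %s -p tcp -m conntrack --ctdir ORIGINAL --ctorigdstport %s -s %s -j ACCEPT\n' \
            "$ext_if" "$host_port" "$cidr"
    done
}

# With "apply" as the first argument the commands are executed instead of
# printed; without it this is a dry run that can be reviewed first.
if [ "${1:-}" = "apply" ]; then
    shift
    docker_user_rules "$@" | sh -e
elif [ "$#" -ge 2 ]; then
    docker_user_rules "$@"
fi
```

Review the output with `sh docker-allowlist.sh ens33 80 192.168.222.10/32 192.168.222.0/25`, then run the same command with `apply` prepended as root and check the result with `iptables -S DOCKER-USER` (the ACCEPTs should precede the DROP, and the DROP should precede Docker's RETURN). These rules are not persistent: a reboot, a Docker restart, or a `firewall-cmd --complete-reload` as in the report above flushes them and they have to be re-added, so put the script in a unit or hook that runs after Docker is up.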

@Ruppsn

Ruppsn commented Mar 4, 2022

Same "Problem" here.
I do not understand how these rich rules should work. It works if I use direct rules, but since they are already deprecated by firewalld I don't want to use them. I couldn't find anything about it in the firewalld documentation.

Is there a best practice to handle docker/docker swarm with firewalld rich rules? I don't want to open a port for everyone.
