Comments (3)
Next, I investigated the iptables state before and after restarting Docker.
Here is my diff:
docker-server1:~$ diff iptables_good.txt iptables_bad.txt
1c1
< # Generated by iptables-save v1.8.4 on Tue Mar 15 10:37:39 2022
---
> # Generated by iptables-save v1.8.4 on Tue Mar 15 10:40:09 2022
13a14,21
> -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
> -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
> -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
> -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
> -A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
> -A DOCKER -i docker0 -j RETURN
> -A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
> -A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.3:80
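Review bot: none of the eight nat rules in this hunk exist in iptables_good.txt, and they are exactly what container networking depends on: `-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE` is the source NAT for container egress, and the PREROUTING/OUTPUT jumps into `DOCKER` with the two DNAT lines are the published ports (host 8080 -> 172.17.0.2:80, host 80 -> 172.17.0.3:80). A firewall generator that rewrites the nat table without re-adding these leaves containers with no way out and the published ports dark until dockerd is restarted. Note also that the DNATs match `! -i docker0` with no `-d`, so the published ports answer on every host address, and because the rewrite happens in PREROUTING the traffic traverses FORWARD rather than INPUT: host INPUT rules never see it.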
35d42
< :DOCKER-ISOLATION - [0:0]
37a45
> :DOCKER-USER - [0:0]
66a75,80
> -A FORWARD -j DOCKER-USER
> -A FORWARD -j DOCKER-ISOLATION-STAGE-1
> -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -o docker0 -j DOCKER
> -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> -A FORWARD -i docker0 -o docker0 -j ACCEPT
93a108,114
> -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
> -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
> -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
> -A DOCKER-ISOLATION-STAGE-1 -j RETURN
> -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
> -A DOCKER-ISOLATION-STAGE-2 -j RETURN
> -A DOCKER-USER -j RETURN
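Review bot: this hunk shows where site rules have to go if they are to coexist with Docker: `-A FORWARD -j DOCKER-USER` is the first FORWARD rule and `DOCKER-USER` holds only the `-j RETURN` that Docker itself installs, so rules appended to DOCKER-USER run before Docker's own ACCEPTs (notably `-A FORWARD -i docker0 ! -o docker0 -j ACCEPT`, which lets containers reach anything). The `-A DOCKER -d 172.17.0.x/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT` lines accept the published ports from any non-bridge interface, so restricting who may reach them has to be done in DOCKER-USER (or on the `-o docker0` path in FORWARD), not in INPUT. Since this whole diff is a Docker restart re-adding its chains, anything placed inside DOCKER or interleaved with Docker's FORWARD entries is at the mercy of the next restart; DOCKER-USER is the chain Docker documents as left alone.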
193c214
< # Completed on Tue Mar 15 10:37:39 2022
---
> # Completed on Tue Mar 15 10:40:09 2022
from firehol.
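The manual diff above can be automated. As an added example (not FireHOL's or Docker's code, and not part of this thread), this Python script parses iptables-save output and reports which of the Docker prerequisites seen in the diff are missing. The two embedded dumps are constructed to mirror the rules in the diff above and are not real host state.

```python
"""Check an iptables-save dump for the rules Docker relies on.

Added example, not FireHOL's or Docker's code. The two dumps below are
constructed from the diff in the comment above and are not real host state.
"""
import sys

# Constructed: a host after dockerd has installed its nat and filter rules.
DOCKER_OK = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
"""

# Constructed: the same host after a firewall generator rewrote both tables
# without knowing about Docker: no DOCKER chains, no MASQUERADE, FORWARD DROP.
DOCKER_CLOBBERED = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP:"
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "chains": [...], "rules": {chain: [spec, ...]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # "*nat" opens a table
            table = line[1:]
            tables[table] = {"policy": {}, "chains": [], "rules": {}}
        elif line.startswith(":"):          # ":FORWARD DROP [0:0]" declares a chain
            name, policy, _ = line[1:].split(" ", 2)
            tables[table]["chains"].append(name)
            tables[table]["policy"][name] = policy
            tables[table]["rules"].setdefault(name, [])
        elif line.startswith("-A "):        # "-A CHAIN <match/target spec>"
            _, chain, spec = line.split(" ", 2)
            tables[table]["rules"].setdefault(chain, []).append(spec)
        elif line == "COMMIT":
            table = None
    return tables


def check_docker_invariants(tables, bridge="docker0", subnet="172.17.0.0/16"):
    """List what is missing for containers on bridge/subnet to work; [] means OK."""
    nat, filt = tables.get("nat", {}), tables.get("filter", {})
    nat_rules, fwd = nat.get("rules", {}), filt.get("rules", {}).get("FORWARD", [])
    problems = []
    if "DOCKER" not in nat.get("chains", []):
        problems.append("nat: DOCKER chain missing, published ports are not DNATed")
    if not any(r.endswith("--dst-type LOCAL -j DOCKER") for r in nat_rules.get("PREROUTING", [])):
        problems.append("nat: PREROUTING does not jump to DOCKER")
    if f"-s {subnet} ! -o {bridge} -j MASQUERADE" not in nat_rules.get("POSTROUTING", []):
        problems.append(f"nat: no MASQUERADE for {subnet} leaving via non-{bridge}, containers have no internet")
    if "DOCKER-USER" not in filt.get("chains", []):
        problems.append("filter: DOCKER-USER chain missing")
    if not fwd or fwd[0] != "-j DOCKER-USER":
        problems.append("filter: FORWARD does not jump to DOCKER-USER first, user rules run after Docker's ACCEPTs")
    egress = f"-i {bridge} ! -o {bridge} -j ACCEPT"
    if filt.get("policy", {}).get("FORWARD") != "ACCEPT" and egress not in fwd:
        problems.append(f"filter: FORWARD policy is not ACCEPT and '{egress}' is absent, container egress is dropped")
    return problems


if __name__ == "__main__":
    # Run on a live host with: iptables-save | python check_docker_iptables.py
    text = DOCKER_CLOBBERED if sys.stdin.isatty() else sys.stdin.read()
    for line in check_docker_invariants(parse_iptables_save(text)) or ["OK"]:
        print(line)
```

Run it against both `iptables-save` snapshots: a dump that passes reports `OK`, while one that a Docker-unaware generator rewrote lists every missing piece, which is quicker than reading a 200-line diff and maps each failure to the symptom (no egress, dark published ports, user rules not consulted first).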
But after using the firehol_level1234 lists, Docker containers can't access the internet. Classic =)
Mar 17 19:17:13 ... kernel: [ 8940.176935] BLACKLIST-OUT:IN=br-03779e66492b OUT=eth0 PHYSIN=veth5b34bd0 MAC=02:42:a4:9f:1a:27:02:42:ac:14:00:02:08:00 SRC=172.20.0.2 DST=EXTERNAL_IP LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=45410 DF PROTO=TCP SPT=58878 DPT=27019 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 17 19:17:14 ... kernel: [ 8941.198548] BLACKLIST-OUT:IN=br-03779e66492b OUT=eth0 PHYSIN=veth5b34bd0 MAC=02:42:a4:9f:1a:27:02:42:ac:14:00:02:08:00 SRC=172.20.0.2 DST=EXTERNAL_IP LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=45411 DF PROTO=TCP SPT=58878 DPT=27019 WINDOW=64240 RES=0x00 SYN URGP=0
my config:
{% for docker_bridge_name in ansible_interfaces if docker_bridge_name.startswith('br-') %}
ipv4 blacklist full inface not {{docker_bridge_name}} src ipset:{{ ipset_name }}_{{ ipset_type }}
{% endfor %}
...
{% for docker_bridge_name in ansible_interfaces if docker_bridge_name.startswith('br-') %}
ipv4 interface {{docker_bridge_name}} docker_{{docker_bridge_name}}
policy accept
{% endfor %}
...
{% for docker_bridge_name in ansible_interfaces if docker_bridge_name.startswith('br-') %}
router {{docker_bridge_name}}_to_{{ ansible_default_ipv4.interface }} inface {{docker_bridge_name}} outface {{ ansible_default_ipv4.interface }}
policy accept
{% endfor %}
Which means I allow almost anything, but still no results. Who can help?
I don't want to allow 172.20.0.0/16 manually, because Docker bridges can change.
After a few days of crazy sex with FireHOL and Docker, I came to the conclusion that FireHOL and Docker are totally incompatible. FireHOL is a great product, as long as you don't have Docker. I switched to another solution that takes Docker's monopoly on iptables rules into consideration.
Related Issues (20)
- Is there any FireHOL "certification" for any OS?
- Allow generation of stateless rules on firewall generated with optimal ruleset
- hashlimit only for NEW connections
- How to easily convert iptables-based rsyslog/logrotate configs to nflog/ulogd2?
- Firehol try reset connections
- Spotify.com blocked
- Legit Google IPs Being Blocked By FireHol Abusers d1
- Is firehol EOL or just stable?
- docker-compose: multiple bridge networks
- Cannot download at max rate.
- please whitelist FEDERATEDIDENTITY.COM 2fa
- How to add vrrp rule
- dshield, dshield_top_1000: converted file is empty, etc
- Firehol adds rules to outgoing
- feodo list: wrong URL
- zeus_badips and ransomware_rw are no longer available
- improve script binary location - (update-ipsets no longer update ipsets)
- switching up not & src in interface config generates unexpected rules
- FIREHOL_LOG_PREFIX not applied to all log messages