
Guide for static iptables rules for DOCKER-USER on CentOS 7? #8087

Closed
aki-k opened this issue Jan 28, 2019 · 6 comments
Labels
area/networking Relates to anything around networking lifecycle/locked lifecycle/stale

Comments

@aki-k

aki-k commented Jan 28, 2019

File: network/iptables.md

Could you update this document with information on how to set up static iptables rules for DOCKER-USER on CentOS 7?

Currently I only see how to manually add rules to DOCKER-USER.

@aki-k

aki-k commented Jan 31, 2019

This could be the solution for the static iptables configuration. Currently you don't provide this kind of documentation and users are left to invent their own solutions.

https://unrouted.io/2017/08/15/docker-firewall/

(It creates a new chain called FILTERS, into which network traffic from INPUT and DOCKER-USER is sent.)

@aki-k

aki-k commented Feb 13, 2019

Here's what I use with this setup in the FILTERS chain to allow ICMP to the Docker host, access to the host's port 22 and access to the container's port 5222:

-A FILTERS -p icmp --icmp-type any -s client_a/32 -j ACCEPT
-A FILTERS -p icmp --icmp-type any -j DROP
-A FILTERS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FILTERS -m conntrack --ctstate NEW -m tcp -p tcp -s client_a/32 --dport 22 -j ACCEPT
-A FILTERS -m conntrack --ctstate NEW -m tcp -p tcp -s client_a/32 --ctorigdstport 5222 -j ACCEPT
-A FILTERS -j DROP

The option --ctorigdstport was completely new to me. I found it at https://stackoverflow.com/questions/53541274/docker-chain-in-iptables-overrides-input-rules

@boTux

boTux commented Apr 15, 2019

You can try with systemd-service-iptables to load your docker-user rules; example docker-user rules.

We're using iptables-save and iptables-restore to load rules; check out the DOCKER-USER rules:

*filter

# WAN = ens192 ; LAN = ens160

# Reset counters
:DOCKER-USER - [0:0]

# Flush
-F DOCKER-USER

# Filters:
## Accept established connections
-A DOCKER-USER -i ens192 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN

## Allow all on https/http
-A DOCKER-USER -i ens192 -p tcp -m tcp -m conntrack --ctorigdstport 80 -j RETURN
-A DOCKER-USER -i ens192 -p tcp -m tcp -m conntrack --ctorigdstport 443 -j RETURN

## Allow 8080 from ip
-A DOCKER-USER -i ens192 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.11.11.0/24 -j RETURN
-A DOCKER-USER -i ens192 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.22.22.0/24 -j RETURN

# Block all external
-A DOCKER-USER -i ens192 -j DROP
-A DOCKER-USER -j RETURN

COMMIT
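
A way to generate a DOCKER-USER fragment in the same iptables-restore layout from a port list, as an added example that is not part of this thread or of Docker's documentation; the interface name, port numbers and subnets are assumptions, and the output is meant to be reviewed before being fed to iptables-restore:

```shell
#!/bin/sh
# gen_docker_user_rules WAN_IF "open ports" [port=cidr,cidr ...]
# Emits an iptables-restore fragment for the DOCKER-USER chain.
# Constructed example; ens192 and the 10.x subnets below are assumed values.
gen_docker_user_rules() {
    wan="$1"; open_ports="$2"; shift 2
    printf '%s\n' '*filter' ':DOCKER-USER - [0:0]' '-F DOCKER-USER'
    # Replies to flows already allowed come back first.
    printf '%s\n' "-A DOCKER-USER -i $wan -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    # Docker DNATs published ports in PREROUTING, before DOCKER-USER sees the
    # packet in FORWARD, so --dport would match the container's port. The
    # conntrack match --ctorigdstport keeps the port the client actually hit.
    for p in $open_ports; do
        printf '%s\n' "-A DOCKER-USER -i $wan -p tcp -m conntrack --ctorigdstport $p -j RETURN"
    done
    # Ports restricted to specific source networks: one rule per network.
    for spec in "$@"; do
        port="${spec%%=*}"; nets="${spec#*=}"
        for net in $(printf '%s' "$nets" | tr ',' ' '); do
            printf '%s\n' "-A DOCKER-USER -i $wan -p tcp -m conntrack --ctorigdstport $port -s $net -j RETURN"
        done
    done
    # Anything else arriving on the WAN side is dropped; other traffic
    # (LAN, container-to-container) falls through to Docker's own rules.
    printf '%s\n' "-A DOCKER-USER -i $wan -j DROP" '-A DOCKER-USER -j RETURN' 'COMMIT'
}

# Same policy as the rules above: 80/443 open, 8080 only from two subnets.
gen_docker_user_rules ens192 "80 443" "8080=10.11.11.0/24,10.22.22.0/24"
```

Reload with `iptables-restore -n` so the fragment only touches the chains it names and leaves Docker's other chains in place.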

@bermudezmt bermudezmt added the area/networking Relates to anything around networking label May 31, 2019
@docker-robott

There hasn't been any activity on this issue for a long time.
If the problem is still relevant, add a comment on this issue.
If not, this issue will be closed in 14 days.

Mark the issue as fresh with a /remove-lifecycle stale comment.
Prevent issues from auto-closing with a /lifecycle frozen comment.

/lifecycle stale

@docker-robott

/lifecycle stale

@docker-robott

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

/lifecycle locked

@docker docker locked and limited conversation to collaborators Jan 8, 2023