From 9d7d5d206b32d583b92dadb3a3d70563ae08ea58 Mon Sep 17 00:00:00 2001 
From: paigehargrave
Date: Tue, 26 Feb 2019 10:19:44 -0500
Subject: [PATCH 01/14] Update iptables.md

Extra information:

$ docker run -d -p 7777:6379 --name data1 redis
$ docker run -d -p 8888:6379 --name data2 redis
$ sudo iptables -N DOCKER-USER-redis1
$ sudo iptables -A DOCKER-USER-redis1 -s 192.168.56.0/24 -p tcp -m tcp -j RETURN
$ sudo iptables -A DOCKER-USER-redis1 -j REJECT --reject-with icmp-port-unreachable
$ sudo iptables -N DOCKER-USER-redis2
$ sudo iptables -A DOCKER-USER-redis2 -s 10.0.24.0/24 -p tcp -m tcp -j RETURN
$ sudo iptables -A DOCKER-USER-redis2 -j REJECT --reject-with icmp-port-unreachable
$ sudo iptables -A DOCKER-USER -i eth0 -p tcp -m conntrack --ctorigdstport 7777 -j DOCKER-USER-redis1
$ sudo iptables -A DOCKER-USER -i eth0 -p tcp -m conntrack --ctorigdstport 8888 -j DOCKER-USER-redis2

"I think an example like this belongs in the docs as it probably covers what 99% of users are looking for: the ability to expose ports using `-p` but still be able to control traffic to them using common filters like `-s`."

Note that --ctorigdstport matches the original destination port of the first packet of the connection, not the packet being filtered. So the dropping rule will also drop responses to the outgoing connections from Docker to the world on 5000-9999! Add --ctdir ORIGINAL to the DROP rule to match only incoming packets. See github.com/moby/moby/issues/22054#issuecomment-466663033

You can also specify which chains docker should use. For example, in the filter table, specify another chain instead of `FORWARD`. This allows you to use traditional tools to manage the firewall and decide when to pass control to docker.

Information pulled from:
https://github.com/moby/moby/issues/33567
https://unrouted.io/2017/08/15/docker-firewall/
https://github.com/docker/libnetwork/pull/1675
---
 network/iptables.md | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/network/iptables.md b/network/iptables.md index ee8aafb5c74..78abea80eaa 100644 --- a/network/iptables.md +++ b/network/iptables.md 
@@ -15,6 +15,51 @@ manipulate this table manually. If you need to add rules which load before Docker's rules, add them to the `DOCKER-USER` chain. These rules are loaded before any rules Docker creates automatically. +### Add a DOCKER-USER filter chain to allow persistent rules +This can be useful if you need to pre-populate `iptables` rules that need to be in place before Docker runs. The following example creates a new chain named `FILTERS` in which network traffic from `INPUT` AND `DOCKER-USER` is put. + +*filter +:INPUT ACCEPT [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] +:FILTERS - [0:0] +:DOCKER-USER - [0:0] + +-F INPUT +-F DOCKER-USER +-F FILTERS + +-A INPUT -i lo -j ACCEPT +-A INPUT -p icmp --icmp-type any -j ACCEPT +-A INPUT -j FILTERS + +-A DOCKER-USER -i ens33 -j FILTERS + +-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT +-A FILTERS -m state --state NEW -s 1.2.3.4/32 -j ACCEPT +-A FILTERS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT +-A FILTERS -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT +-A FILTERS -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT +-A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT +-A FILTERS -j REJECT --reject-with icmp-host-prohibited + +COMMIT +Load this into the kernel with: +``` +iptables-restore -n /etc/iptables.conf +``` + +Use the previous FILTERS chain setup with the following configuration to allow `icmp` to the docker host and allow host port 22 access and container port 5222 access: + +``` +-A FILTERS -p icmp --icmp-type any -s client_a/32 -j ACCEPT +-A FILTERS -p icmp --icmp-type any -j DROP +-A FILTERS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +-A FILTERS -m conntrack --ctstate NEW -m tcp -p tcp -s client_a/32 --dport 22 -j ACCEPT +-A FILTERS -m conntrack --ctstate NEW -m tcp -p tcp -s client_a/32 --ctorigdstport 5222 -j ACCEPT +-A FILTERS -j DROP +``` + ### Restrict connections to the Docker daemon By default, all external source IPs are allowed to 
connect to the Docker daemon. From 30038a07c75c2dd8eff724df7c47a18d5c41b188 Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Fri, 1 Mar 2019 09:12:58 -0500 Subject: [PATCH 02/14] Added --ctdir info --- network/iptables.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/network/iptables.md b/network/iptables.md index 78abea80eaa..141d5c0563d 100644 --- a/network/iptables.md +++ b/network/iptables.md @@ -60,6 +60,14 @@ Use the previous FILTERS chain setup with the following configuration to allow ` -A FILTERS -j DROP ``` +**Note**: `--ctorigdstport` matches the destination port on the packet that initiated the connection, not the destination port on the packet being filtered. Therefore, responses to requests from Docker to other servers have `SPT=80` and match `--ctorigdstport 80`. + +For tighter control, all rules allowing the connection should have `--ctdir` added to specifically express their meaning, as shown in the following example: + +``` +-A DOCKER-USER -s 1.2.3.4/32 -i eth0 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j ACCEPT +``` + ### Restrict connections to the Docker daemon By default, all external source IPs are allowed to connect to the Docker daemon. From e9e89a6847e9093128e6b6d7eee36c3fc87d7702 Mon Sep 17 00:00:00 2001 From: Maria Bermudez Date: Mon, 11 Mar 2019 17:41:33 -0700 Subject: [PATCH 03/14] Fixed syntax --- network/iptables.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/network/iptables.md b/network/iptables.md index 141d5c0563d..00a0e894004 100644 --- a/network/iptables.md +++ b/network/iptables.md 
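Review bot: In the [PATCH 01/14] hunk, the second `FILTERS` snippet ("Use the previous FILTERS chain setup with the following configuration...") cannot work as written: the first ruleset already ends in the terminal `-A FILTERS -j REJECT --reject-with icmp-host-prohibited`, so anything appended after it is never evaluated, and `client_a/32` is not an address `iptables-restore` can parse. Say that the snippet replaces the earlier `FILTERS` rules and mark `client_a` as a placeholder. Because `FILTERS` is reached from both `INPUT` and `DOCKER-USER`, `--dport 22` also matches forwarded packets whose destination has already been rewritten by DNAT, that is container port 22, not only the host's sshd; this is exactly why the `5222` rule uses `--ctorigdstport`, and one sentence saying so would prevent readers from copying `--dport` into the forwarded path. The `--dport 23` (telnet) rule in the first ruleset is an odd thing to allow in a hardening example and should be dropped. In the [PATCH 02/14] hunk, the new note says every allow rule should carry `--ctdir ORIGINAL`, yet the `--ctorigdstport 5222` rule directly above it is left without it; add it there so the example follows its own advice.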
@@ -17,7 +17,7 @@ before any rules Docker creates automatically. ### Add a DOCKER-USER filter chain to allow persistent rules This can be useful if you need to pre-populate `iptables` rules that need to be in place before Docker runs. The following example creates a new chain named `FILTERS` in which network traffic from `INPUT` AND `DOCKER-USER` is put. - +``` *filter :INPUT ACCEPT [0:0] :FORWARD DROP [0:0] @@ -44,6 +44,8 @@ This can be useful if you need to pre-populate `iptables` rules that need to be -A FILTERS -j REJECT --reject-with icmp-host-prohibited COMMIT +``` + Load this into the kernel with: ``` iptables-restore -n /etc/iptables.conf From ad821c25f7b32cee4fd8365a9d8dbd0209e38987 Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Fri, 7 Jun 2019 16:22:42 -0400 Subject: [PATCH 04/14] Added another example --- network/iptables.md | 174 ++++++++++++++++++++++++++++++++++++++------ 1 file changed, 150 insertions(+), 24 deletions(-) diff --git a/network/iptables.md b/network/iptables.md index 00a0e894004..a821843cb31 100644 --- a/network/iptables.md +++ b/network/iptables.md 
@@ -16,42 +16,46 @@ Docker's rules, add them to the `DOCKER-USER` chain. These rules are loaded before any rules Docker creates automatically. ### Add a DOCKER-USER filter chain to allow persistent rules -This can be useful if you need to pre-populate `iptables` rules that need to be in place before Docker runs. The following example creates a new chain named `FILTERS` in which network traffic from `INPUT` AND `DOCKER-USER` is put. +This can be useful if you need to pre-populate `iptables` rules that need to be in place before +Docker runs. The following example creates a new chain named `FILTERS` in which network traffic +from `INPUT` AND `DOCKER-USER` is put. + ``` *filter -:INPUT ACCEPT [0:0] -:FORWARD DROP [0:0] -:OUTPUT ACCEPT [0:0] -:FILTERS - [0:0] + +# Reset counters :DOCKER-USER - [0:0] --F INPUT +# Flush -F DOCKER-USER --F FILTERS --A INPUT -i lo -j ACCEPT --A INPUT -p icmp --icmp-type any -j ACCEPT --A INPUT -j FILTERS +# Filters : +## Activate established connexions +-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN --A DOCKER-USER -i ens33 -j FILTERS +## Allow all on https/http +-A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 80 -j RETURN +-A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 443 -j RETURN --A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT --A FILTERS -m state --state NEW -s 1.2.3.4/32 -j ACCEPT --A FILTERS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT --A FILTERS -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT --A FILTERS -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT --A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT --A FILTERS -j REJECT --reject-with icmp-host-prohibited +## Allow 8080 from ip +-A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.11.11.0/24 -j RETURN +-A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.22.22.0/24 -j RETURN + +# Block all external +-A 
DOCKER-USER -i eth0 -j DROP +-A DOCKER-USER -j RETURN COMMIT ``` Load this into the kernel with: -``` -iptables-restore -n /etc/iptables.conf + +```bash +$ iptables-restore -n /etc/iptables.conf ``` -Use the previous FILTERS chain setup with the following configuration to allow `icmp` to the docker host and allow host port 22 access and container port 5222 access: +Use the previous `FILTERS` chain setup with the following configuration to allow `icmp` to the docker +host and allow host port `22` access and container port `5222` access: ``` -A FILTERS -p icmp --icmp-type any -s client_a/32 -j ACCEPT @@ -62,9 +66,12 @@ Use the previous FILTERS chain setup with the following configuration to allow ` -A FILTERS -j DROP ``` -**Note**: `--ctorigdstport` matches the destination port on the packet that initiated the connection, not the destination port on the packet being filtered. Therefore, responses to requests from Docker to other servers have `SPT=80` and match `--ctorigdstport 80`. +> **Note**: `--ctorigdstport` matches the destination port on the packet that initiated the connection, +not the destination port on the packet being filtered. Therefore, responses to requests from Docker +to other servers have `SPT=80`, and match `--ctorigdstport 80`. -For tighter control, all rules allowing the connection should have `--ctdir` added to specifically express their meaning, as shown in the following example: +For tighter control, all rules allowing the connection should have `--ctdir` added to specifically +express their meaning, as shown in the following example: ``` -A DOCKER-USER -s 1.2.3.4/32 -i eth0 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j ACCEPT 
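Review bot: In the first [PATCH 04/14] hunk, the replacement ruleset no longer declares a `FILTERS` chain, but the retained prose still says the example "creates a new chain named `FILTERS` in which network traffic from `INPUT` AND `DOCKER-USER` is put", and the paragraph below still opens with "Use the previous `FILTERS` chain setup" before `-A FILTERS ...` rules that `iptables-restore` would now reject because the chain is never defined. Either keep the `:FILTERS - [0:0]` declaration and the `INPUT`/`DOCKER-USER` jumps, or rewrite both paragraphs to describe the `DOCKER-USER`-only ruleset. Also spell "connexions" as "connections" in the `## Activate established connexions` comment, and in the second hunk prefix the two continuation lines of the `> **Note**` with `> ` rather than relying on lazy continuation.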
@@ -104,6 +111,124 @@ the source and destination. For instance, if the Docker daemon listens on both topic. See the [Netfilter.org HOWTO](https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html) for a lot more information. +### Name of example??? +The following example provides a set of filters, and uses those filters for container and host traffic: + +``` +# Filters +## Activate established connexions +-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT + +## Monitoring +-A FILTERS -s 10.1.1.1/32 -p udp -m udp --dport 161 -j ACCEPT +-A FILTERS -s 10.1.1.1/32 -p tcp -m tcp --dport 5666 -j ACCEPT +-A FILTERS -s 10.1.1.1/32 -p icmp --icmp-type any -j ACCEPT + +## Admin ssh +-A FILTERS -s 10.0.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT +-A FILTERS -s 10.0.1.1/32 -p tcp -m tcp --dport 22 -j ACCEPT + +## Admin ping +-A FILTERS -s 10.0.0.1/32 -p icmp --icmp-type any -j ACCEPT +-A FILTERS -s 10.0.1.1/32 -p icmp --icmp-type any -j ACCEPT + +## Drop public in +-A FILTERS -j DROP +``` + +#### To filter container traffic: + +``` +*filter + +# WAN = ens192 ; LAN = ens160 + +# Reset counters +:DOCKER-USER - [0:0] + +# Flush +-F DOCKER-USER + +# Filters : +## Activate established connexions +-A DOCKER-USER -i ens192 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN + +## Allow all on https/http +-A DOCKER-USER -i ens192 -p tcp -m tcp -m conntrack --ctorigdstport 80 -j RETURN +-A DOCKER-USER -i ens192 -p tcp -m tcp -m conntrack --ctorigdstport 443 -j RETURN + +## Allow 8080 from ip +-A DOCKER-USER -i ens192 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.11.11.0/24 -j RETURN +-A DOCKER-USER -i ens192 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.22.22.0/24 -j RETURN + +# Block all external +-A DOCKER-USER -i ens192 -j DROP +-A DOCKER-USER -j RETURN + +COMMIT +``` + +#### To filter host traffic: + +``` +*filter + +# WAN = ens192 ; LAN = ens160 + +# Reset counters +:INPUT ACCEPT [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] +:FILTERS - [0:0] 
+:FILTERS-LAN - [0:0] + +# Flush +-F INPUT +-F FILTERS +-F FILTERS-LAN + +# Select +-A INPUT -i lo -j ACCEPT +-A INPUT -i ens160 -j FILTERS-LAN +-A INPUT -i ens192 -j FILTERS + +# Filters +## Activate established connexions +-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT + +## Monitoring +-A FILTERS -s 10.1.1.1/32 -p udp -m udp --dport 161 -j ACCEPT +-A FILTERS -s 10.1.1.1/32 -p tcp -m tcp --dport 5666 -j ACCEPT +-A FILTERS -s 10.1.1.1/32 -p icmp --icmp-type any -j ACCEPT + +## Admin ssh +-A FILTERS -s 10.0.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT +-A FILTERS -s 10.0.1.1/32 -p tcp -m tcp --dport 22 -j ACCEPT + +## Admin ping +-A FILTERS -s 10.0.0.1/32 -p icmp --icmp-type any -j ACCEPT +-A FILTERS -s 10.0.1.1/32 -p icmp --icmp-type any -j ACCEPT + +## Drop public in +-A FILTERS -j DROP + +# Filters-LAN +## Activate established connexions +-A FILTERS-LAN -m state --state ESTABLISHED,RELATED -j ACCEPT + +## Admin allow all +-A FILTERS-LAN -s 10.0.1.1/32 -j ACCEPT + +## Ping +-A FILTERS-LAN -s 10.0.1.1/24 -p icmp --icmp-type any -j ACCEPT + +## Log and Drop lan in +-A FILTERS-LAN -j LOG --log-prefix "[LAN BLOCK] " +-A FILTERS-LAN -j DROP + +## Commit +COMMIT +``` ## Prevent Docker from manipulating iptables @@ -113,4 +238,5 @@ for most users, because the `iptables` policies then need to be managed by hand. ## Next steps -- Read [Docker Reference Architecture: Designing Scalable, Portable Docker Container Networks](https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks) +- Read [Docker Reference Architecture: Designing Scalable, Portable Docker Container Networks] +(https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks) From 3c582abad8c92b14a7d0a5e7b0913e6aafe3708e Mon Sep 17 00:00:00 2001 
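Review bot: In the third [PATCH 04/14] hunk, the heading `### Name of example???` is a placeholder and cannot ship; the standalone `# Filters` snippet under it repeats verbatim the `FILTERS` rules that appear again in the host-traffic block, so drop it and name the section for what it shows. In the host-traffic block, `-A FILTERS-LAN -s 10.0.1.1/24 -p icmp --icmp-type any -j ACCEPT` has host bits set: `iptables` silently normalises it to `10.0.1.0/24`, so the rule admits ICMP from the whole LAN subnet while reading as if it concerned the single admin host used on the line above (`10.0.1.1/32`). Write `10.0.1.0/24` if the subnet is intended, or `/32` if not. In the last hunk, splitting the "Next steps" link into `[...]` on one line and `(https://...)` on the next breaks the Markdown link; keep it on one line.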
From: paigehargrave Date: Fri, 7 Jun 2019 16:59:43 -0400 Subject: [PATCH 05/14] Updates per Arko --- network/iptables.md | 46 ++++++++++++--------------------------------- 1 file changed, 12 insertions(+), 34 deletions(-) diff --git a/network/iptables.md b/network/iptables.md index a821843cb31..9ea8df2df15 100644 --- a/network/iptables.md +++ b/network/iptables.md @@ -111,37 +111,15 @@ the source and destination. For instance, if the Docker daemon listens on both topic. See the [Netfilter.org HOWTO](https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html) for a lot more information. -### Name of example??? -The following example provides a set of filters, and uses those filters for container and host traffic: - -``` -# Filters -## Activate established connexions --A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT - -## Monitoring --A FILTERS -s 10.1.1.1/32 -p udp -m udp --dport 161 -j ACCEPT --A FILTERS -s 10.1.1.1/32 -p tcp -m tcp --dport 5666 -j ACCEPT --A FILTERS -s 10.1.1.1/32 -p icmp --icmp-type any -j ACCEPT - -## Admin ssh --A FILTERS -s 10.0.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT --A FILTERS -s 10.0.1.1/32 -p tcp -m tcp --dport 22 -j ACCEPT - -## Admin ping --A FILTERS -s 10.0.0.1/32 -p icmp --icmp-type any -j ACCEPT --A FILTERS -s 10.0.1.1/32 -p icmp --icmp-type any -j ACCEPT - -## Drop public in --A FILTERS -j DROP -``` +### Filtering container and host traffic +The following example provides a set of filters and uses those filters for container and host traffic: #### To filter container traffic: ``` *filter -# WAN = ens192 ; LAN = ens160 +# WAN = yourwan ; LAN = yourlan # Reset counters :DOCKER-USER - [0:0] 
@@ -151,18 +129,18 @@ The following example provides a set of filters, and uses those filters for cont # Filters : ## Activate established connexions --A DOCKER-USER -i ens192 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN +-A DOCKER-USER -i yourwan -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN ## Allow all on https/http --A DOCKER-USER -i ens192 -p tcp -m tcp -m conntrack --ctorigdstport 80 -j RETURN --A DOCKER-USER -i ens192 -p tcp -m tcp -m conntrack --ctorigdstport 443 -j RETURN +-A DOCKER-USER -i yourwan -p tcp -m tcp -m conntrack --ctorigdstport 80 -j RETURN +-A DOCKER-USER -i yourwan -p tcp -m tcp -m conntrack --ctorigdstport 443 -j RETURN ## Allow 8080 from ip --A DOCKER-USER -i ens192 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.11.11.0/24 -j RETURN --A DOCKER-USER -i ens192 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.22.22.0/24 -j RETURN +-A DOCKER-USER -i yourwan -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.11.11.0/24 -j RETURN +-A DOCKER-USER -i yourwan -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.22.22.0/24 -j RETURN # Block all external --A DOCKER-USER -i ens192 -j DROP +-A DOCKER-USER -i yourwan -j DROP -A DOCKER-USER -j RETURN COMMIT @@ -173,7 +151,7 @@ COMMIT ``` *filter -# WAN = ens192 ; LAN = ens160 +# WAN = yourwan ; LAN = yourlan # Reset counters :INPUT ACCEPT [0:0] @@ -189,8 +167,8 @@ COMMIT # Select -A INPUT -i lo -j ACCEPT --A INPUT -i ens160 -j FILTERS-LAN --A INPUT -i ens192 -j FILTERS +-A INPUT -i yourlan -j FILTERS-LAN +-A INPUT -i yourwan -j FILTERS # Filters ## Activate established connexions From cceb812040406fb646e1ae5f3bddb6d9f5a40c86 Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Fri, 7 Jun 2019 17:18:41 -0400 Subject: [PATCH 06/14] Updates for WAN/LAN filters --- network/iptables.md | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/network/iptables.md b/network/iptables.md index 9ea8df2df15..4befdd92b85 100644 --- a/network/iptables.md 
+++ b/network/iptables.md @@ -119,7 +119,7 @@ The following example provides a set of filters and uses those filters for conta ``` *filter -# WAN = yourwan ; LAN = yourlan +# WAN = ens0 ; LAN = eth0 # Reset counters :DOCKER-USER - [0:0] @@ -129,18 +129,18 @@ The following example provides a set of filters and uses those filters for conta # Filters : ## Activate established connexions --A DOCKER-USER -i yourwan -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN +-A DOCKER-USER -i ens0 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN ## Allow all on https/http --A DOCKER-USER -i yourwan -p tcp -m tcp -m conntrack --ctorigdstport 80 -j RETURN --A DOCKER-USER -i yourwan -p tcp -m tcp -m conntrack --ctorigdstport 443 -j RETURN +-A DOCKER-USER -i ens0 -p tcp -m tcp -m conntrack --ctorigdstport 80 -j RETURN +-A DOCKER-USER -i ens0 -p tcp -m tcp -m conntrack --ctorigdstport 443 -j RETURN ## Allow 8080 from ip --A DOCKER-USER -i yourwan -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.11.11.0/24 -j RETURN --A DOCKER-USER -i yourwan -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.22.22.0/24 -j RETURN +-A DOCKER-USER -i ens0 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.11.11.0/24 -j RETURN +-A DOCKER-USER -i ens0 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.22.22.0/24 -j RETURN # Block all external --A DOCKER-USER -i yourwan -j DROP +-A DOCKER-USER -i ens0 -j DROP -A DOCKER-USER -j RETURN COMMIT @@ -148,10 +148,12 @@ COMMIT #### To filter host traffic: +> **Note**: Set the filter for WAN based on your host WAN interface. + ``` *filter -# WAN = yourwan ; LAN = yourlan +# WAN = ens0 ; LAN = eth0 # Reset counters :INPUT ACCEPT [0:0] @@ -167,8 +169,8 @@ COMMIT # Select -A INPUT -i lo -j ACCEPT --A INPUT -i yourlan -j FILTERS-LAN --A INPUT -i yourwan -j FILTERS +-A INPUT -i eth0 -j FILTERS-LAN +-A INPUT -i ens0 -j FILTERS # Filters ## Activate established connexions From 5857fa55d4a4e8930e1d75960cdf65ccbebdf32d Mon Sep 17 00:00:00 2001 
From: paigehargrave Date: Fri, 7 Jun 2019 17:35:57 -0400 Subject: [PATCH 07/14] WAN/LAN filter updates --- network/iptables.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/network/iptables.md b/network/iptables.md index 4befdd92b85..b0291f79a67 100644 --- a/network/iptables.md +++ b/network/iptables.md @@ -119,7 +119,7 @@ The following example provides a set of filters and uses those filters for conta ``` *filter -# WAN = ens0 ; LAN = eth0 +# WAN = eth0 ; LAN = eth1 # Reset counters :DOCKER-USER - [0:0] @@ -129,18 +129,18 @@ The following example provides a set of filters and uses those filters for conta # Filters : ## Activate established connexions --A DOCKER-USER -i ens0 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN +-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN ## Allow all on https/http --A DOCKER-USER -i ens0 -p tcp -m tcp -m conntrack --ctorigdstport 80 -j RETURN --A DOCKER-USER -i ens0 -p tcp -m tcp -m conntrack --ctorigdstport 443 -j RETURN +-A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 80 -j RETURN +-A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 443 -j RETURN ## Allow 8080 from ip --A DOCKER-USER -i ens0 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.11.11.0/24 -j RETURN --A DOCKER-USER -i ens0 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.22.22.0/24 -j RETURN +-A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.11.11.0/24 -j RETURN +-A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.22.22.0/24 -j RETURN # Block all external --A DOCKER-USER -i ens0 -j DROP +-A DOCKER-USER -i eth0 -j DROP -A DOCKER-USER -j RETURN COMMIT @@ -153,7 +153,7 @@ COMMIT ``` *filter -# WAN = ens0 ; LAN = eth0 +# WAN = eth0 ; LAN = eth1 # Reset counters :INPUT ACCEPT [0:0] 
@@ -169,8 +169,8 @@ COMMIT # Select -A INPUT -i lo -j ACCEPT --A INPUT -i eth0 -j FILTERS-LAN --A INPUT -i ens0 -j FILTERS +-A INPUT -i eth1 -j FILTERS-LAN +-A INPUT -i eth0 -j FILTERS # Filters ## Activate established connexions From 2667acb7314466b457e641b56be93a7b0eba3c9c Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Mon, 10 Jun 2019 16:31:25 -0400 Subject: [PATCH 08/14] Removed redundant info per Arko --- network/iptables.md | 57 --------------------------------------------- 1 file changed, 57 deletions(-) diff --git a/network/iptables.md b/network/iptables.md index b0291f79a67..8aa7ca6208e 100644 --- a/network/iptables.md +++ b/network/iptables.md 
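Review bot: The `# WAN = ... ; LAN = ...` comment and every `-i` argument in the container and host blocks are renamed three times in a row (`ens192`/`ens160` to `yourwan`/`yourlan` in [PATCH 05/14], to `ens0`/`eth0` in [PATCH 06/14], to `eth0`/`eth1` in [PATCH 07/14]); squash these into one commit so the history carries only the final names. Given that the note added in [PATCH 06/14] already tells readers to "Set the filter for WAN based on your host WAN interface", the explicit placeholders from [PATCH 05/14] communicated that intent more clearly than real-looking names, and the `ens0`/`eth0` pair in [PATCH 06/14] mixed two naming schemes.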
@@ -20,63 +20,6 @@ This can be useful if you need to pre-populate `iptables` rules that need to be Docker runs. The following example creates a new chain named `FILTERS` in which network traffic from `INPUT` AND `DOCKER-USER` is put. -``` -*filter - -# Reset counters -:DOCKER-USER - [0:0] - -# Flush --F DOCKER-USER - -# Filters : -## Activate established connexions --A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN - -## Allow all on https/http --A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 80 -j RETURN --A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 443 -j RETURN - -## Allow 8080 from ip --A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.11.11.0/24 -j RETURN --A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.22.22.0/24 -j RETURN - -# Block all external --A DOCKER-USER -i eth0 -j DROP --A DOCKER-USER -j RETURN - -COMMIT -``` - -Load this into the kernel with: - -```bash -$ iptables-restore -n /etc/iptables.conf -``` - -Use the previous `FILTERS` chain setup with the following configuration to allow `icmp` to the docker -host and allow host port `22` access and container port `5222` access: - -``` --A FILTERS -p icmp --icmp-type any -s client_a/32 -j ACCEPT --A FILTERS -p icmp --icmp-type any -j DROP --A FILTERS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT --A FILTERS -m conntrack --ctstate NEW -m tcp -p tcp -s client_a/32 --dport 22 -j ACCEPT --A FILTERS -m conntrack --ctstate NEW -m tcp -p tcp -s client_a/32 --ctorigdstport 5222 -j ACCEPT --A FILTERS -j DROP -``` - -> **Note**: `--ctorigdstport` matches the destination port on the packet that initiated the connection, -not the destination port on the packet being filtered. Therefore, responses to requests from Docker -to other servers have `SPT=80`, and match `--ctorigdstport 80`. 
- -For tighter control, all rules allowing the connection should have `--ctdir` added to specifically -express their meaning, as shown in the following example: - -``` --A DOCKER-USER -s 1.2.3.4/32 -i eth0 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j ACCEPT -``` - ### Restrict connections to the Docker daemon By default, all external source IPs are allowed to connect to the Docker daemon. From a110170aae84059a69495044b4c7136eaad7cab4 Mon Sep 17 00:00:00 2001 From: Dawn W <51414965+DawnWood-Docker@users.noreply.github.com> Date: Fri, 13 Sep 2019 08:58:34 -0700 Subject: [PATCH 09/14] Update network/iptables.md Co-Authored-By: Arko Dasgupta --- network/iptables.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network/iptables.md b/network/iptables.md index 8aa7ca6208e..82b3196fe88 100644 --- a/network/iptables.md +++ b/network/iptables.md @@ -17,7 +17,7 @@ before any rules Docker creates automatically. ### Add a DOCKER-USER filter chain to allow persistent rules This can be useful if you need to pre-populate `iptables` rules that need to be in place before -Docker runs. The following example creates a new chain named `FILTERS` in which network traffic +Docker runs. The following example illustrates how rules can be added to the DOCKER-USER chain from `INPUT` AND `DOCKER-USER` is put. ### Restrict connections to the Docker daemon From 477dcfbe325f8b5ef686fb9a4c3f33d360340d32 Mon Sep 17 00:00:00 2001 From: Dawn W <51414965+DawnWood-Docker@users.noreply.github.com> Date: Tue, 17 Sep 2019 09:39:40 -0700 Subject: [PATCH 10/14] Update network/iptables.md Co-Authored-By: Arko Dasgupta --- network/iptables.md | 1 - 1 file changed, 1 deletion(-) diff --git a/network/iptables.md b/network/iptables.md index 82b3196fe88..61f4ff569b3 100644 --- a/network/iptables.md +++ b/network/iptables.md 
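Review bot: The [PATCH 08/14] hunk removes the entire example under `### Add a DOCKER-USER filter chain to allow persistent rules` but keeps the sentence "The following example creates a new chain named `FILTERS`...", which now points at nothing; the [PATCH 09/14] rewrite of that line then leaves the fragment "from `INPUT` AND `DOCKER-USER` is put." dangling on its own line and the new sentence without a full stop. Either restore a short `DOCKER-USER` example here or fold the section into the preceding `DOCKER-USER` paragraph. Removing the `--ctorigdstport`/`--ctdir ORIGINAL` note also drops the one caveat this series was opened to document (see the [PATCH 01/14] message); it comes back in [PATCH 12/14], so squashing 08 and 12 would avoid a commit at which the page lacks it.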
@@ -18,7 +18,6 @@ before any rules Docker creates automatically. ### Add a DOCKER-USER filter chain to allow persistent rules This can be useful if you need to pre-populate `iptables` rules that need to be in place before Docker runs. The following example illustrates how rules can be added to the DOCKER-USER chain -from `INPUT` AND `DOCKER-USER` is put. ### Restrict connections to the Docker daemon From 4a3919f8b5ebebad404fe61be8bc6ae3cfb08721 Mon Sep 17 00:00:00 2001 From: Dawn W <51414965+DawnWood-Docker@users.noreply.github.com> Date: Tue, 17 Sep 2019 09:39:51 -0700 Subject: [PATCH 11/14] Update network/iptables.md Co-Authored-By: Arko Dasgupta --- network/iptables.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network/iptables.md b/network/iptables.md index 61f4ff569b3..1151acbe8e2 100644 --- a/network/iptables.md +++ b/network/iptables.md @@ -53,7 +53,7 @@ the source and destination. For instance, if the Docker daemon listens on both topic. See the [Netfilter.org HOWTO](https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html) for a lot more information. -### Filtering container and host traffic +### Filtering container traffic The following example provides a set of filters and uses those filters for container and host traffic: #### To filter container traffic: From b18c7a25905195d5fec7991c1cb161a85d28dc1a Mon Sep 17 00:00:00 2001 From: Dawn W <51414965+DawnWood-Docker@users.noreply.github.com> Date: Tue, 17 Sep 2019 09:40:00 -0700 Subject: [PATCH 12/14] Update network/iptables.md Co-Authored-By: Arko Dasgupta --- network/iptables.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/network/iptables.md b/network/iptables.md index 1151acbe8e2..0b92d7b43bf 100644 --- a/network/iptables.md +++ b/network/iptables.md 
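Review bot: The [PATCH 11/14] hunk renames the heading to `### Filtering container traffic`, but the line kept beneath it still reads "uses those filters for container and host traffic", and the `#### To filter host traffic:` subsection is still in the file at this point; change the sentence together with the heading. The [PATCH 10/14] hunk removes the dangling fragment but leaves "The following example illustrates how rules can be added to the DOCKER-USER chain" without a terminating period and with the `### Restrict connections to the Docker daemon` heading as the only thing following it.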
@@ -87,7 +87,16 @@ The following example provides a set of filters and uses those filters for conta COMMIT ``` - +> **Note**: `--ctorigdstport` matches the destination port on the packet that initiated the connection, + not the destination port on the packet being filtered. Therefore, responses to requests from Docker + to other servers have `SPT=80`, and match `--ctorigdstport 80`. + + For tighter control, all rules allowing the connection should have `--ctdir` added to specifically + express their meaning, as shown in the following example: + + ``` + -A DOCKER-USER -s 1.2.3.4/32 -i eth0 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j ACCEPT + ``` #### To filter host traffic: > **Note**: Set the filter for WAN based on your host WAN interface. From 299edec3499e6832c1bc7070e8b3f1f29fe8fa9d Mon Sep 17 00:00:00 2001 From: Dawn W <51414965+DawnWood-Docker@users.noreply.github.com> Date: Tue, 17 Sep 2019 09:40:21 -0700 Subject: [PATCH 13/14] Update network/iptables.md Co-Authored-By: Arko Dasgupta --- network/iptables.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/network/iptables.md b/network/iptables.md index 0b92d7b43bf..a7b023fe0fd 100644 --- a/network/iptables.md +++ b/network/iptables.md @@ -159,7 +159,11 @@ COMMIT ## Commit COMMIT -``` +Load this into the kernel with: + + ```bash + $ iptables-restore -n /etc/iptables.conf + ``` ## Prevent Docker from manipulating iptables From 3ef6e5a9e58260e9333fa7c046cdecbc885ae9cc Mon Sep 17 00:00:00 2001 From: Dawn W <51414965+DawnWood-Docker@users.noreply.github.com> Date: Tue, 17 Sep 2019 13:15:23 -0700 Subject: [PATCH 14/14] Update iptables.md --- network/iptables.md | 73 ++------------------------------------------- 1 file changed, 3 insertions(+), 70 deletions(-) diff --git a/network/iptables.md b/network/iptables.md index a7b023fe0fd..a354a423315 100644 --- a/network/iptables.md +++ b/network/iptables.md 
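Review bot: The [PATCH 13/14] hunk replaces the closing triple-backtick line of the host-traffic `*filter` block with "Load this into the kernel with:", so that block is never closed: a closing fence cannot carry an info string, so the indented ` ```bash` that follows does not close it either, and the prose plus the bash fence render inside the iptables block. Keep the closing fence and add the prose after it. In the [PATCH 12/14] hunk, the continuation lines of the `> **Note**`, the "For tighter control" paragraph and the fence around the `--ctdir ORIGINAL` rule are all indented by one space, and no blank line separates that fence from `#### To filter host traffic:`; remove the indentation and add the blank line so the note matches the formatting it had before [PATCH 08/14] removed it.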
@@ -17,13 +17,13 @@ before any rules Docker creates automatically. ### Add a DOCKER-USER filter chain to allow persistent rules This can be useful if you need to pre-populate `iptables` rules that need to be in place before -Docker runs. The following example illustrates how rules can be added to the DOCKER-USER chain +Docker runs. The following example illustrates how rules can be added to the `DOCKER-USER` chain ### Restrict connections to the Docker daemon By default, all external source IPs are allowed to connect to the Docker daemon. To allow only a specific IP or network to access the containers, insert a -negated rule at the top of the DOCKER filter chain. For example, the following +negated rule at the top of the `DOCKER-USER` filter chain. For example, the following rule restricts external access to all IP addresses except 192.168.1.1: ```bash @@ -56,11 +56,7 @@ for a lot more information. ### Filtering container traffic The following example provides a set of filters and uses those filters for container and host traffic: -#### To filter container traffic: - ``` -*filter - # WAN = eth0 ; LAN = eth1 # Reset counters 
@@ -94,72 +90,9 @@ COMMIT For tighter control, all rules allowing the connection should have `--ctdir` added to specifically express their meaning, as shown in the following example: - ``` -A DOCKER-USER -s 1.2.3.4/32 -i eth0 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j ACCEPT - ``` -#### To filter host traffic: - -> **Note**: Set the filter for WAN based on your host WAN interface. - -``` -*filter - -# WAN = eth0 ; LAN = eth1 - -# Reset counters -:INPUT ACCEPT [0:0] -:FORWARD DROP [0:0] -:OUTPUT ACCEPT [0:0] -:FILTERS - [0:0] -:FILTERS-LAN - [0:0] - -# Flush --F INPUT --F FILTERS --F FILTERS-LAN -# Select --A INPUT -i lo -j ACCEPT --A INPUT -i eth1 -j FILTERS-LAN --A INPUT -i eth0 -j FILTERS - -# Filters -## Activate established connexions --A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT - -## Monitoring --A FILTERS -s 10.1.1.1/32 -p udp -m udp --dport 161 -j ACCEPT --A FILTERS -s 10.1.1.1/32 -p tcp -m tcp --dport 5666 -j ACCEPT --A FILTERS -s 10.1.1.1/32 -p icmp --icmp-type any -j ACCEPT - -## Admin ssh --A FILTERS -s 10.0.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT --A FILTERS -s 10.0.1.1/32 -p tcp -m tcp --dport 22 -j ACCEPT - -## Admin ping --A FILTERS -s 10.0.0.1/32 -p icmp --icmp-type any -j ACCEPT --A FILTERS -s 10.0.1.1/32 -p icmp --icmp-type any -j ACCEPT - -## Drop public in --A FILTERS -j DROP - -# Filters-LAN -## Activate established connexions --A FILTERS-LAN -m state --state ESTABLISHED,RELATED -j ACCEPT - -## Admin allow all --A FILTERS-LAN -s 10.0.1.1/32 -j ACCEPT - -## Ping --A FILTERS-LAN -s 10.0.1.1/24 -p icmp --icmp-type any -j ACCEPT - -## Log and Drop lan in --A FILTERS-LAN -j LOG --log-prefix "[LAN BLOCK] " --A FILTERS-LAN -j DROP - -## Commit -COMMIT -Load this into the kernel with: +Load these rules with: ```bash $ iptables-restore -n /etc/iptables.conf
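Review bot: In the second [PATCH 14/14] hunk, deleting the `*filter` line leaves a ruleset that opens with `# WAN = eth0 ; LAN = eth1` and still ends in `COMMIT` but never names a table, so `iptables-restore -n /etc/iptables.conf`, which the page still tells readers to run, rejects the file because the `:DOCKER-USER - [0:0]` declaration and the `-A` rules appear outside any table; keep `*filter`. In the third hunk, removing the fence lines around `-A DOCKER-USER -s 1.2.3.4/32 -i eth0 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j ACCEPT` turns the rule into a plain paragraph; restore the fence. The `DOCKER` to `DOCKER-USER` correction in the first hunk is the right call: the page's own text says rules that must load before Docker's rules belong in `DOCKER-USER`, whereas the `DOCKER` chain is populated by Docker, so a restriction inserted there can be lost when Docker rewrites the chain. The sentence "The following example illustrates how rules can be added to the `DOCKER-USER` chain" still has no example beneath it and no period.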