Docker and Firewalld
Overview
To secure Docker exposed ports from external access, so access is only allowed for named IP addresses, you can use firewalld rules.
I needed to play around a bit, as all the information I found so far is either not working, or just exposes ports to the public, which I wanted to avoid.
I needed to play around a bit, as all the information I found so far is either not working, or just exposes ports to the public, which I wanted to avoid.
Tested on CentOS7 with Docker-CE 18.09.6
- Docker maintains IPTABLES chain "DOCKER-USER".
- If you restart firewalld when docker is running, firewalld is removing the DOCKER-USER chain, so no Docker access is possible after this.
- Docker adds a default rule to the DOCKER-USER chain which allows all IPs to access (possibly unsecure).
We can achive secured Docker ports maintained by firewalld by letting firewalld create the DOCKER-USER chain, then apply iptables direct rules to secure the docker ports in this chain. When Docker is then started, it adds its allow-all rule to the bottom of our chain, but as we add a reject-all rule before, this rule is not in effect.
Configure firewalld
Example:
We expose Docker Ports 80 (HTTP) and 443 (HTTPS) of an NGINX docker container and want to allow access to this ports only by named IP addresses or subnets.
This must lead to a /etc/firewalld/direct.xml file like this:
Docker Port Forwardings
If you mapped Docker Container ports to another host port (e.g. 8443:443), you must state the target NAT port (so the Docker Container port), and not the NAT source port (in the example above, you must open port 443/tcp, not port 8443/tcp).
I do not fully understand why it is so, but I assume NAT happens in chain "DOCKER" before "DOCKER-USER", but thats just an assumption.
I do not fully understand why it is so, but I assume NAT happens in chain "DOCKER" before "DOCKER-USER", but thats just an assumption.
Debug log
For debug purposes, you can add logging to the DOCKER-USER chain with highest priority. Perform "firewall-cmd --reload" to deactivate this logging again.
Tip
If you want to restart, you can stop firewalld, remove /etc/firewalld/direct.xml and start firewalld again.
Ensure Docker is NOT running when you want to restart.