How to setup FirewallD to filter traffic to docker exposed port

Question

I have setup a pi-hole docker container and exposed the dns ports and port 80 on CentOS7. However the ports are available for all sources now which is not very handy since its running on a VPS.

So I am trying to have firewallD filter the traffic going to my docker container.

So my docker container is running as followed:

docker ps
CONTAINER ID        IMAGE                  COMMAND             CREATED             STATUS                       PORTS                                                        NAMES
18881454da0c        pihole/pihole:latest   "/s6-init"          24 hours ago        Up About an hour (healthy)   0.0.0.0:53->53/tcp, 0.0.0.0:80->80/tcp, 0.0.0.0:53->53/udp   pihole

on firewallD I have setup the following acl(traffic going to CentOS is filtered fine by this):

sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: docker0
  sources:
  services: 
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="<home ip>/32" accept

And I have set the docker0 interface to zone public:

sudo firewall-cmd --permanent --zone=public --change-interface=docker0
sudo firewall-cmd --get-active-zones
public
  interfaces: docker0

But when I do a portscan from internet I still see all docker-exposed ports.

I can solve this using iptables commands:

sudo iptables -N CUSTOM_PIHOLE
sudo iptables -A CUSTOM_PIHOLE --source <home ip> --destination 172.17.0.2 -j ACCEPT
sudo iptables -R DOCKER 1 --source 0.0.0.0/0 --destination 172.17.0.2 -j CUSTOM_PIHOLE 
sudo iptables -D DOCKER 3
sudo iptables -D DOCKER 2

But then when firewallD reloads this config is lost.

Is there a way to filter traffic to the docker-container using firewallD?

Answer 1

Found the answer. see the following links:

• https://github.com/moby/moby/issues/35043#issuecomment-356036671
• https://docs.docker.com/network/iptables/