I have set up a Pi-hole docker container and exposed the DNS ports and port 80 on CentOS 7. However, the ports are now available to all sources, which is not very handy since it's running on a VPS.
So I am trying to have firewallD filter the traffic going to my docker container.
So my docker container is running as follows:
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
18881454da0c pihole/pihole:latest "/s6-init" 24 hours ago Up About an hour (healthy) 0.0.0.0:53->53/tcp, 0.0.0.0:80->80/tcp, 0.0.0.0:53->53/udp pihole
On firewallD I have set up the following ACL (traffic going to CentOS is filtered fine by this):
sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: docker0
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="<home ip>/32" accept
And I have set the docker0 interface to zone public:
sudo firewall-cmd --permanent --zone=public --change-interface=docker0
sudo firewall-cmd --get-active-zones
public
interfaces: docker0
But when I do a port scan from the internet I still see all docker-exposed ports.
I can solve this using iptables commands:
sudo iptables -N CUSTOM_PIHOLE
sudo iptables -A CUSTOM_PIHOLE --source <home ip> --destination 172.17.0.2 -j ACCEPT
sudo iptables -R DOCKER 1 --source 0.0.0.0/0 --destination 172.17.0.2 -j CUSTOM_PIHOLE
sudo iptables -D DOCKER 3
sudo iptables -D DOCKER 2
But then when firewallD reloads, this config is lost.
Is there a way to filter traffic to the docker-container using firewallD?
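The gap the question describes, as an added audit example that is not from the post or from Pi-hole/Docker: it parses the PORTS column of docker ps and the zone's rich rules, and lists every published port bound to a wildcard address. Such ports are reached on the public NIC and accepted by Docker's own DOCKER chain (the same chain the iptables workaround above edits), so a zone attached to docker0 never gets to filter them. The sample PORTS string and the 203.0.113.10/32 source are constructed inputs.

```python
import re

# Constructed samples (not from the post): the PORTS column of the docker ps
# line above, and the zone's rich rule with the home IP replaced by a
# documentation address.
SAMPLE_PORTS = "0.0.0.0:53->53/tcp, 0.0.0.0:80->80/tcp, 0.0.0.0:53->53/udp"
SAMPLE_RICH = 'rule family="ipv4" source address="203.0.113.10/32" accept'

# host:hostport->containerport/proto; host is an IPv4 or bracketed IPv6 address
PORT_RE = re.compile(
    r"(?P<host>\[?[0-9A-Fa-f.:]+\]?):(?P<hport>\d+)->(?P<cport>\d+)/(?P<proto>tcp|udp)"
)
# Bindings to these addresses listen on every host interface.
WILDCARDS = {"0.0.0.0", "::", "[::]"}


def parse_published(ports_field):
    """Return [(host_ip, host_port, proto), ...] from a docker ps PORTS column."""
    return [(m.group("host"), int(m.group("hport")), m.group("proto"))
            for m in PORT_RE.finditer(ports_field)]


def world_reachable(ports_field):
    """Published ports bound to a wildcard address. Traffic to them enters the
    host on the public NIC and is accepted by Docker's DOCKER chain, so a zone
    attached to docker0 does not filter it."""
    return [f"{port}/{proto}" for host, port, proto in parse_published(ports_field)
            if host in WILDCARDS]


def allowed_sources(rich_rules):
    """Source prefixes that the zone's rich rules accept."""
    return re.findall(r'source address="([^"]+)"\s+accept', rich_rules)


def audit(ports_field, rich_rules):
    """Summarise the gap between what the zone intends and what Docker exposes."""
    return {
        "intended_sources": allowed_sources(rich_rules),
        "world_reachable": world_reachable(ports_field),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_PORTS, SAMPLE_RICH)
    for key in result["world_reachable"]:
        print(f"{key}: reachable from any source; zone rule for "
              f"{result['intended_sources']} does not apply")
```

Feed it the real PORTS column and the "rich rules" block from firewall-cmd --list-all to see which published ports your zone rules are not protecting.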
You can expose a port through your Dockerfile or use --expose and then publish it with the -P flag. This binds the exposed port to a random port on your Docker host (verified by running docker container ls). To publish it on a fixed port instead, use the -p 80:80 flag.
Integration with firewalld: If you are running Docker version 20.10.0 or higher with firewalld on your system with --iptables enabled, Docker automatically creates a firewalld zone called docker and inserts all the network interfaces it creates (for example, docker0) into the docker zone to allow seamless networking.
Docker network bypasses firewall, no option to disable: check the firewall; Docker uses "anywhere" as the source, so all containers are exposed to the public.
What is Docker EXPOSE port? This tells Docker your webserver will listen on port 80 for TCP connections, since TCP is the default. For UDP, specify the protocol after the port. For more than one port, you can list EXPOSE more than once.
Found the answer. See the following links: