Docker support

marcele
Junior Member
Posts: 214
Joined: 17 Sep 2007, 17:02

Docker support

Post by marcele »

I know that this has been bounced around in the forums for a while, so I thought it should go in the suggestions area. We are seeing more and more servers with Docker installed, and it would be nice if CSF played nice with it out of the box. Basically all that needs to be done is to detect if the docker0 interface is present and then add rules like the ones below. These are the rules that we normally add to csfpost.sh to get Docker working correctly. Any comments, suggestions or improvements are welcome.

# Create a new chain for docker
iptables -N DOCKER

# Masquerade outbound connections from containers
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

# Accept established connections to the docker containers
iptables -t filter -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow docker containers to communicate with themselves & outside world
iptables -t filter -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
iptables -t filter -A FORWARD -i docker0 -o docker0 -j ACCEPT
Last edited by marcele on 03 Mar 2018, 15:31, edited 2 times in total.
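One way to turn the rules above into the "detect docker0, then add rules" step the post describes, as an added example that is not marcele's code and not part of csf: the docker0 check reads sysfs instead of calling iptables, and each rule is checked with iptables -C before being appended so that re-running csfpost.sh does not stack duplicate rules. The DOCKER_SUBNET, SYSFS_NET and IPT variables are assumed here (IPT only exists so the script can be exercised without root); the rule set itself is the one from the post.

```shell
#!/bin/sh
# Added example (not the poster's or csf's own code): a csfpost.sh fragment that
# installs the Docker rules only when the docker0 bridge exists, and never adds a
# rule twice. DOCKER_SUBNET, SYSFS_NET and IPT are assumed names with defaults;
# IPT lets the iptables binary be swapped for a stub when testing.

DOCKER_SUBNET="${DOCKER_SUBNET:-172.17.0.0/16}"
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
IPT="${IPT:-iptables}"

# Return 0 if the docker0 bridge is present. sysfs exposes every interface as a
# directory, so this needs no iptables/ip call and no privileges.
docker_present() {
    [ -d "$SYSFS_NET/docker0" ]
}

# The rules from the post, one per line as "<table> <chain> <rule spec...>".
docker_rules() {
    cat <<EOF
nat POSTROUTING -s $DOCKER_SUBNET ! -o docker0 -j MASQUERADE
filter FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
filter FORWARD -i docker0 ! -o docker0 -j ACCEPT
filter FORWARD -i docker0 -o docker0 -j ACCEPT
EOF
}

# Append a rule only if "iptables -C" reports it is not already there.
# $1 = table, $2 = chain, remaining arguments = rule spec.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0        # rule already present, nothing to do
    fi
    "$IPT" -t "$table" -A "$chain" "$@"
}

# Entry point for csfpost.sh: skip everything when docker0 is absent.
apply_docker_rules() {
    if ! docker_present; then
        echo "docker0 not present, skipping Docker rules"
        return 0
    fi
    # Filter-table DOCKER chain from the post; -N fails harmlessly if it exists.
    "$IPT" -N DOCKER 2>/dev/null || true
    docker_rules | while read -r table chain spec; do
        # $spec is deliberately unquoted so it splits into iptables arguments
        # shellcheck disable=SC2086
        ensure_rule "$table" "$chain" $spec
    done
}
```

In csfpost.sh the last line would simply be a call to apply_docker_rules; because every rule goes through the -C check, the fragment is safe to run on every csf restart.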
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: Docker support

Post by ForumAdmin »

I'm adding a section for Docker in beta testing to the next csf release using these rules - they won't be applied automatically, but through settings that must be enabled so as not to interfere with existing configurations.

Many thanks for posting them.
marcele
Junior Member
Posts: 214
Joined: 17 Sep 2007, 17:02

Re: Docker support

Post by marcele »

Sounds great. Looking forward to this!