Page 1 of 1

Docker support

Posted: 24 Feb 2018, 11:58
by marcele
I know that this has been bounced around in the forums for a while so I thought it should go in the suggestions area. We are seeing more and more servers with docker installed and it would be nice if CSF played nice with it out of the box. Basically all that needs to be done is detect if docker0 interface is present then add rules like the ones below. These are the rules that we normally add to csfpost.sh to get docker working correctly. Any comments, suggestions or improvements are welcome.
Code: Select all
# Create a new chain for docker
iptables -N DOCKER

# Masquerade outbound connections from containers
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

# Accept established connections to the docker containers
iptables -t filter -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow docker containers to communicate with themselves & outside world
iptables -t filter -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
iptables -t filter -A FORWARD -i docker0 -o docker0 -j ACCEPT

Re: Docker support

Posted: 28 Feb 2018, 10:20
by ForumAdmin
I'm adding a section for Docker in beta testing to the next csf release using these rules - they won't be applied automatically, but through settings that must be enabled so as not to interfere with existing configurations.

Many thanks for posting them.

Re: Docker support

Posted: 03 Mar 2018, 15:30
by marcele
Sounds great. Looking forward to this!