Posted: 24 Feb 2018, 11:58
I know that this has been bounced around in the forums for a while so I thought it should go in the suggestions area. We are seeing more and more servers with docker installed and it would be nice if CSF played nice with it out of the box. Basically all that needs to be done is detect if docker0 interface is present then add rules like the ones below. These are the rules that we normally add to csfpost.sh to get docker working correctly. Any comments, suggestions or improvements are welcome.
Code:
# Create a new chain for docker
iptables -N DOCKER

# Masquerade outbound connections from containers
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

# Accept established connections to the docker containers
iptables -t filter -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow docker containers to communicate with themselves & outside world
iptables -t filter -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
iptables -t filter -A FORWARD -i docker0 -o docker0 -j ACCEPT
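The detect-then-add procedure the post describes, written out as an added POSIX sh example (not the poster's own csfpost.sh): it checks whether the bridge interface exists under /sys/class/net, prints the rules as a dry run by default, and with --apply installs each rule only when `iptables -C` does not already find it, so re-running csfpost.sh does not duplicate rules. The DOCKER_IF and DOCKER_NET variables, the --apply flag and the function names are this example's own; the 172.17.0.0/16 subnet and the rules themselves are the ones from the post.

```shell
#!/bin/sh
# Added example: conditional, idempotent version of the docker rules for csfpost.sh.
# With no arguments it prints what would be done; as root with --apply it installs the rules.

DOCKER_IF="${DOCKER_IF:-docker0}"          # bridge interface created by the docker daemon
DOCKER_NET="${DOCKER_NET:-172.17.0.0/16}"  # default bridge subnet from the post (verify with: docker network inspect bridge)

# True when the named network interface exists on this host.
have_docker_if() {
    [ -d "/sys/class/net/$1" ]
}

# Print the rules from the post, one per line, as "<table> <chain> <rule args...>".
# Each line is a full rule specification minus the -A/-C verb, so the same text
# serves both to check for the rule and to append it.
docker_rules() {
    cat <<EOF
nat POSTROUTING -s $DOCKER_NET ! -o $DOCKER_IF -j MASQUERADE
filter FORWARD -o $DOCKER_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
filter FORWARD -i $DOCKER_IF ! -o $DOCKER_IF -j ACCEPT
filter FORWARD -i $DOCKER_IF -o $DOCKER_IF -j ACCEPT
EOF
}

# Append a rule only if it is not already present: iptables -C exits 0 when the
# rule exists, so a second run of csfpost.sh leaves the ruleset unchanged.
ensure_rule() {
    table="$1"; shift
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

apply_docker_rules() {
    if ! have_docker_if "$DOCKER_IF"; then
        echo "no $DOCKER_IF interface present, skipping docker rules" >&2
        return 0
    fi
    # Create the DOCKER chain from the post if it does not exist yet.
    iptables -t filter -N DOCKER 2>/dev/null || true
    docker_rules | while read -r table rest; do
        # $rest is intentionally unquoted: it is a list of iptables arguments
        ensure_rule "$table" $rest
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_docker_rules
else
    echo "dry run: rules that would be ensured for $DOCKER_IF ($DOCKER_NET):"
    docker_rules
fi
```

Dropping the script into csfpost.sh with `--apply` (or calling apply_docker_rules directly) reproduces the post's rules, while the dry run lets the rules be reviewed on a host before touching the live firewall.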