Could CSF be causing problems with Docker?
I'm having problems with a Docker container on my server which loses connection to the internet intermittently (it seems to be OK for a day to a few days, then loses connection to the internet). I've posted an issue with Docker, and they think it might be CSF:
The problem is most likely caused by your custom firewall which runs a script periodically and breaks the firewall. Please check if that's the case.
Does anyone know if CSF might be running some sort of script that could do this?
Re: Could CSF be causing problems with Docker?
Hi Brook,
I've had the same problem and discovered it was from the CSF auto update functionality.
When CSF is updated it also reloads the iptables rules, which breaks the forwarding done by docker.
You can reproduce this by starting a docker container and then doing csf -r; the docker container will no longer be available. The only solution (which I have found until now) is to restart the docker daemon and start up the container.
Hope this helps.
Cheers
Re: Could CSF be causing problems with Docker?
This issue affects any iptables reloads as the docker rules are lost.
To resolve this, create the following in /etc/csf/csfpre.sh:
#!/bin/sh
# Recreate the chains and forwarding rules Docker sets up for the docker0 bridge,
# which are lost on every csf reload. Adjust 172.17.0.0/16 if your bridge subnet differs.
iptables -t nat -N DOCKER
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# Masquerade container traffic leaving through any interface other than the bridge
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
iptables -t filter -N DOCKER
# Allow forwarding to and from the bridge
iptables -t filter -A FORWARD -o docker0 -j DOCKER
iptables -t filter -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
iptables -t filter -A FORWARD -i docker0 -o docker0 -j ACCEPT
A csf -r will now reload the docker rules and networking inside the container should continue.
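As an added check (not from this thread or the CSF project), the script below compares an iptables-save dump against the chains and rules the csfpre.sh above recreates and reports which are missing, so you can confirm after a csf -r whether the container forwarding rules survived. The sample dump is constructed, and the 172.17.0.0/16 subnet and docker0 bridge name are assumed defaults.

```shell
#!/bin/sh
# Added check: report which of the Docker iptables chains/rules from csfpre.sh
# are absent from an iptables-save dump, e.g. right after "csf -r".
# Live use (as root):  docker_rules_missing "$(iptables-save)"

# Assumed default bridge subnet; override with DOCKER_SUBNET=... if yours differs.
DOCKER_SUBNET="${DOCKER_SUBNET:-172.17.0.0/16}"

# $1 = full iptables-save output. Prints one "missing: ..." line per absent item.
# Returns 0 when everything is present, 1 when at least one item is missing.
docker_rules_missing() {
    dump=$1
    missing=0
    # The DOCKER chain must exist in both the nat and filter tables;
    # iptables-save lists chains as ":NAME POLICY [pkts:bytes]".
    if [ "$(printf '%s\n' "$dump" | grep -c -- '^:DOCKER -')" -lt 2 ]; then
        echo "missing: DOCKER chain (nat and/or filter table)"
        missing=1
    fi
    # Exact-line matches against the rules csfpre.sh recreates.
    for rule in \
        "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" \
        "-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER" \
        "-A POSTROUTING -s $DOCKER_SUBNET ! -o docker0 -j MASQUERADE" \
        "-A FORWARD -o docker0 -j DOCKER" \
        "-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "-A FORWARD -i docker0 ! -o docker0 -j ACCEPT" \
        "-A FORWARD -i docker0 -o docker0 -j ACCEPT"
    do
        if ! printf '%s\n' "$dump" | grep -qxF -- "$rule"; then
            echo "missing: $rule"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: an iptables-save dump after a reload that dropped
# everything Docker had added (only a bare skeleton remains).
SAMPLE_AFTER_RELOAD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
COMMIT'

docker_rules_missing "$SAMPLE_AFTER_RELOAD" \
    || echo "Docker rules lost: restart the docker daemon or re-run csfpre.sh"
```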
Re: Could CSF be causing problems with Docker?
We were also having problems with docker and CSF where we couldn't connect to ports inside the container. After trying many different methods outlined, it turns out that the CSF config had this set:
ETH_DEVICE="eth0"
Removing eth0 from ETH_DEVICE so CSF could apply rules to all NICS fixed all our issues. Hopefully this will help anyone else having problems.
Re: Could CSF be causing problems with Docker?
marcele wrote: 20 Jul 2017, 12:49
We were also having problems with docker and CSF where we couldn't connect to ports inside the container. After trying many different methods outlined, it turns out that the CSF config had this set:
ETH_DEVICE="eth0"
Removing eth0 from ETH_DEVICE so CSF could apply rules to all NICS fixed all our issues. Hopefully this will help anyone else having problems.
Thanks for that, Marcele. Did you have to add any further iptables rules for specific ports? (If so, do you have an example please?) Or did simply removing eth0 from ETH_DEVICE do the trick for you?
Side note: adding https://jsherz.com/docker/configserver/ ... ocker.html and https://github.com/sensson/puppet-csf/b ... _docker.sh for future reference.