docker with disable iptables and csf firewall

ale-ab
Junior Member
Posts: 14
Joined: 17 Dec 2014, 22:25

docker with disable iptables and csf firewall

Post by ale-ab »

Hello,
I am trying to use the csf firewall with docker.
I read some tutorials and built a working solution, but I have a small problem...

My OS is AlmaLinux 9.

Of course I tried enabling
DOCKER = 1
in csf.conf, but it doesn't work.

So I use these settings and it works:
nano /etc/docker/daemon.json


{
"iptables": false
}
nano /etc/csf/csfpost.sh


#!/bin/bash

# Full PATH for csf's hook environment (found over ssh with: echo $PATH)
PATH=/root/.local/bin:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

echo "[DOCKER] Setting up FW rules."

# Filter-table DOCKER chain; the rules below never jump to it, and the chain
# may already exist from a previous csf restart, so ignore that error
iptables -N DOCKER 2>/dev/null

# Every bridge network (default docker0 plus compose/user-defined ones);
# the documented filter key is lowercase "driver"
bridges=$(docker network ls -q --filter='driver=bridge')

for bridge in $bridges; do
    # Bridge interface: the com.docker.network.bridge.name option if set
    # (docker0 for the default network), otherwise br-<short network id>
    DOCKER_NET_INT=$(docker network inspect -f '{{"'br-$bridge'" | or (index .Options "com.docker.network.bridge.name")}}' "$bridge")
    # Network subnet, e.g. 172.18.0.0/16
    subnet=$(docker network inspect -f '{{(index .IPAM.Config 0).Subnet}}' "$bridge")

    # Outbound: masquerade container traffic that leaves through any other interface
    iptables -t nat -A POSTROUTING -s "$subnet" ! -o "$DOCKER_NET_INT" -j MASQUERADE
    # Replies back into the bridge
    iptables -t filter -A FORWARD -o "$DOCKER_NET_INT" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Container -> outside, and container -> container on the same bridge
    iptables -t filter -A FORWARD -i "$DOCKER_NET_INT" ! -o "$DOCKER_NET_INT" -j ACCEPT
    iptables -t filter -A FORWARD -i "$DOCKER_NET_INT" -o "$DOCKER_NET_INT" -j ACCEPT
done

echo "[DOCKER] Done."
Of course every time I run a docker container I need to restart csf, so I often use
docker compose up -d && csf -ra

So for now everything works: port 81 (the nginx proxy manager web GUI) is blocked from the whole internet except for my whitelisted IPs,
while ports 80 and 443 are fully open.

The only problem I found is that in the nginx proxy log I read
[25/May/2023:04:52:39 +0000] - 200 200 - GET https xxx.yyy.tld "/dashboard" [Client 172.18.0.1] [Length 906] [Gzip 2.13] [Sent-to docker-name] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0" "-"
so the client is the gateway of the docker network, 172.18.0.1.

Whereas if I enable iptables in docker and disable the csf firewall I read in the log
[25/May/2023:04:52:39 +0000] - 200 200 - GET https xxx.yyy.tld "/dashboard" [Client 1.2.3.4] [Length 906] [Gzip 2.13] [Sent-to docker-name] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0" "-"

so the client is exactly the public IP of my device...
I think the problem is the FORWARD (or MASQUERADE) rules, but I can't find a solution for this...

Can someone help me?

I tried with
https://github.com/juli3nk/csf-post-doc ... /docker.sh
but afterwards none of the containers worked...

Thank you in advance
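Added example, not part of the post above and not the csf or docker project's own code. It targets the 172.18.0.1 symptom the post describes: with "iptables": false, dockerd installs no PREROUTING/OUTPUT DNAT rules for -p published ports, so the host port is served only by the userland docker-proxy, which accepts the connection on the host and opens a new one to the container from the bridge gateway. The script generates the nat-table DNAT rules dockerd would otherwise have created (plus the FORWARD accept and the hairpin MASQUERADE) so the client address reaches the container; pair it with "userland-proxy": false in daemon.json. The input line format, the function names and the docker inspect templates are this example's own assumptions; csf's own rules still gate the host port before the DNAT takes effect.

```bash
#!/bin/bash
# Added example (not the original poster's script): publish container ports
# with DNAT rules when dockerd runs with "iptables": false, so the container
# sees the real client address instead of the bridge gateway (172.18.0.1)
# that the userland docker-proxy would present.
#
# The line format below and the helper names are this example's assumptions.

set -eu

# build_dnat_rules: reads one published port per line on stdin, in the form
#   <container_port>/<proto> <host_ip> <host_port> <container_ip>
# (e.g. "80/tcp 0.0.0.0 80 172.18.0.2") and prints the iptables commands.
# A host_ip of 0.0.0.0 (or empty) means "any local address"; IPv6 bindings
# are skipped because they would need ip6tables, not iptables.
build_dnat_rules() {
    while read -r spec host_ip host_port cip; do
        [ -n "$spec" ] || continue
        case "$host_ip" in *:*) continue ;; esac
        cport=${spec%/*}
        proto=${spec#*/}
        dst=""
        if [ -n "$host_ip" ] && [ "$host_ip" != "0.0.0.0" ]; then
            dst="-d $host_ip/32 "
        fi
        # nat/DOCKER is reached from PREROUTING and OUTPUT for local destinations
        echo "iptables -t nat -A DOCKER ${dst}-p $proto --dport $host_port -j DNAT --to-destination $cip:$cport"
        # let the rewritten packets through FORWARD (replies are covered by RELATED,ESTABLISHED)
        echo "iptables -t filter -A FORWARD -d $cip/32 -p $proto --dport $cport -m conntrack --ctstate NEW -j ACCEPT"
        # hairpin: a container reaching its own published port through the host
        echo "iptables -t nat -A POSTROUTING -s $cip/32 -d $cip/32 -p $proto --dport $cport -j MASQUERADE"
    done
}

# nat_chain_setup: the nat-table chain and jumps dockerd normally creates itself
nat_chain_setup() {
    echo "iptables -t nat -N DOCKER"
    echo "iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER"
    echo "iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER"
}

# published_ports: one input line per published port of every running
# container, read from docker inspect (needs a live daemon; the template
# field names assume the current docker inspect container JSON)
published_ports() {
    for c in $(docker ps -q); do
        # first IP of the container on any of its networks (none for --net=host)
        cip=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{if .IPAddress}}{{.IPAddress}} {{end}}{{end}}' "$c" | awk '{print $1}')
        [ -n "$cip" ] || continue
        docker inspect -f '{{range $p, $b := .NetworkSettings.Ports}}{{range $b}}{{$p}} {{.HostIP}} {{.HostPort}}{{println}}{{end}}{{end}}' "$c" \
            | awk -v ip="$cip" 'NF { print $1, $2, $3, ip }'
    done
}

# main print|apply: print the complete rule set, or execute it with sh -e
main() {
    { nat_chain_setup; published_ports | build_dnat_rules; } |
        if [ "$1" = "apply" ]; then sh -e; else cat; fi
}

# Touch the live daemon only when asked, so the functions can be sourced or tested
case "${1:-}" in
    print|apply) main "$1" ;;
esac
```

Usage: "csfpost-docker-dnat.sh print" shows the rules; "apply" runs them, so a line like that at the end of csfpost.sh (after the bridge MASQUERADE/FORWARD rules) re-creates the port publishing on every csf -ra. The NEW-state FORWARD accept is deliberately narrow (one container IP and port per published port) rather than the blanket accept a full Docker setup uses.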