DEV Community

Cover image for Adding FIREWALL to Docker
manish srivastava
manish srivastava

Posted on

Adding FIREWALL to Docker

#devops #docker #beginners #linux

This is going to solve problems of many Devops engineers looking for Firewall Security for their containers.

Following are my previous articles on Docker Security:

manishfoodtechs

Why hackers 'first love' a docker container? Hacking Docker

manish srivastava ・ Jun 4 '20

#docker #linux #showdev #devops

and

manishfoodtechs

New Type of Docker : Rootless + Safer : for every Docker user.

manish srivastava ・ Jun 1 '20

#docker #linux #devops #showdev

Docker does not prevent one from doing Host Firewall implementation; rather, it adds to the complexity. This guide is indented to add host firewall to docker.

STEP 1

(a)Navigate to /etc/systemd/system/ and create a directory named docker.service.d
(b) create a file noiptables.conf and add the following content:

[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// --iptables=false
Enter fullscreen mode Exit fullscreen mode

STEP 2

(a) Restart Docker
(b) check iptables -L -n -v (If everything Okay you will not see any rules :) )

STEP 3

(a) RUN apt-get install iptables-persistent

After running this, you will be prompted to save your IPv4, and then your IPv6 rules to two files, /etc/iptables/rules.v4 and /etc/iptables/rules.v6 respectively.

In order to give IPv4 Internet Access to all the containers, the server must perform NAT.To do that, in the beginning of the rules.v4 file, add the following:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j masquerade
COMMIT
And then below it,
Enter fullscreen mode Exit fullscreen mode

After you’re finished, your rules.v4 / rules.v6 file will look something like this:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A POSTROUTING -o eth0 -j MASQUERADE

COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Allow localhost
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# ICMP
-A INPUT -p icmp -j ACCEPT

# Docker
-A FORWARD -i docker0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o docker0 -j ACCEPT

# Incoming
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP

# Outgoing
-A OUTPUT -j ACCEPT

# Routing
-A FORWARD -j DROP

COMMIT
Enter fullscreen mode Exit fullscreen mode

Of course, you must replace eth0 with your outbound network interface if it is different than eth0.
After you complete that, restart the firewall via netfilter-persistent reload, and you’re good to go!

Click here for joining my team

Read More here

Top comments (0)

Read next

mikeyoung44 profile image

EmbodiedRAG: Dynamic Scene Graphs for Efficient Robot Task Planning in Real-World Environments

Mike Young -

scofieldidehen profile image

ERC 2335 - Encrypting Private Keys

Scofield Idehen -

mikeyoung44 profile image

Logits of API-Protected LLMs Reveal Proprietary Model Details, Researchers Find

Mike Young -

felix_kagecha_dfabd365a01 profile image

SEMANTIC HTML AND ACCESIBILITY

felix kagecha -