juli3nk / csf-post-docker

CSF with support for Docker
56 stars 35 forks

How to block non-local traffic? #22

Open panomitrius opened 2 years ago

panomitrius commented 2 years ago

I realized this script exposes all docker containers to traffic from everywhere. How can I modify it to only allow local traffic while not opening up to global access?

luison commented 2 years ago

We are also struggling with this. Our intention is to maintain CSF "in front of" docker so only opened ports in CSF are open to external IPs not in allowed lists or dynamic.

So far we've managed to do it by adding accept rules to the output of all of the docker interfaces.

@juli3nk's script is actually very efficient but treats NAT the same way as CSF does, that is, NAT is non-firewalled, and it creates all opened ports in docker as DNAT rules.

It would be great to see an alternative option.

barart commented 1 year ago

Need this too... does somebody know how to do this?

emielmolenaar commented 1 year ago

I've hacked together a small solution for this problem; unfortunately it involves editing the original script. See https://github.com/emielmolenaar/csf-post-docker/commit/1d34117baf98a1ada6921f0609dbc911e0246700.

I'm by no means an iptables / csf expert so please let me know if this isn't the way to go!
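As an added example, not code from this repository or from any of the commenters, one way to keep Docker's published ports reachable only from local networks without editing the original script: a fragment for CSF's post-restart hook that rebuilds Docker's DOCKER-USER chain, which Docker consults first in FORWARD and leaves to the administrator. The external interface name, the allowed CIDRs and the `IPTABLES` override are assumptions; run it as root after the Docker rules have been restored.

```shell
#!/bin/sh
# Added example (not part of csf-post-docker): restrict forwarded traffic to
# containers so that only local source networks reach published ports.
# Host-local access (127.0.0.1 or the host's own IP) is unaffected because it
# does not traverse FORWARD, and container-to-container traffic does not
# arrive on the external interface, so neither is blocked.

IPTABLES="${IPTABLES:-iptables}"   # override with IPTABLES=echo for a dry run

# Print the DOCKER-USER rule specs, one per line, in append order.
# $1 = external interface (assumed, e.g. eth0); $2 = space-separated CIDRs.
build_docker_user_rules() {
    ext_if="$1"
    allowed="$2"
    # replies to connections the containers opened themselves must pass
    echo "-m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
    for net in $allowed; do
        # trusted local networks fall through to Docker's own rules
        echo "-i $ext_if -s $net -j RETURN"
    done
    # anything else arriving on the external interface is dropped before
    # Docker's DNAT/ACCEPT rules in FORWARD can admit it
    echo "-i $ext_if -j DROP"
    # keep the trailing RETURN Docker expects at the end of the chain
    echo "-j RETURN"
}

# Rebuild DOCKER-USER from the specs above (idempotent: flush, then append).
apply_docker_user_rules() {
    "$IPTABLES" -N DOCKER-USER 2>/dev/null || true
    "$IPTABLES" -F DOCKER-USER
    build_docker_user_rules "$1" "$2" | while IFS= read -r spec; do
        # shellcheck disable=SC2086  # spec is intentionally word-split
        "$IPTABLES" -A DOCKER-USER $spec
    done
}

# Number of rules a given configuration produces (for sanity checks).
count_docker_user_rules() {
    build_docker_user_rules "$1" "$2" | wc -l | tr -d ' '
}
```

Run `IPTABLES=echo sh thisfile.sh` style dry runs first to see the exact commands, then call `apply_docker_user_rules eth0 "10.0.0.0/8 192.168.0.0/16"` from the CSF post hook.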