moby / libnetwork

networking for containers
Apache License 2.0

firewalld docker zone not working to reject request #2651

Open xflu opened 2 years ago

xflu commented 2 years ago

Hi, I run an nginx container by docker-compose. I can visit it using http://192.168.222.230/.

Then I add a reject rule to docker zone.

firewall-cmd --zone=docker --permanent --add-rich-rule='rule family="ipv4" source address="192.168.222.1" port protocol="tcp" port="80" reject'
firewall-cmd  --complete-reload

However, I still can visit http://192.168.222.230/ from 192.168.222.1.

Can someone tell me what's the problem? How to make it work?

OS: CentOS Linux release 7.6.1810 (Core); firewall-cmd version: 0.5.3; Docker version 20.10.12, build e91ed57

docker-compose.yml

version: "3.9"
services:
  nginx:
    image: nginx:latest
    container_name: nginx
    ports:
      - "80:80"

firewall-cmd --get-active-zones

docker
  interfaces: docker0 br-c6d4a486127d br-6e7f995ee7b1
mock_docker
  interfaces: ens33

firewall-cmd --zone=docker --list-all

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0 br-c6d4a486127d br-6e7f995ee7b1
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="192.168.222.1" port port="80" protocol="tcp" reject

SuperCuber commented 2 years ago

I tried a different approach which didn't work either:

# firewall-cmd --get-active-zones
docker
  interfaces: docker0
public
  interfaces: ens3
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources:
  services: dhcpv6-client http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I would expect an incoming connection from ens3 to be blocked on ports which aren't listed in services: but for example a container listening on port 5000 does not get blocked. (a native process listening on port 5000 does get blocked successfully)

How is this supposed to be done? There's no documentation on it other than "yay docker creates its own zone now"

xflu commented 2 years ago

@SuperCuber Finally, I realized that by iptables, according to the Docker document.

Now only some ip address can access the docker container mapped port.

However, I would still like to know how to achieve the same effect with Firewalld.
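The behaviour both comments above run into has the same cause: a port published with `ports: "80:80"` is DNAT'd by Docker and delivered to the container through the FORWARD chain, not through INPUT, so a rich rule or a missing service entry in the zone that holds the host interface never sees the packet. Docker's documentation reserves the `DOCKER-USER` chain, evaluated before Docker's own FORWARD rules, for administrator rules such as the ones xflu ended up using. The script below is an added example, not code from the issue or from libnetwork: it parses a constructed `iptables -S DOCKER-USER` listing (a reject for 192.168.222.1 on port 80, a drop for everything outside 192.168.222.0/24, and the usual trailing RETURN) and simulates first-match evaluation, so an operator can check what a given source, port and ingress interface would get before touching the live ruleset. The interface name `ens33` and the addresses are taken from the thread; the rules themselves are constructed for the example.

```python
"""Simulate first-match evaluation of an iptables DOCKER-USER chain.

Added example; the rules, helper names and parsing subset are assumptions
made here, not Docker's or libnetwork's code. Supported rule syntax is the
subset `iptables -S DOCKER-USER` prints for simple source/port filters:
  -A DOCKER-USER [-i IFACE] [[!] -s CIDR] [-p tcp -m tcp --dport N] -j TARGET [--reject-with X]
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed listing: what `iptables -S DOCKER-USER` would print after adding
# a per-host reject (xflu's case), a subnet allow-list, and Docker's RETURN.
DOCKER_USER_RULES = [
    "-A DOCKER-USER -i ens33 -s 192.168.222.1/32 -p tcp -m tcp --dport 80 "
    "-j REJECT --reject-with icmp-port-unreachable",
    "-A DOCKER-USER -i ens33 ! -s 192.168.222.0/24 -j DROP",
    "-A DOCKER-USER -j RETURN",
]


@dataclass
class Rule:
    in_iface: Optional[str]                     # -i, None means any interface
    src: Optional[ipaddress.IPv4Network]        # -s, None means any source
    src_negated: bool                           # True when written as "! -s"
    dport: Optional[int]                        # --dport, None means any port
    target: str                                 # -j target


def parse_rule(line: str) -> Rule:
    """Parse one `-A DOCKER-USER ...` line into a Rule."""
    toks = shlex.split(line)
    if toks[:2] != ["-A", "DOCKER-USER"]:
        raise ValueError("not a DOCKER-USER rule: %r" % line)
    in_iface = src = dport = target = None
    negate = src_negated = False
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True                       # applies to the next match
            i += 1
            continue
        if tok == "-i":
            in_iface = toks[i + 1]
        elif tok == "-s":
            src = ipaddress.ip_network(toks[i + 1], strict=False)
            src_negated = negate
        elif tok == "--dport":
            dport = int(toks[i + 1])
        elif tok == "-j":
            target = toks[i + 1]
        elif tok in ("-p", "-m", "--reject-with"):
            pass                                # operand carried but not needed here
        else:
            raise ValueError("unsupported token %r in %r" % (tok, line))
        negate = False
        i += 2
    if target is None:
        raise ValueError("rule without -j target: %r" % line)
    return Rule(in_iface, src, src_negated, dport, target)


def parse_chain(lines: List[str]) -> List[Rule]:
    return [parse_rule(l) for l in lines]


def evaluate(rules: List[Rule], src_ip: str, dport: int,
             in_iface: str) -> Tuple[str, Optional[int]]:
    """Return (target, rule_index) of the first matching rule.

    Reaching the end of the chain behaves like RETURN: the packet goes on to
    Docker's own chains and the published port stays reachable.
    """
    ip = ipaddress.ip_address(src_ip)
    for idx, r in enumerate(rules):
        if r.in_iface is not None and r.in_iface != in_iface:
            continue
        if r.src is not None and (ip in r.src) == r.src_negated:
            continue                            # match negated, or no match
        if r.dport is not None and r.dport != dport:
            continue
        return r.target, idx
    return "RETURN", None


def port_reachable(rules: List[Rule], src_ip: str, dport: int,
                   in_iface: str) -> bool:
    """True unless DOCKER-USER drops or rejects the packet."""
    target, _ = evaluate(rules, src_ip, dport, in_iface)
    return target not in ("DROP", "REJECT")


if __name__ == "__main__":
    chain = parse_chain(DOCKER_USER_RULES)
    for src, port, dev in [("192.168.222.1", 80, "ens33"),
                           ("192.168.222.1", 5000, "ens33"),
                           ("10.0.0.5", 80, "ens33"),
                           ("10.0.0.5", 80, "docker0")]:
        print(src, port, dev, "->", evaluate(chain, src, port, dev))
```

The last probe (source 10.0.0.5 arriving on `docker0`) shows why the `-i ens33` qualifier matters: without it the subnet drop would also hit container-to-container traffic crossing the bridge. Note that this only models `DOCKER-USER`; a firewalld rich rule in the `docker` zone is not in this path at all, which is what the thread observes.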

Ruppsn commented 2 years ago

Same "Problem" here. I do not understand how these rich rules should work. It works if I use direct rules, but since they are already deprecated by firewalld I don't want to use them. I couldn't find anything about it in the firewalld documentation.

Is there a best practice to handle docker/docker swarm with firewalld rich rules? I don't want to open a port for everyone.