rfxn / advanced-policy-firewall

Advanced Policy Firewall (APF)
GNU General Public License v2.0

Docker support? #38

Open tankerkiller125 opened 4 years ago

tankerkiller125 commented 4 years ago

It seems that APF doesn't support Docker, in that if you enable APF, Docker containers are no longer accessible/can't access the internet. Is there any way to resolve this?

leesherry commented 3 years ago

Docker issues iptables rules / forwarding when containers are created, depending on the configuration of the container, so if you start apf it flushes these rules. If you restart Docker it will re-issue the Docker modifications. However, that isn't really convenient.

If you search Google there are a few options, one of which is using APF post_rules and disabling Docker's iptables automation. I think if you run Docker, and then issue iptables-save, you will see what items you would need to add to the post rules in apf.

It's not just APF that is having this issue; it's an issue with Docker's implementation. Be careful: even when having an iptables firewall active, creating a container with ports configured will open up those ports in the firewall.

If anybody has an automated solution for docker/apf, I'm really interested in using it.

carlosbustillordguez commented 3 years ago

I use the following approach by modifying /etc/cron.daily/apf-firewall :

#! /bin/sh

# Honour the RUN=yes switch from the Debian defaults file, as the stock cron job does
. /etc/default/apf-firewall
if [ "x$RUN" != "xyes" ] ; then
        exit 0
fi

# Save the Docker-related parts of the filter table (chain headers and FORWARD/DOCKER rules)
# and the whole nat table before APF flushes everything
/sbin/iptables-save -t filter | egrep "filter|FORWARD|DOCKER|docker|COMMIT" > /tmp/iptables-save-filter-tables-docker
/sbin/iptables-save -t nat > /tmp/iptables-save-nat-tables-docker

# Flush and then (re)start APF, which rebuilds its own rule set
/usr/sbin/apf -f >> /dev/null 2>&1
/usr/sbin/apf -s >> /dev/null 2>&1

# Put the saved Docker rules back on top of the APF rules:
# -n means "do not flush the existing table first", -c restores packet/byte counters
/sbin/iptables-restore -c -n < /tmp/iptables-save-filter-tables-docker
/sbin/iptables-restore -c -n < /tmp/iptables-save-nat-tables-docker

Also, you need to configure Docker to start after apf-firewall; for this, add the file /etc/systemd/system/docker.service.d/override.conf with the following content:

[Unit]
After=network-online.target apf-firewall.service containerd.service

jasonwee commented 2 years ago

When you flush, all rules are gone, and when you start, the rules are set up. Then you restore the Docker rules; won't there be duplicate rules since -n is specified?

Also, when restoring the filter table, the Docker rules are not restored though. Tested this in AlmaLinux 8, maybe it's just me. Please take a look, https://github.com/jasonwee/advanced-policy-firewall/pull/5/commits/6e79b63172d8f8eb4858b40839ceaa1c92da8ed9

I resorted to just restarting Docker https://github.com/jasonwee/advanced-policy-firewall/pull/5/files for 2 reasons. Guaranteed the container works. No duplicate rules, and shielded from any future changes to Docker rules or iptables/netfilter.

carlosbustillordguez commented 2 years ago

When you flush, all rules are gone, and when you start, the rules are set up. Then you restore the Docker rules; won't there be duplicate rules since -n is specified?

I think the rules are not duplicated because the following flushes all rules:

/usr/sbin/apf -f >> /dev/null 2>&1

I faced the problem with duplicated rules, but it was due to the iptables version; I noted that apf-firewall doesn't work fine with nf_tables.
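The two things questioned in this exchange, duplicate rules left by a `-n` restore on top of a table that was not flushed, and DOCKER chains that did not come back in the filter table, can both be checked from an iptables-save dump without touching the live firewall. The script below is an added example, not part of the thread or of APF; it reads iptables-save text on stdin (a live `iptables-save` or a saved file) and runs against a constructed sample dump embedded inline.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not from APF): find duplicated rules and
# missing Docker chains in an iptables-save dump read from stdin.

# Print every rule that occurs more than once within one table as:
#   <table> <count> <rule>
dup_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }        # "*filter" / "*nat" header
        /^-A / {                                      # only rule lines, not ":CHAIN" or COMMIT
            key = table "\t" $0
            count[key]++
            if (count[key] == 2) order[++n] = key    # remember first sighting of a dup
        }
        END {
            for (i = 1; i <= n; i++) {
                split(order[i], parts, "\t")
                print parts[1], count[order[i]], parts[2]
            }
        }'
}

# Return 0 if the filter-table chains Docker creates are all declared in the
# dump; otherwise print the missing chain names and return 1.
docker_chains_present() {
    missing=$(awk '
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && /^:/ { have[substr($1, 2)] = 1 }
        END {
            n = split("DOCKER DOCKER-USER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2", want, " ")
            for (i = 1; i <= n; i++) if (!(want[i] in have)) print want[i]
        }')
    [ -z "$missing" ] || { printf '%s\n' "$missing"; return 1; }
}

# Constructed sample dump: the FORWARD jump was restored twice (the -n case)
# and DOCKER-USER never came back.
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
'
printf '%s' "$SAMPLE" | dup_rules
printf '%s' "$SAMPLE" | docker_chains_present || echo "(chains above are missing)"
```

On a real host, run it as `iptables-save | sh audit.sh` right after the cron job finishes, and compare against a dump taken before `apf -f` ran.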

jasonwee commented 2 years ago

I faced the problem with duplicated rules, but it was due to the iptables version; I noted that apf-firewall doesn't work fine with nf_tables.

For me, when the nat rules were reloaded in AlmaLinux 8, it did not flush; I had to load the module iptable_nat. This is also in my patch.