Open Wildcarde opened 8 years ago
Puppet ends up removing docker rules due to the purge issued in the check for firewall pre/post check turning this (iptables -S output):
```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT
-A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j ACCEPT
-A INPUT -m comment --comment "002 accept established related rules" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m multiport --dports 22 -m comment --comment "022 accept ssh traffic - 1" -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m multiport --dports 22 -m comment --comment "022 accept ssh traffic - Building" -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m multiport --dports 80 -m comment --comment "080 nginx http request - Wired" -j ACCEPT
-A INPUT -m comment --comment "99999 drop remaining inputs" -j DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m comment --comment "99999 drop remaining forwards" -j DROP
```
into this:
```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT
-A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j ACCEPT
-A INPUT -m comment --comment "002 accept established related rules" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m multiport --dports 22 -m comment --comment "022 accept ssh traffic - 1" -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m multiport --dports 22 -m comment --comment "022 accept ssh traffic - Building" -j ACCEPT
```
Offhand I'm not sure how to fix this yet, but it breaks some of the usability here pretty badly (in this admittedly very specific use case).
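An added pre-flight check, not code from the issue or from the puppetlabs-firewall module: it parses two `iptables -S` snapshots, lists the rules a Puppet run removed, and flags rules that lack a Puppet-style numbered comment, which is the heuristic assumed here for "unmanaged, hence purged". The snapshots are constructed from the listings above, trimmed for length.

```python
import re
import shlex

# Snapshots constructed from the issue's listings (trimmed; x.x.x.x kept as on the page).
BEFORE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m multiport --dports 22 -m comment --comment "022 accept ssh traffic - 1" -j ACCEPT
-A INPUT -m comment --comment "99999 drop remaining inputs" -j DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -m comment --comment "99999 drop remaining forwards" -j DROP
"""
# After the Puppet run only the chains and the first two INPUT rules survive.
AFTER = "\n".join(BEFORE.splitlines()[:6]) + "\n"

# Heuristic for "Puppet-managed" (assumption): puppetlabs-firewall names owned rules
# by a comment that starts with a numeric ordering prefix, e.g. "000 accept all icmp".
MANAGED_COMMENT = re.compile(r"^\d{3,}\s")

def parse_rules(output):
    """Yield (line, tokens) for every -A rule in an `iptables -S` dump."""
    for line in output.splitlines():
        if line.startswith("-A "):
            yield line, shlex.split(line)

def rule_comment(tokens):
    """Return the --comment value of a rule, or None when it has none."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == "--comment":
            return tokens[i + 1]
    return None

def unmanaged_rules(output):
    """Rules a purge would remove: no comment, or one Puppet would not recognise."""
    return [line for line, toks in parse_rules(output)
            if not MANAGED_COMMENT.match(rule_comment(toks) or "")]

def removed_rules(before, after):
    """Rules present before a Puppet run and absent after it, in original order."""
    kept = {line for line, _ in parse_rules(after)}
    return [line for line, _ in parse_rules(before) if line not in kept]

def docker_rules_lost(before, after):
    """Removed rules that Docker installed: they jump to a DOCKER* chain or use docker0."""
    return [line for line in removed_rules(before, after)
            if any(t.startswith("DOCKER") or t == "docker0" for t in shlex.split(line))]
```

Running `unmanaged_rules` on a live `iptables -S` dump before enabling `purge` shows exactly which rules a run would drop.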