Applying docker / discourse iptables rules when using csf firewall


(Fabian Santiago) #1

Hello again. Using Discourse running via Docker on CentOS 7.4. I use CSF via Webmin as my firewall frontend.

So I’ve noticed that allowing CSF to auto-update itself forces a CSF restart with each update, which then breaks Docker’s networking until I restart Docker to have its own iptables rules re-applied. This ultimately causes issues with my instance of Discourse.

I’ve read about using the built-in CSF function csfpre.sh to define rules to be automatically applied at each CSF restart.

How can I interpret the rules precisely as Docker applies them, to place them into csfpre.sh? Any suggestions? Thanks.


(Jay Pfaffman) #2

My suggestion would be to use Ubuntu.

What you describe isn’t really a Discourse issue, but a Docker and CentOS issue. Few people here use CentOS because of problems like this.

I’d recommend asking on a Docker or CentOS site.


(Fabian Santiago) #3

Hello,

Thanks. I get that and have been told that. I’m not really suggesting that it was Discourse’s problem. I’m really just asking, in iptables speak, what are the Discourse rules applied, as they pertain to using Discourse, to the iptables firewall, that I can then transpose into the CSF file myself for pre-loading?

Or is that simply a bad question on my part?

Thanks.


(Jay Pfaffman) #4

It’s a bad question here because Discourse does nothing with iptables. (It seems like a very good question somewhere else, though!)

pfaffman@balloon:~/src/discourse_docker$ sudo find . -type f -exec grep -l iptables \{\} \;
./README.md
pfaffman@balloon:~/src/discourse$ sudo find . -type f -exec grep -l iptables \{\} \;
pfaffman@balloon:~/src/discourse$

(T. H. Wright) #5

I was looking for information on how to get CSF/LFD to track failed logins on Discourse when I ran across your post.
While it may not be the most preferable solution, you could use csfpost to restart Docker each time CSF restarts, with the following. I have been using it for a while now.

cat /etc/csf/csfpost.sh

#!/bin/bash
systemctl restart docker
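An added example, not code from any post in this thread: a variant of the csfpost.sh approach in #5 that restarts Docker only when the CSF restart has actually wiped Docker's iptables chains, rather than on every CSF restart. It also answers the question in #1 about which rules to look for: Docker's own chains are named DOCKER and DOCKER-USER (assumed here; these are the names Docker creates), and they show up as `-N <name>` lines in `iptables -S` output. The script assumes iptables, logger and systemctl are on PATH; the check function reads `iptables -S` output from stdin so it can be exercised with constructed input.

```shell
#!/bin/bash
# Added example, not from the thread: a csfpost.sh that restarts Docker only
# when a CSF restart has actually removed Docker's iptables chains.
# Assumptions: Docker's filter-table chains are named DOCKER and DOCKER-USER
# (the names Docker creates itself); iptables, logger and systemctl are on PATH.

# Reads `iptables -S` output on stdin. Returns 0 (true) if any Docker chain is
# absent, 1 (false) if all of them are still defined.
docker_chains_missing() {
    local rules chain
    rules="$(cat)"
    for chain in DOCKER DOCKER-USER; do
        # `iptables -S` lists every user-defined chain as "-N <name>".
        if ! printf '%s\n' "$rules" | grep -q -E "^-N ${chain}\$"; then
            return 0
        fi
    done
    return 1
}

# Decide and act. Docker re-creates its chains and per-container rules when
# the daemon starts, so a restart is the repair; skipping it when the chains
# are intact avoids bouncing every container (and Discourse) needlessly.
restart_docker_if_needed() {
    if ! command -v iptables >/dev/null 2>&1; then
        logger -t csfpost "iptables not found; skipping Docker chain check"
        return 0
    fi
    if iptables -S 2>/dev/null | docker_chains_missing; then
        logger -t csfpost "Docker chains missing after CSF restart; restarting docker"
        systemctl restart docker
    else
        logger -t csfpost "Docker chains present; no restart needed"
    fi
}

# Act only when installed and run as csfpost.sh; when sourced or run under
# another file name (e.g. to test the check above) nothing is changed.
case "$(basename -- "$0")" in
    csfpost.sh) restart_docker_if_needed ;;
esac
```

Install it as /etc/csf/csfpost.sh (mode 0700, owned by root) so CSF runs it after applying its own rules; the decision is logged via syslog, so `journalctl -t csfpost` shows whether a given CSF restart actually needed a Docker restart.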