Implementing an iptables firewall kills the ability for outgoing emails


(Marco Jakobs) #1

Hi,

I wanted to implement my “standard firewall” also on my Discourse VMs to enable traffic to the SSH port only from my approved IPs. So I’ve enabled any outgoing traffic from my VM and enabled incoming for ports 443, 80 and 22 (the last is limited to my approved IPs).

All works quite well, but then I’ve noticed that my outgoing emails to my email server are not working at all. Crazy enough as I’ve allowed outgoing connections from my VM.

My firewall setup includes the interfaces which I find with ifconfig:

  • eth0: Main interface to the outside world, that’s my public IP
  • docker0: Seems to be created by Discourse, IP 172.17.0.1/16. Not a real idea what’s the purpose of this (virtual) interface?!?
  • lo (as usual …)

Any ideas what’s wrong here?


(Matt Palmer) #2

Your firewall doesn’t account for the Docker networking. docker0 isn’t created by Discourse, it’s created by Docker, which Discourse uses to run. I see much reading in your future… you’ll have to learn about Docker’s automatic firewall rule creation, and firewalling in a bridged networking world.


(Marco Jakobs) #3

Hi Matt,

not sure if there is much time for reading deep into that … my forum is the only one which is using Docker and honestly I just need to understand as much as I need to run that … that’s private stuff and I currently have quite many things in my reading queue with a higher priority :wink:

Any idea which rules I need to create in my firewall script? I’m using FWBuilder to maintain my Linux firewalls, and obviously creating the network card “docker0” which I see in the VM’s config with rights to communicate with the outside world does not help.

So still the right hint is missing … or does this not work in conjunction with a firewall script?
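
As an added example (not code from this thread, from Discourse or from Docker), here is the piece Matt's reply in #2 points at and that #3 asks for: a host firewall that only opens INPUT/OUTPUT leaves the FORWARD chain and the NAT table alone, and a script that flushes all tables also wipes the FORWARD and MASQUERADE rules Docker installed for docker0, so container traffic (including the mail the Discourse container sends) has no path out. The script below emits the forwarding and NAT rules that restore egress from the bridge, plus two checks a practitioner would run first. The interface names eth0/docker0 and the 172.17.0.0/16 subnet are taken from #1; the rules are printed rather than applied so they can be reviewed or pasted into the existing firewall script, and the sample iptables-save excerpt is constructed for illustration. Docker's DOCKER-USER chain (present on Docker 17.06 and later) is where further restrictions on container traffic belong, because Docker recreates its own rules on restart.

```shell
#!/bin/sh
# Added example: minimal forwarding/NAT rules so containers on the Docker bridge
# can reach the Internet through the host's public interface, plus checks for
# the two usual causes of "containers cannot send mail" after a firewall change.
# Interface names and subnet follow the thread (eth0, docker0, 172.17.0.0/16);
# override via environment if a host differs.
WAN_IF="${WAN_IF:-eth0}"
DOCKER_IF="${DOCKER_IF:-docker0}"
DOCKER_NET="${DOCKER_NET:-172.17.0.0/16}"

# Emit (do not apply) the rules a host firewall needs for container egress:
#  - FORWARD policy DROP, as a filtering host should have;
#  - replies to established flows may come back in;
#  - new flows may go from the bridge out to the WAN interface only;
#  - source NAT so 172.17.x.x addresses never leave the host unmasked.
# Docker normally installs equivalents; a script that runs "iptables -F"
# removes them, which is what breaks outgoing mail from the container.
docker_egress_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $DOCKER_IF -o $WAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -s $DOCKER_NET ! -o $DOCKER_IF -j MASQUERADE
EOF
}

# Check 1: count rules in an iptables-save dump (read from stdin) that refer
# to the Docker bridge or subnet. Zero after your firewall script has run
# means the script flushed Docker's rules.
count_docker_rules() {
    grep -E -c "(-i $DOCKER_IF|-o $DOCKER_IF|-s $DOCKER_NET)"
}

# Check 2: forwarding must be enabled in the kernel or FORWARD rules are moot.
# $1 lets a test point at a file instead of the live sysctl.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Constructed iptables-save excerpt: two Docker-related rules and one SSH rule.
SAMPLE_SAVE='-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A INPUT -p tcp --dport 22 -j ACCEPT'

echo "# Rules to add to the firewall script:"
docker_egress_rules
echo "# Docker-related rules in the sample dump: $(printf '%s\n' "$SAMPLE_SAVE" | count_docker_rules)"
if ip_forward_enabled; then
    echo "# ip_forward is enabled on this host"
else
    echo "# ip_forward is NOT enabled (or not readable); set net.ipv4.ip_forward=1"
fi
```

On a live host, run `iptables-save | count_docker_rules` (after sourcing the functions) before and after the firewall script to see whether Docker's rules survived; if the count drops to zero, either stop flushing the FORWARD chain and nat table, or add the emitted rules to the script and restart Docker afterwards so it re-creates its own chains.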


(Matt Palmer) #4

I’ve never used FWBuilder, so I have no idea how to configure it. Perhaps someone on the Internet uses FWBuilder and Docker together?