Shorewall+Docker: Two Great Tastes That Taste Great Together


(Jeff Atwood) #1

As has been mentioned previously, we lurve us some Docker here at Discourse. We also lurve us some security, and I’ve recently been replacing our “artisinally handcrafted iptables firewall rules” with a Shorewall-managed configuration, which plays better with Puppet. Unfortunately, as it stands, like my twin three year olds, they don’t always play well. The…


This topic is for comments on the original blog entry at: Shorewall+Docker: Two Great Tastes That Taste Great Together


(Kevin P. Fleming) #2

Big fan of Shorewall, been using it for a looong time.


(John Davidson) #3

Docker has changed their iptables implementation so that the rules captured and replaced are no longer complete.

As a suggestion the revisions posted below should correct the issue and be more tolerant of future changes

/etc/shorewall/init and /etc/shorewall/stop should become

if iptables -t nat -L DOCKER >/dev/null 2>&1; then
    echo '*nat' > /etc/shorewall/docker_rules
    iptables -t nat -S | grep -i docker >> /etc/shorewall/docker_rules
    echo 'COMMIT' >> /etc/shorewall/docker_rules

    echo '*filter' >> /etc/shorewall/docker_rules
    iptables -t filter -S | grep -i docker >> /etc/shorewall/docker_rules
    echo 'COMMIT' >> /etc/shorewall/docker_rules
fi

and /etc/shorewall/start should be

if [ -f /etc/shorewall/docker_rules ]; then
    iptables-restore -n < /etc/shorewall/docker_rules

    rm -f /etc/shorewall/docker_rules
fi