Shorewall+Docker: Due grandi gusti che stanno benissimo insieme

codinghorror · 24 Novembre 2015, 3:22am

As has been mentioned previously, we lurve us some Docker here at Discourse. We also lurve us some security, and I’ve recently been replacing our “artisinally handcrafted iptables firewall rules” with a Shorewall-managed configuration, which plays better with Puppet. Unfortunately, as it stands, like my twin three year olds, they don’t always play well. The…

This topic is for comments on the original blog entry at: http://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/

kpfleming · 25 Novembre 2015, 6:44pm

Big fan of Shorewall, been using it for a looong time.

John_Davidson · 21 Aprile 2016, 1:45pm

Docker has changed their iptables implementation so that the rules captured and replaced are no longer complete.

As a suggestion the revisions posted below should correct the issue and be more tolerant of future changes

/etc/shorewall/init and /etc/shorewall/stop should become

if iptables -t nat -L DOCKER >/dev/null 2>&1; then
    echo '*nat' > /etc/shorewall/docker_rules
    iptables -t nat -S | grep -i docker >> /etc/shorewall/docker_rules
    echo 'COMMIT' >> /etc/shorewall/docker_rules

    echo '*filter' >> /etc/shorewall/docker_rules
    iptables -t filter -S | grep -i docker >> /etc/shorewall/docker_rules
    echo 'COMMIT' >> /etc/shorewall/docker_rules
fi

and /etc/shorewall/start should be

if [ -f /etc/shorewall/docker_rules ]; then
    iptables-restore -n < /etc/shorewall/docker_rules

    rm -f /etc/shorewall/docker_rules
fi

jdeyton · 19 Dicembre 2020, 7:47am

Scusate la necromanzia del thread, ma dato che questo è ciò che ha fatto funzionare i miei servizi swarm con shorewall, qualcuno potrebbe trovare utili queste note aggiuntive.

Gli script sopra potrebbero funzionare o meno come previsto per le vostre esigenze, e questo perché quando eseguite iptables -S vi restituisce le regole in formato append. Se le vostre regole shorewall sono piuttosto aggressive come le mie, un semplice append significa che probabilmente riceverete un DROP molto prima di raggiungere una delle catene iptables specifiche di Docker.

Ecco le mie modifiche per prepend le regole invece:

Ecco /etc/shorewall/{init,stop}:

rules=/etc/shorewall/.docker_rules
if iptables -t nat -L DOCKER >/dev/null 2>&1; then
    echo '*nat' > $rules
    iptables -t nat -S | grep -i docker > $rules.nat
    grep '^-N' $rules.nat >> $rules
    tac $rules.nat | sed -n 's/^-A \([^ ]\+\) /-I \1 1 /p' >> $rules
    rm -f $rules.nat
    echo 'COMMIT' >> $rules

    echo '*filter' >> $rules
    iptables -t filter -S | grep -i docker > $rules.filter
    grep '^-N' $rules.filter >> $rules
    tac $rules.filter | sed -n 's/^-A \([^ ]\+\) /-I \1 1 /p' >> $rules
    rm -f $rules.filter
    echo 'COMMIT' >> $rules
fi

Ecco invece /etc/shorewall/start:

rules=/etc/shorewall/.docker_rules
if [ -f $rules ]; then
    iptables-restore -n < $rules
    rm -f $rules
fi

Argomento		Risposte	Visualizzazioni
Discourse failing to start due to docker/iptables issue Self-hosting docker	1	70	Luglio 5, 2024
Nftables rules for hardening Discourse installation Self-hosting	4	2617	Marzo 12, 2026
Centos 7 - Docker and FirewallD Self-hosting docker , email	8	8992	Agosto 4, 2021
Docker 1.5.0 has issues with iptables Support	12	4376	Febbraio 20, 2015
How to use `iptables` inside Discourse docker container Self-hosting hosting	3	11107	Dicembre 17, 2019

Shorewall+Docker: Due grandi gusti che stanno benissimo insieme

Argomenti correlati