As has been mentioned previously, we lurve us some Docker here at Discourse. We also lurve us some security, and I’ve recently been replacing our “artisanally handcrafted iptables firewall rules” with a Shorewall-managed configuration, which plays better with Puppet. Unfortunately, as it stands, like my twin three-year-olds, they don’t always play well. The…
This topic is for comments on the original blog entry at: http://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/
8 Likes
kpfleming
(Kevin P. Fleming)
Nov 25, 2015, 18:44
Big fan of Shorewall, been using it for a looong time.
2 Likes
Docker has changed their iptables implementation so that the rules captured and replaced are no longer complete.
As a suggestion, the revisions posted below should correct the issue and be more tolerant of future changes.
/etc/shorewall/init and /etc/shorewall/stop should become:
# Only save anything if Docker has created its NAT chain, i.e. the daemon is running.
if iptables -t nat -L DOCKER >/dev/null 2>&1; then
    # Dump every nat and filter rule that mentions Docker in iptables-restore format.
    echo '*nat' > /etc/shorewall/docker_rules
    iptables -t nat -S | grep -i docker >> /etc/shorewall/docker_rules
    echo 'COMMIT' >> /etc/shorewall/docker_rules
    echo '*filter' >> /etc/shorewall/docker_rules
    iptables -t filter -S | grep -i docker >> /etc/shorewall/docker_rules
    echo 'COMMIT' >> /etc/shorewall/docker_rules
fi
and /etc/shorewall/start should be:
if [ -f /etc/shorewall/docker_rules ]; then
    # -n: do not flush the tables Shorewall has just built, only add the saved Docker rules.
    iptables-restore -n < /etc/shorewall/docker_rules
    rm -f /etc/shorewall/docker_rules
fi
4 Likes
jdeyton
(Jordan Deyton)
Dec 19, 2020, 07:47
Sorry to dig up an old thread, but since this is what got my Swarm services working with Shorewall, others may find these additions useful.
The scripts above may not work as expected for you, because when you run iptables -S it returns the rules in append (-A) format. If your Shorewall rules are fairly aggressive like mine, simply appending means you may hit a DROP rule before you ever reach any of the Docker-specific iptables chains.
Here is my modification to prepend the rules instead:
Here are the contents of /etc/shorewall/{init,stop}:
rules=/etc/shorewall/.docker_rules
if iptables -t nat -L DOCKER >/dev/null 2>&1; then
    echo '*nat' > $rules
    iptables -t nat -S | grep -i docker > $rules.nat
    # Chain definitions (-N) first, then the -A rules reversed and rewritten as
    # "-I CHAIN 1 ..." so that, inserted one by one at the head, they keep their order.
    grep '^-N' $rules.nat >> $rules
    tac $rules.nat | sed -n 's/^-A \([^ ]\+ \)/-I \1 1 /p' >> $rules
    rm -f $rules.nat
    echo 'COMMIT' >> $rules
    echo '*filter' >> $rules
    iptables -t filter -S | grep -i docker > $rules.filter
    grep '^-N' $rules.filter >> $rules
    tac $rules.filter | sed -n 's/^-A \([^ ]\+ \)/-I \1 1 /p' >> $rules
    rm -f $rules.filter
    echo 'COMMIT' >> $rules
fi
Here are the contents of /etc/shorewall/start:
rules=/etc/shorewall/.docker_rules
if [ -f $rules ]; then
    # -n keeps Shorewall's freshly loaded tables and only adds the saved Docker rules.
    iptables-restore -n < $rules
    rm -f $rules
fi
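The append-versus-prepend transformation described in the post above, as an added, self-contained example that is not from the thread or from Shorewall: it runs the same "-N first, then reversed -A rewritten as -I CHAIN 1" rewrite over a constructed sample in `iptables -S` format (the sample is made up, not captured output) so you can see the resulting iptables-restore fragment without touching a live firewall. Portable `awk` stands in for `tac`.

```shell
#!/bin/sh
# Constructed sample in the shape of `iptables -t filter -S` output (not real output).
SAMPLE_FILTER='-P INPUT DROP
-P FORWARD DROP
-N DOCKER
-N DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN'

# docker_rules_fragment TABLE DUMP
# Emit an iptables-restore fragment for TABLE built from DUMP (text in
# `iptables -S` format) in which every Docker rule is re-inserted at the
# head of its chain instead of being appended behind Shorewall's rules.
docker_rules_fragment() {
    table=$1
    dump=$2
    printf '*%s\n' "$table"
    # Chain definitions go first: iptables-restore must know the chain before any -I.
    printf '%s\n' "$dump" | grep -i docker | grep '^-N'
    # Reverse the -A lines, then rewrite each as "-I CHAIN 1 ...". Inserting the
    # last rule first at position 1 leaves the chain in its original order.
    printf '%s\n' "$dump" | grep -i docker | grep '^-A' \
        | awk '{ line[NR] = $0 } END { for (i = NR; i > 0; i--) print line[i] }' \
        | sed 's/^-A \([^ ]\{1,\}\) /-I \1 1 /'
    printf 'COMMIT\n'
}

# Show the fragment that would be handed to `iptables-restore -n`.
docker_rules_fragment filter "$SAMPLE_FILTER"
```

Because every rule lands at position 1, the Docker jumps are evaluated before anything Shorewall put in FORWARD, so ports published by containers are no longer subject to Shorewall's own FORWARD policy; check the merged chain order with `iptables -S FORWARD` after a restart.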