On 8/20/23 10:05, Oleg Cherkasov wrote:
On 19.08.2023 16:48, Alex wrote:
Hi,
I'm a long-time Linux sysadmin but haven't done much with docker and
containers or firewalls beyond iptables. I have inherited a fedora38
system where another admin has installed python3-docker, but port
8080 is now exposed to the Internet.
I have a basic iptables firewall that I set up some time ago (when
the system was probably fedora35), but iptables also shows some
docker rules:
# iptables -nvL|grep ^Chain|grep DOCKER
Chain DOCKER (2 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
Where do these chains/policies come from? Is it also an iptables
firewall or is it using ufw?
Why wouldn't it use firewall-cmd? Isn't that the default desktop
firewall app now for fedora?
Docker doesn't play well with ufw or firewalld, in my experience.
It customizes rules directly, which makes it difficult to control with
publicly available networks. The simplest way to do firewall
customization is to turn off firewall customization in Docker and
do it manually.
Firstly, update docker.service to include the following option
(--iptables=false):
/etc/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// \
  --containerd=/run/containerd/containerd.sock \
  --iptables=false
Restart the Docker service and verify the existence of the Docker zone
if using firewalld:
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: br-custom1 br-custom2 docker0
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Add the available docker bridge interfaces (br-custom* and docker0) to
the docker zone. Check if the target zone is ACCEPT instead of default.
I hope that helps.
You could always switch to using Podman, which will not open the port on
the host by default.
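As an added example that is not part of this thread, a small set of POSIX sh helpers for checking the state discussed above: whether DOCKER* chains are still present in iptables, whether dockerd was started with --iptables=false, and whether the firewalld docker zone has target ACCEPT with the bridge interfaces assigned. The iptables, ps and firewall-cmd calls in audit() are assumptions about the host; the other functions only read command output passed to them.

```shell
# Added example (not from the thread): checks for the Docker/firewalld state
# discussed above. Functions read command output from stdin or arguments.
docker_chain_count() {          # stdin: `iptables -nvL`; prints number of DOCKER* chains
    grep -c '^Chain DOCKER' || true
}
dockerd_iptables_disabled() {   # $1: dockerd command line
    case "$1" in
        *--iptables=false*) return 0 ;;
        *) return 1 ;;
    esac
}
# stdin: `firewall-cmd --info-zone=docker`; args: bridges that must be in the zone.
# Succeeds only if target is ACCEPT and every named bridge is listed.
docker_zone_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^ *target: ACCEPT$' || return 1
    ifaces=$(printf '%s\n' "$out" | sed -n 's/^ *interfaces: *//p')
    for want in "$@"; do
        case " $ifaces " in
            *" $want "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
# The drop-in from the thread, with the line continuations systemd needs.
render_override() {
    cat <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// \
  --containerd=/run/containerd/containerd.sock \
  --iptables=false
EOF
}
# Live audit; assumes iptables, ps (procps) and firewall-cmd exist, root for iptables.
audit() {
    echo "DOCKER chains in iptables: $(iptables -nvL 2>/dev/null | docker_chain_count)"
    if dockerd_iptables_disabled "$(ps -o args= -C dockerd)"; then
        echo "dockerd: --iptables=false set"
    else
        echo "dockerd: still managing iptables itself"
    fi
    if firewall-cmd --info-zone=docker 2>/dev/null | docker_zone_ok docker0; then
        echo "firewalld docker zone: target ACCEPT, docker0 assigned"
    else
        echo "firewalld docker zone: missing, wrong target, or docker0 not assigned"
    fi
}
```

Source the file and run `audit` as root on the Fedora host; `render_override > /etc/systemd/system/docker.service.d/override.conf` followed by `systemctl daemon-reload` and a Docker restart applies the drop-in.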
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue