firewalld and docker

afonsodev
Posts: 1
Joined: 2019/11/20 10:09:34

firewalld and docker

Post by afonsodev » 2019/11/20 10:28:59

Hello all,

I've just installed docker on a CentOS host to run CKAN within containers.

The containers need to communicate with each other, and only after running the following command did I have success:

firewall-cmd --set-default-zone=trusted

The host is not exposed to the Internet yet, but it will be.

Before running the above command, this was the error when a container tried to connect to another container with PostgreSQL:

ckan          | sqlalchemy.exc.OperationalError: (psycopg2.OperationalError) could not connect to server: No route to host
ckan          |         Is the server running on host "db" (172.18.0.3) and accepting
ckan          |         TCP/IP connections on port 5432?
ckan          |
ckan exited with code 1

See the message "no route to host".

My question is: I want to set the default zone back to public. What commands do I have to run to make the containers communicate with each other?

Here is the current firewalld config. Thanks!

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule priority="32767" reject

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports: 5000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0 ens160
  sources:
  services:
  ports: 5000/tcp 5432/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
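
Added example, not part of the original post: a small shell audit that reads a `firewall-cmd --list-all-zones` dump like the one above (from stdin, so it works on a saved copy as well as on the live host) and answers the question this thread turns on: which active zone each interface is bound to, what that zone's target is, and whether a given port is reachable through a given interface. The two samples are constructed from the dump above; `ens160` is assumed to be the uplink and `5432/tcp` the PostgreSQL port, as in the post. On the dump as posted it reports that ens160 shares the trusted zone (target ACCEPT) with docker0, so every listening port on the host, not just the ones listed, becomes reachable from the network once the host is exposed.

```shell
#!/bin/sh
# Audit a `firewall-cmd --list-all-zones` dump: which active zone holds each
# interface, what its target is, and whether a given port is reachable through
# a given interface. Reads the dump on stdin so it can be run against a saved
# copy (or the constructed samples below) as well as the live host.

# Constructed sample 1: the two active zones from the post above, abbreviated.
# ens160 (the uplink) and docker0 share the trusted zone, so target ACCEPT
# applies to traffic arriving from the network as well as from containers.
SAMPLE_DUMP='libvirt (active)
  target: ACCEPT
  interfaces: virbr0
  ports:
public
  target: default
  interfaces:
  ports: 5000/tcp
trusted (active)
  target: ACCEPT
  interfaces: docker0 ens160
  ports: 5000/tcp 5432/tcp
'

# Constructed sample 2: the layout the thread is aiming for. The uplink sits in
# public with only the CKAN port open; the Docker bridge alone is trusted.
FIXED_DUMP='public (active)
  target: default
  interfaces: ens160
  ports: 5000/tcp
trusted (active)
  target: ACCEPT
  interfaces: docker0
  ports:
'

# active_zones: stdin = zone dump; prints one record per zone marked "(active)"
# as  zone|target|interfaces|ports  (interfaces and ports are space-separated).
active_zones() {
  awk '
    function emit() { if (zone != "" && active) print zone "|" target "|" ifs "|" ports }
    /^[^ ]/ {                       # zone header such as "trusted (active)"
      emit()
      zone = $1; active = ($2 == "(active)")
      target = ""; ifs = ""; ports = ""
      next
    }
    /^  target:/     { target = $2 }
    /^  interfaces:/ { sub(/^  interfaces: */, ""); ifs = $0 }
    /^  ports:/      { sub(/^  ports: */, ""); ports = $0 }
    END { emit() }
  '
}

# zone_of_interface IFACE: stdin = zone dump; prints the record of the active
# zone that IFACE is bound to (nothing if it is not bound to any active zone).
zone_of_interface() {
  active_zones | awk -F'|' -v want="$1" '
    { n = split($3, ifs, " "); for (k = 1; k <= n; k++) if (ifs[k] == want) print }
  '
}

# check_exposure IFACE PORT: stdin = zone dump. Exit 0 if PORT is not reachable
# through IFACE, 1 if it is (opened directly, or because the zone accepts
# everything), 2 if IFACE is not bound to an active zone (default zone decides).
check_exposure() {
  iface=$1; port=$2
  rec=$(zone_of_interface "$iface")
  if [ -z "$rec" ]; then
    echo "$iface: not bound to an active zone; the default zone applies"
    return 2
  fi
  zone=${rec%%|*}
  rest=${rec#*|}; target=${rest%%|*}
  ports=${rec##*|}
  if [ "$target" = ACCEPT ]; then
    echo "EXPOSED: $iface is in zone $zone (target ACCEPT); every listening port, $port included, is reachable"
    return 1
  fi
  case " $ports " in
    *" $port "*) echo "EXPOSED: $port is open in zone $zone on $iface"; return 1 ;;
  esac
  echo "ok: $port is not reachable through $iface (zone $zone, open ports: ${ports:-none})"
  return 0
}

# Stand-alone run: audit the live host if firewall-cmd is available, else sample 1.
if command -v firewall-cmd >/dev/null 2>&1; then
  firewall-cmd --list-all-zones | check_exposure ens160 5432/tcp
else
  printf '%s' "$SAMPLE_DUMP" | check_exposure ens160 5432/tcp
fi
echo "exit status: $?"
```

Run it as `firewall-cmd --list-all-zones | sh audit.sh` on the host, or save the dump first and audit that copy; the exit status is meant for scripting (for example a deploy check that refuses to proceed while the database port is reachable from the uplink).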

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: firewalld and docker

Post by KernelOops » 2019/11/20 11:54:27

Sounds like you need to open port 5432/tcp like you've done in the trusted zone.

But you need to be sure that this is the correct way, because everyone on the internet will be able to access that port. If it's to be used between containers, then maybe it's not meant to be open to the public?
--
R.I.P. CentOS :cry:
--

Derpaphobia
Posts: 5
Joined: 2020/01/21 21:33:36

Re: firewalld and docker

Post by Derpaphobia » 2020/01/23 13:40:45

This is what I have, and my containers seem to be able to communicate:

# All of these write the permanent config; reload at the end to activate it.
sudo firewall-cmd --zone=public --add-masquerade --permanent
sudo firewall-cmd --permanent --zone=public --change-interface=docker0
# Direct rule: accept traffic from containers that is addressed to the host itself
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 4 -i docker0 -j ACCEPT
sudo firewall-cmd --permanent --zone=public --add-port=[YOURPORT]/tcp
sudo firewall-cmd --reload

Run the last one for every port you need to open; just remember to swap out "[YOURPORT]" for the actual port, i.e. 5432.

And swap out "docker0" if you've named the network something else.
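
Added example, not part of the reply above or of Docker's or firewalld's own tooling: a script that rebuilds the layout the thread is after and keeps the public zone as default. The design differs from the reply in one point: instead of putting docker0 into public and patching host access with a `--direct` rule, it binds docker0 to the trusted zone and the uplink to public. The "No route to host" the original poster saw is firewalld's FORWARD chain rejecting bridged traffic between containers (with br_netfilter loaded that traffic passes through iptables), and a bridge in an ACCEPT zone clears that without opening anything on the network side; only the ports listed for public are reachable from outside. Assumptions, labelled in the code: `docker0` is the bridge and `ens160` the uplink as in the dump, `5000/tcp` is the CKAN port already open in the poster's public zone, and `5432/tcp` is deliberately not published. Commands are generated first and applied second, so the plan can be reviewed or dry-run with `FIREWALL_CMD=echo`. Caveat: Docker 20.10 and later registers its own `docker` zone with firewalld and puts its bridges there; check `firewall-cmd --get-active-zones` before moving docker0 by hand.

```shell
#!/bin/sh
# Rebuild the firewalld layout: public stays the default zone and holds the
# uplink with only the published ports open; the Docker bridge alone goes into
# trusted so containers can reach each other and the host. Commands are
# generated first (plan) and applied second, so the plan can be reviewed or
# dry-run with FIREWALL_CMD=echo.
: "${FIREWALL_CMD:=firewall-cmd}"   # override for a dry run

# plan_zones BRIDGE UPLINK PORT...: print the firewall-cmd argument lists, one
# per line, that move BRIDGE into trusted, UPLINK into public (the default),
# open only the listed PORTs on public, and activate the permanent config.
plan_zones() {
  bridge=$1; uplink=$2; shift 2
  echo "--set-default-zone=public"                        # runtime and permanent
  echo "--permanent --zone=trusted --change-interface=$bridge"
  echo "--permanent --zone=public --change-interface=$uplink"
  echo "--permanent --zone=public --add-masquerade"      # as in the reply above; harmless beside Docker's own NAT
  for p in "$@"; do
    echo "--permanent --zone=public --add-port=$p"
  done
  echo "--reload"                                         # permanent config -> runtime
}

# apply_plan: run each line of the plan on stdin through $FIREWALL_CMD.
# Word splitting of the line is intentional: each line is an argument list.
apply_plan() {
  while IFS= read -r args; do
    [ -n "$args" ] || continue
    # shellcheck disable=SC2086
    $FIREWALL_CMD $args || { echo "failed: $FIREWALL_CMD $args" >&2; return 1; }
  done
}

# verify_layout BRIDGE UPLINK: query the live daemon and confirm the result.
verify_layout() {
  [ "$($FIREWALL_CMD --get-default-zone)" = public ] || { echo "default zone is not public" >&2; return 1; }
  [ "$($FIREWALL_CMD --get-zone-of-interface "$1")" = trusted ] || { echo "$1 is not in trusted" >&2; return 1; }
  [ "$($FIREWALL_CMD --get-zone-of-interface "$2")" = public ] || { echo "$2 is not in public" >&2; return 1; }
  echo "public zone ports: $($FIREWALL_CMD --zone=public --list-ports)"
}

# Stand-alone run: print the plan; apply and verify only when asked (--apply).
# Assumed names: docker0 = bridge, ens160 = uplink, 5000/tcp = CKAN port that is
# already open in the poster's public zone. 5432/tcp (PostgreSQL) is deliberately
# absent: containers reach the database over docker0 only.
plan_zones docker0 ens160 5000/tcp
if [ "${1:-}" = "--apply" ]; then
  plan_zones docker0 ens160 5000/tcp | apply_plan && verify_layout docker0 ens160
fi
```

Review the printed plan first (`FIREWALL_CMD=echo sh zones.sh --apply` shows exactly what would run), then run it with `--apply` as root. Adding more published ports is a matter of appending them to the `plan_zones` call; nothing ever lands in the trusted zone except the bridge.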

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewalld and docker

Post by TrevorH » 2020/01/23 14:11:01

If your container is running CentOS and has SELinux enabled, then you will need to toggle the SELinux boolean httpd_can_network_connect_db to be able to connect to database ports from Apache httpd or nginx.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: firewalld and docker

Post by aks » 2020/01/23 19:37:29

Yeah containers can make things complex (although I have no idea what CKAN containers are).

Are the containers running on the same container network?
Did you link/extra-host the containers?
How are you bringing the containers up (docker, or are you using compose)?
Are the containers on the same host?
