On 08/08/2017 08:42 PM, Roland Schmid wrote:
> Hi Tom,
>
> Thanks for the response, sadly didn't work.
> Please find the 2 requested shorewall dumps attached
>
Docker isn't installing any meaningful rules. From the first dump:

In the filter table, both the DOCKER and DOCKER-ISOLATION chains are empty.

Chain DOCKER (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION (0 references)
 pkts bytes target     prot opt in     out     source               destination

In the nat table:

Chain PREROUTING (policy ACCEPT 49 packets, 2913 bytes)
 pkts bytes target     prot opt in     out     source               destination
  105  6506 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

That sends all incoming connection requests that have a LOCAL destination (address on the firewall) to the DOCKER chain.

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Same for outgoing connections to a local destination other than the loopback network. For some unknown reason, that rule is repeated 12 times.

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out      source               destination
    0     0 MASQUERADE all  --  *      !docker0 172.17.0.0/16        0.0.0.0/0

After routing, all connection requests from 172.17.0.0/16 whose destination is not the docker0 bridge are masqueraded.

Chain DOCKER (13 references)
 pkts bytes target     prot opt in      out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0

The DOCKER chain does nothing but return for connections originating in a container.

All of that nonsense is preserved when Shorewall starts, which is what Shorewall attempts to do when DOCKER=Yes. In addition, Shorewall creates many rules in the DOCKER-ISOLATION chain, but since Docker isn't generating any jumps to that chain, those rules are ignored.

This is totally unlike anything I've seen from Docker. I've changed the Subject in this response in the hope that someone who knows more about Docker than I do can help.

In the meantime, I suspect that this will work if you add DNAT rules for the traffic that you wish to forward from the wan zone to the dock zone. I normally see those rules generated by Docker itself.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.org   \    understand
\_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
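As an added example (not part of the thread, and not Shorewall's or Docker's own code), the chain inspection Tom performs by hand above can be scripted so that the symptom is caught mechanically: an empty filter/DOCKER chain, a nat/PREROUTING jump to DOCKER, a MASQUERADE for 172.17.0.0/16, and, decisively, no DNAT rule in nat/DOCKER. The check reads iptables-save format on stdin rather than the "iptables -L -v -n" layout of a shorewall dump, so on the host it is run as "iptables-save | diagnose". Both dumps embedded below are constructed for this example and modelled on the rules quoted in the thread; the container address 172.17.0.2 and the published port 80 are placeholders, not values from Roland's setup.

```shell
#!/bin/sh
# Added example: summarise what Docker has put into the filter and nat
# tables and fail when no port has been published (no DNAT in nat/DOCKER).
# Input: iptables-save format on stdin.

# Sample 1 (constructed, modelled on the thread's first dump): Docker has
# published nothing. filter/DOCKER and filter/DOCKER-ISOLATION are empty;
# nat only jumps LOCAL-destined traffic to DOCKER and masquerades the bridge.
SAMPLE_UNPUBLISHED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT'

# Sample 2 (constructed): the shape Docker normally produces once a container
# publishes a port. Container address 172.17.0.2 and port 80 are placeholders.
SAMPLE_PUBLISHED=$(printf '%s\n' "$SAMPLE_UNPUBLISHED" | awk '
    /^\*filter$/ { tbl = "filter" }
    /^\*nat$/    { tbl = "nat" }
    /^COMMIT$/ && tbl == "filter" { print "-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT" }
    /^COMMIT$/ && tbl == "nat"    { print "-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80" }
    { print }')

# count_rules TABLE CHAIN [TARGET]
# Print how many "-A CHAIN" rules TABLE holds; with TARGET given, count only
# rules that jump to it (-j TARGET). The dump is read from stdin.
count_rules() {
    awk -v tbl="*$1" -v chain="$2" -v tgt="${3:-}" '
        $0 == tbl        { in_tbl = 1; next }
        $0 == "COMMIT"   { in_tbl = 0 }
        in_tbl && $1 == "-A" && $2 == chain {
            if (tgt == "") { n++; next }
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) == tgt) { n++; break }
        }
        END { print n + 0 }'
}

# diagnose: read a dump from stdin, print the counts that matter for the
# symptom in this thread, and succeed only if nat/DOCKER carries a DNAT rule,
# i.e. Docker actually published a port.
diagnose() {
    dump=$(cat)
    f_docker=$(printf '%s\n' "$dump" | count_rules filter DOCKER)
    f_iso=$(printf '%s\n' "$dump" | count_rules filter DOCKER-ISOLATION)
    n_jump=$(printf '%s\n' "$dump" | count_rules nat PREROUTING DOCKER)
    n_masq=$(printf '%s\n' "$dump" | count_rules nat POSTROUTING MASQUERADE)
    n_dnat=$(printf '%s\n' "$dump" | count_rules nat DOCKER DNAT)
    printf 'filter/DOCKER=%s filter/DOCKER-ISOLATION=%s nat/PREROUTING->DOCKER=%s nat/POSTROUTING MASQUERADE=%s nat/DOCKER DNAT=%s\n' \
        "$f_docker" "$f_iso" "$n_jump" "$n_masq" "$n_dnat"
    if [ "$n_dnat" -eq 0 ]; then
        echo 'no DNAT in nat/DOCKER: Docker published no port; forward wan->dock traffic with Shorewall DNAT rules instead' >&2
        return 1
    fi
    return 0
}

# Demo on the constructed samples: sh this.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_UNPUBLISHED" | diagnose || echo 'sample 1: nothing published'
    printf '%s\n' "$SAMPLE_PUBLISHED" | diagnose && echo 'sample 2: port published'
fi
```

When diagnose reports zero DNAT rules, the Shorewall side of Tom's suggestion is a rules-file entry of the form "DNAT wan dock:172.17.0.2 tcp 80" in /etc/shorewall/rules (again with a placeholder container address); once Docker itself publishes the port, the same check shows the DNAT and the Shorewall rule becomes redundant.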