On 08/08/2017 08:42 PM, Roland Schmid wrote:
> Hi Tom, 
> 
> Thanks for the response, sadly didn't work.
> Please find the 2 requested shorewall dumps attached
> 

Docker isn't installing any meaningful rules. From the first dump:

In the filter table, both the DOCKER and DOCKER-ISOLATION chains are empty.

Chain DOCKER (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION (0 references)
 pkts bytes target     prot opt in     out     source               destination

In the nat table:

Chain PREROUTING (policy ACCEPT 49 packets, 2913 bytes)
 pkts bytes target     prot opt in     out     source               destination
  105  6506 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

That sends all incoming connection requests that have a LOCAL
destination (address on the firewall) to the DOCKER chain.

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Same for outgoing connections to a local destination other than the
loopback network. For some unknown reason, that rule is repeated 12 times.

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0

After routing, all connection requests from 172.17.0.0/16 whose
destination is not the docker0 bridge are masqueraded.

Chain DOCKER (13 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0

The DOCKER chain does nothing but return for connections originating in
a container.

All of that nonsense is preserved when Shorewall starts, which is what
Shorewall attempts to do when DOCKER=Yes. In addition, Shorewall creates
many rules in the DOCKER-ISOLATION chain, but since Docker isn't
generating any jumps to that chain, those rules are ignored.

This is totally unlike anything I've seen from Docker. I've changed the
Subject in this response in the hope that someone who knows more about
Docker than I do can help.

In the meantime, I suspect that this will work if you add DNAT rules for
the traffic that you wish to forward from the wan zone to the dock zone.
I normally see those rules generated by Docker itself.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
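The diagnosis above boils down to a few checks on `iptables -L -n -v` output: whether anything jumps to the filter-table DOCKER and DOCKER-ISOLATION chains, whether the nat-table DOCKER chain carries any DNAT rule at all, and whether the OUTPUT jump has been duplicated. The following script is an added example for this thread, not Shorewall or Docker code; it parses one table's listing at a time, reports those findings, and lists published ports from DNAT rules. The dumps embedded in it are constructed to mirror the ones quoted above (with three OUTPUT jumps rather than twelve), plus a healthy nat DOCKER chain with an assumed container 172.17.0.2 publishing port 80 on host port 8080.

```python
"""Check the iptables chains Docker is expected to install.

Added example for this thread, not Shorewall or Docker code. Each parse_chains()
input is the text of `iptables -t <table> -L -n -v` for a single table.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional

# "Chain NAME (policy ACCEPT 49 packets, 2913 bytes)" or "Chain NAME (N references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)")

# extra = match text after the destination column (ADDRTYPE ..., dpt:..., to:...)
Rule = namedtuple("Rule", "target proto in_if out_if source dest extra")


@dataclass
class Chain:
    name: str
    policy: Optional[str]      # built-in chains carry a policy ...
    references: Optional[int]  # ... user chains carry a reference count
    rules: list = field(default_factory=list)


def parse_chains(dump: str) -> dict:
    """Parse one table's listing into {chain name: Chain}."""
    chains, current = {}, None
    for line in dump.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = Chain(name, policy, None if refs is None else int(refs))
            chains[name] = current
            continue
        # Rule columns: pkts bytes target prot opt in out source destination [match text]
        parts = line.split(None, 9)
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue
        current.rules.append(Rule(parts[2], parts[3], parts[5], parts[6], parts[7], parts[8],
                                  parts[9] if len(parts) > 9 else ""))
    return chains


def docker_findings(filter_chains: dict, nat_chains: dict) -> list:
    """Describe what is wrong with the Docker chains; an empty list means they look sane."""
    empty = Chain("", None, None)
    out = []
    for name in ("DOCKER", "DOCKER-ISOLATION"):
        ch = filter_chains.get(name)
        if ch is None:
            out.append(f"filter/{name}: chain missing")
        elif ch.references == 0:
            out.append(f"filter/{name}: 0 references, nothing jumps to it")
    if not any(r.target == "DNAT" for r in nat_chains.get("DOCKER", empty).rules):
        out.append("nat/DOCKER: no DNAT rules, no published container port is reachable")
    jumps = sum(r.target == "DOCKER" for r in nat_chains.get("OUTPUT", empty).rules)
    if jumps > 1:
        out.append(f"nat/OUTPUT: jump to DOCKER repeated {jumps} times")
    if not any(r.target == "MASQUERADE" and r.out_if.startswith("!")
               for r in nat_chains.get("POSTROUTING", empty).rules):
        out.append("nat/POSTROUTING: no MASQUERADE for traffic leaving the bridge")
    return out


def published_ports(nat_chains: dict) -> list:
    """(proto, host port, container addr:port) for every DNAT rule in nat/DOCKER."""
    ports = []
    for r in nat_chains.get("DOCKER", Chain("", None, None)).rules:
        dpt, to = re.search(r"dpt:(\d+)", r.extra), re.search(r"to:(\S+)", r.extra)
        if r.target == "DNAT" and dpt and to:
            ports.append((r.proto, int(dpt.group(1)), to.group(1)))
    return ports


# Constructed dumps: BROKEN_* mirror the thread, HEALTHY_NAT shows a published port.
BROKEN_FILTER = """\
Chain DOCKER (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain DOCKER-ISOLATION (0 references)
 pkts bytes target     prot opt in     out     source               destination
"""
BROKEN_NAT = """\
Chain PREROUTING (policy ACCEPT 49 packets, 2913 bytes)
 pkts bytes target     prot opt in     out     source               destination
  105  6506 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
Chain DOCKER (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
"""
HEALTHY_NAT = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    3   180 DNAT       tcp  --  !docker0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.2:80
"""

if __name__ == "__main__":
    for finding in docker_findings(parse_chains(BROKEN_FILTER), parse_chains(BROKEN_NAT)):
        print("problem:", finding)
    print("published:", published_ports(parse_chains(HEALTHY_NAT)))
```

Run against the constructed dumps it reports the four problems Tom reads off the dump (both filter chains unreferenced, no DNAT in nat/DOCKER, the duplicated OUTPUT jump) and, for the healthy chain, lists tcp/8080 -> 172.17.0.2:80. Feed it the real listings from the two tables on a host where Docker is behaving and the findings list should come back empty; a non-empty list is the cue for the interim workaround Tom suggests, one Shorewall DNAT rule per port you need forwarded from the wan zone to the dock zone.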


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users