On 04/15/2016 05:22 PM, Tom Eastep wrote:
> On 04/12/2016 09:36 AM, Farkas Levente wrote:
>> Hi,
>> I see that Shorewall now supports Docker, and I read the docs:
>> http://shorewall.net/Docker.html
>> After I installed it and compared the generated iptables rules, the
>> differences are:
>> - Shorewall creates more rules than what Docker itself adds. Are really
>> all of those rules required?
>>
>> - After I stop Docker, use the Shorewall-generated rules and start
>> Docker again, it adds one more rule (so probably the others are enough
>> to use Docker). But shouldn't this rule have to be added by Shorewall?
>> -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 
> The reason that Shorewall generates that rule is to handle *Shorewall*
> restart.

The above rule was generated by Docker, not Shorewall. What's more, this
rule is not generated at all by Shorewall, i.e. this is the extra rule
relative to Shorewall.

Anyway, here is a list of the rules generated by Docker (without Shorewall
generating any rules).
- It creates one new chain called "DOCKER" and these rules:

-------------------------------
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-------------------------------
and these are the Shorewall-generated new chains:
-------------------------------
:dmz-dock - [0:0]
:dock-fw - [0:0]
:dock-world - [0:0]
:dock_frwd - [0:0]
:fw-dock - [0:0]
:net-dock - [0:0]
:world-dock - [0:0]
-------------------------------
and the rules:
-------------------------------
-A INPUT -i docker0 -j dock-fw
-A FORWARD -i docker0 -j dock_frwd
-A OUTPUT -j DOCKER
-A OUTPUT -o docker0 -j fw-dock
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A dmz-dock -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A dmz-dock -j Reject
-A dmz-dock -g reject
-A dmz_frwd -o docker0 -j dmz-dock
-A dock-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A dock-fw -p tcp -j tcpflags
-A dock-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A dock-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
-A dock-fw -p udp -m udp --dport 33434:33524 -m comment --comment Trcrt -j ACCEPT
-A dock-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Trcrt -j ACCEPT
-A dock-fw -j Reject
-A dock-fw -g reject
-A dock-world -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A dock-world -j ACCEPT
-A dock_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A dock_frwd -p tcp -j tcpflags
-A dock_frwd -o docker0 -j ACCEPT
-A dock_frwd -o br0 -j dock-world
-A fw-dock -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-dock -j ACCEPT
-A net-dock -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-dock -j Drop
-A net-dock -j LOG --log-prefix "Shorewall:net-dock:DROP:"
-A net-dock -j DROP
-A net_frwd -o docker0 -j net-dock
-A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
-A world-dock -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A world-dock -j Reject
-A world-dock -g reject
-A world_frwd -o docker0 -j world-dock
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -j SHOREWALL
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.3:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.3:80
-------------------------------
I don't know why those 80, 443, MASQUERADE and DNAT rules are there.
Regards.

-- 
  Levente                               "Si vis pacem para bellum!"
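The comparison Levente did by hand above (which rules Docker adds on its own versus which ones appear in the Shorewall-generated set) can be automated; the following is an added example, not code from the thread or from Shorewall. It parses `iptables-save` style `-A CHAIN ...` lines from two captures and lists, per chain, the rules present only in one of them. The two inputs are constructed from rules quoted in the post.

```python
# Added example (not from the thread): diff two iptables-save captures so the
# "extra" and "missing" rules between Docker-only and Shorewall setups are
# listed per chain. Sample inputs are constructed from rules quoted in the post.
import shlex
from collections import defaultdict

# Constructed sample: the four rules Docker adds on its own.
DOCKER_ONLY = """
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
"""

# Constructed sample: a few of the Shorewall-generated rules.
SHOREWALL = """
-A FORWARD -i docker0 -j dock_frwd
-A FORWARD -o docker0 -j DOCKER
-A dock_frwd  -o docker0 -j ACCEPT
-A net-dock -j LOG --log-prefix "Shorewall:net-dock:DROP:"
"""

def parse_rules(text):
    """Map chain -> set of rule specs from '-A CHAIN ...' lines.

    shlex keeps a quoted --log-prefix value as one token; rejoining the
    tokens normalizes whitespace so it cannot cause spurious differences.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        tokens = shlex.split(line.strip())
        if len(tokens) < 2 or tokens[0] != "-A":
            continue  # skip ':CHAIN - [0:0]' headers, '*table', COMMIT
        rules[tokens[1]].add(" ".join(tokens[2:]))
    return rules

def diff_rules(left_text, right_text):
    """Return (only_in_left, only_in_right) as sorted '-A CHAIN spec' lists."""
    left, right = parse_rules(left_text), parse_rules(right_text)
    only_left, only_right = [], []
    for chain in sorted(set(left) | set(right)):
        only_left += [f"-A {chain} {s}" for s in sorted(left[chain] - right[chain])]
        only_right += [f"-A {chain} {s}" for s in sorted(right[chain] - left[chain])]
    return only_left, only_right

if __name__ == "__main__":
    missing, extra = diff_rules(DOCKER_ONLY, SHOREWALL)
    print("Docker rules absent from Shorewall set:", *missing, sep="\n  ")
    print("Rules only in Shorewall set:", *extra, sep="\n  ")
```

On a real host, feed it the output of `iptables-save` taken once with only Docker running and once with Shorewall started; rules in the "absent" list are the ones to check Docker still needs (the RELATED,ESTABLISHED rule Levente noticed shows up there).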

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users