Hi Tom,

I have attached the iptables -L after a 'docker restart' and then after running the shorewall script.

The diff of those two log files is:

14,16d13
< DOCKER-USER  all  --  anywhere anywhere
< DOCKER-ISOLATION-STAGE-1  all  --  anywhere anywhere
< ACCEPT     all  --  anywhere             anywhere ctstate RELATED,ESTABLISHED
17a15
> ACCEPT     all  --  anywhere             anywhere ctstate RELATED,ESTABLISHED
45c43
< Chain DOCKER-ISOLATION-STAGE-1 (1 references)
---
> Chain DOCKER-ISOLATION-STAGE-1 (0 references)
57,60d54
< Chain DOCKER-USER (1 references)
< target     prot opt source               destination
< RETURN     all  --  anywhere             anywhere
<
124c118
< Chain sha-lh-e5cf36ce25c75630550b (0 references)
---
> Chain sha-lh-a054db08bd2f8e099a19 (0 references)
127c121
< Chain sha-rh-f96c7a0b6585893a1b9f (0 references)
---
> Chain sha-rh-3dc25e45009adb1cfa85 (0 references)

Regards,

Tony.

On 27/10/2018 18:23, Tom Eastep wrote:
On 10/27/18 4:26 AM, Anthony Rogers wrote:
Hi Tom,

I'm just working through this.

I'm a bit new to both Docker and Shorewall!

I think there's a minor typo in the patch file on line 60. ' > &3'
should be '>&3', or the script errors.

First I ran against Docker version 18.03.0-ce as a regression test.

I fixed the patch file inside the container and 'shorewall restart' ran OK.

I noticed that the DOCKER-USER chain was removed, however I don't
currently use it, so this might not be a problem.

On upgrading to Docker version 18.06.1-ce, the unpatched Shorewall
removed the ISOLATION chains as expected.

After applying the patch, the ISOLATION rules were retained, although
again the DOCKER-USER chain was removed.

Further, I was able to create new networks both manually and as part of
spinning up a new container.

The patch seems to have worked (subject to the typo), so many thanks for
your prompt help.

Regards,

Tony.
Thanks, Tony. When the DOCKER-USER chain is present, where is it jumped
to from?

Thanks,
-Tom


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
[Attachment: iptables -L after running the shorewall script (the '>' side of the diff above)]

Chain INPUT (policy DROP)
target     prot opt source               destination
~comb0     all  --  anywhere             anywhere
net-fw     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
LOG        all  --  anywhere             anywhere             limit: up to 1/sec burst 10 mode srcip LOG level info prefix "INPUT DROP "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
dock_frwd  all  --  anywhere             anywhere
net-dock   all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
LOG        all  --  anywhere             anywhere             limit: up to 1/sec burst 10 mode srcip LOG level info prefix "FORWARD REJECT "
reject     all  --  anywhere             anywhere            [goto]

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.3           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.18.0.3           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (0 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain dock_frwd (1 references)
target     prot opt source               destination
~comb0     all  --  anywhere             anywhere
~comb0     all  --  anywhere             anywhere

Chain dynamic (3 references)
target     prot opt source               destination

Chain logdrop (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain logflags (7 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: up to 1/sec burst 10 mode srcip LOG level info ip-options prefix "logflags DROP "
DROP       all  --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere

Chain net-dock (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED match-set blocked src
sfilter    all  --  anywhere             anywhere            [goto]
DROP       all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED match-set blocked src
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED
tcpflags   tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
LOG        all  --  anywhere             anywhere             limit: up to 1/sec burst 10 mode srcip LOG level info prefix "net-dock DROP "
DROP       all  --  anywhere             anywhere

Chain net-fw (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED match-set blocked src
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED
tcpflags   tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             multiport dports ssh,2376 /* SSH and others */
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
LOG        all  --  anywhere             anywhere             limit: up to 1/sec burst 10 mode srcip LOG level info prefix "net-fw DROP "
DROP       all  --  anywhere             anywhere

Chain reject (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ADDRTYPE match src-type BROADCAST
DROP       all  --  base-address.mcast.net/4  anywhere
DROP       igmp --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain sfilter (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: up to 1/sec burst 10 mode srcip LOG level info prefix "sfilter DROP "
DROP       all  --  anywhere             anywhere

Chain sha-lh-a054db08bd2f8e099a19 (0 references)
target     prot opt source               destination

Chain sha-rh-3dc25e45009adb1cfa85 (0 references)
target     prot opt source               destination

Chain shorewall (0 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255

Chain tcpflags (3 references)
target     prot opt source               destination
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:SYN,RST/SYN,RST
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,RST/FIN,RST
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN/FIN,SYN
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,PSH,ACK/FIN,PSH
logflags   tcp  --  anywhere             anywhere            [goto]  tcp spt:0 flags:FIN,SYN,RST,ACK/SYN

Chain ~comb0 (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED match-set blocked src
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED
tcpflags   tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
[Attachment: iptables -L after 'docker restart' (the '<' side of the diff above)]

Chain INPUT (policy DROP)
target     prot opt source               destination
~comb0     all  --  anywhere             anywhere
net-fw     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
LOG        all  --  anywhere             anywhere             limit: up to 1/sec burst 10 mode srcip LOG level info prefix "INPUT DROP "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
dock_frwd  all  --  anywhere             anywhere
net-dock   all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
LOG        all  --  anywhere             anywhere             limit: up to 1/sec burst 10 mode srcip LOG level info prefix "FORWARD REJECT "
reject     all  --  anywhere             anywhere            [goto]

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.3           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.18.0.3           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain dock_frwd (1 references)
target     prot opt source               destination
~comb0     all  --  anywhere             anywhere
~comb0     all  --  anywhere             anywhere

Chain dynamic (3 references)
target     prot opt source               destination

Chain logdrop (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain logflags (7 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: up to 1/sec burst 10 mode srcip LOG level info ip-options prefix "logflags DROP "
DROP       all  --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere

Chain net-dock (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED match-set blocked src
sfilter    all  --  anywhere             anywhere            [goto]
DROP       all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED match-set blocked src
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED
tcpflags   tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
LOG        all  --  anywhere             anywhere             limit: up to 1/sec burst 10 mode srcip LOG level info prefix "net-dock DROP "
DROP       all  --  anywhere             anywhere

Chain net-fw (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED match-set blocked src
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED
tcpflags   tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             multiport dports ssh,2376 /* SSH and others */
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
LOG        all  --  anywhere             anywhere             limit: up to 1/sec burst 10 mode srcip LOG level info prefix "net-fw DROP "
DROP       all  --  anywhere             anywhere

Chain reject (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ADDRTYPE match src-type BROADCAST
DROP       all  --  base-address.mcast.net/4  anywhere
DROP       igmp --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain sfilter (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: up to 1/sec burst 10 mode srcip LOG level info prefix "sfilter DROP "
DROP       all  --  anywhere             anywhere

Chain sha-lh-e5cf36ce25c75630550b (0 references)
target     prot opt source               destination

Chain sha-rh-f96c7a0b6585893a1b9f (0 references)
target     prot opt source               destination

Chain shorewall (0 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255

Chain tcpflags (3 references)
target     prot opt source               destination
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:SYN,RST/SYN,RST
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,RST/FIN,RST
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN/FIN,SYN
logflags   tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,PSH,ACK/FIN,PSH
logflags   tcp  --  anywhere             anywhere            [goto]  tcp spt:0 flags:FIN,SYN,RST,ACK/SYN

Chain ~comb0 (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED match-set blocked src
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW,UNTRACKED
tcpflags   tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
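As an added check (not from the thread or from Shorewall itself), a small POSIX shell/awk script that reads a saved `iptables -L` listing like the attachments above and reports whether Docker's DOCKER, DOCKER-USER and DOCKER-ISOLATION-STAGE-1 chains still exist and are still jumped to from FORWARD; the two embedded listings are constructed, trimmed copies of the attachments, and the function name is my own.

```shell
#!/bin/sh
# Added example, not part of the thread: given a saved `iptables -L` listing,
# report whether Docker's DOCKER, DOCKER-USER and DOCKER-ISOLATION-STAGE-1
# chains exist and are still referenced from FORWARD. Exit 0 only when all
# three pass; otherwise 1, with one line per problem (hypothetical helper).
check_docker_chains() {   # $1 = file holding `iptables -L` output
    awk '
        /^Chain / { chain = $2; defined[chain] = 1; next }   # "Chain NAME (n references)"
        chain == "FORWARD" && $1 ~ /^DOCKER/ { jumped[$1] = 1 } # rule target in FORWARD
        END {
            rc = 0
            n = split("DOCKER DOCKER-USER DOCKER-ISOLATION-STAGE-1", want, " ")
            for (i = 1; i <= n; i++) {
                c = want[i]
                if (!(c in defined))     { print "MISSING: chain " c " not defined"; rc = 1 }
                else if (!(c in jumped)) { print "ORPHANED: " c " exists but FORWARD does not jump to it"; rc = 1 }
                else                     print "ok: FORWARD -> " c
            }
            exit rc
        }' "$1"
}

# Constructed samples, trimmed from the two attachments in this mail.
AFTER_DOCKER=$(mktemp); AFTER_SHOREWALL=$(mktemp)
cat >"$AFTER_DOCKER" <<'EOF'
Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.3           tcp dpt:https

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
EOF
cat >"$AFTER_SHOREWALL" <<'EOF'
Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.3           tcp dpt:https

Chain DOCKER-ISOLATION-STAGE-1 (0 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
EOF

check_docker_chains "$AFTER_DOCKER" && echo "after docker restart: Docker chains intact"
check_docker_chains "$AFTER_SHOREWALL" || echo "after shorewall: Docker chains damaged"
```

Run it against `iptables -L` output captured before and after `shorewall restart` to confirm that DOCKER-USER survived and that the isolation chain is still reachable rather than left with 0 references.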