Hi Tom,
The prepatch attachment, is without any of the patches applied.
The postpatch attachment is with both.
Both ISOLATION chains are now present, but the DOCKER-USER chain is
possibly not quite right?
The diff on the two attachments is:
14d13
< DOCKER-USER all -- anywhere anywhere
16d14
< ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
17a16
> ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
64c63
< Chain DOCKER-USER (1 references)
---
> Chain DOCKER-USER (0 references)
131c130
< Chain sha-lh-f403b295f67a9c18fc2d (0 references)
---
> Chain sha-lh-dc82ddbfc1ff233a2203 (0 references)
134c133
< Chain sha-rh-1286fc964a7ee681a0d9 (0 references)
---
> Chain sha-rh-02fa7900a82998b95fdd (0 references)
Regards,
Tony.
On 27/10/2018 19:54, Tom Eastep wrote:
On 10/27/18 10:44 AM, Anthony Rogers wrote:
Hi Tom,
I have attached the iptables -L after a 'docker restart' and then after
running the shorewall script.
The diff of those two log files is:
14,16d13
< DOCKER-USER all -- anywhere anywhere
< DOCKER-ISOLATION-STAGE-1 all -- anywhere
anywhere
< ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
17a15
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
45c43
< Chain DOCKER-ISOLATION-STAGE-1 (1 references)
---
Chain DOCKER-ISOLATION-STAGE-1 (0 references)
57,60d54
< Chain DOCKER-USER (1 references)
< target prot opt source destination
< RETURN all -- anywhere anywhere
<
124c118
< Chain sha-lh-e5cf36ce25c75630550b (0 references)
---
Chain sha-lh-a054db08bd2f8e099a19 (0 references)
127c121
< Chain sha-rh-f96c7a0b6585893a1b9f (0 references)
---
Chain sha-rh-3dc25e45009adb1cfa85 (0 references)
Regards,
Tony.
Okay - please apply the attached patch on top of the previous one.
Thanks Tony,
-Tom
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Chain INPUT (policy DROP)
target prot opt source destination
~comb0 all -- anywhere anywhere
net-fw all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "INPUT DROP "
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
dock_frwd all -- anywhere anywhere
net-dock all -- anywhere anywhere
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "FORWARD REJECT "
reject all -- anywhere anywhere [goto]
Chain OUTPUT (policy DROP)
target prot opt source destination
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain DOCKER (4 references)
target prot opt source destination
ACCEPT udp -- anywhere 172.24.0.2 udp dpt:domain
ACCEPT tcp -- anywhere 172.18.0.3 tcp dpt:https
ACCEPT tcp -- anywhere 172.18.0.3 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain dock_frwd (1 references)
target prot opt source destination
~comb0 all -- anywhere anywhere
~comb0 all -- anywhere anywhere
Chain dynamic (3 references)
target prot opt source destination
Chain logdrop (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain logflags (7 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info ip-options prefix "logflags DROP "
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
reject all -- anywhere anywhere
Chain net-dock (1 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
sfilter all -- anywhere anywhere [goto]
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
dynamic all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "net-dock DROP "
DROP all -- anywhere anywhere
Chain net-fw (1 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
dynamic all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports
ssh,2376 /* SSH and others */
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "net-fw DROP "
DROP all -- anywhere anywhere
Chain reject (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match
src-type BROADCAST
DROP all -- base-address.mcast.net/4 anywhere
DROP igmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with
tcp-reset
REJECT udp -- anywhere anywhere reject-with
icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with
icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
Chain sfilter (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "sfilter DROP "
DROP all -- anywhere anywhere
Chain sha-lh-dc82ddbfc1ff233a2203 (0 references)
target prot opt source destination
Chain sha-rh-02fa7900a82998b95fdd (0 references)
target prot opt source destination
Chain shorewall (0 references)
target prot opt source destination
all -- anywhere anywhere recent: SET name:
%CURRENTTIME side: source mask: 255.255.255.255
Chain tcpflags (3 references)
target prot opt source destination
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere [goto] tcp
flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,RST/FIN,RST
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,PSH,ACK/FIN,PSH
logflags tcp -- anywhere anywhere [goto] tcp spt:0
flags:FIN,SYN,RST,ACK/SYN
Chain ~comb0 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
dynamic all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain INPUT (policy DROP)
target prot opt source destination
~comb0 all -- anywhere anywhere
net-fw all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "INPUT DROP "
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
dock_frwd all -- anywhere anywhere
net-dock all -- anywhere anywhere
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "FORWARD REJECT "
reject all -- anywhere anywhere [goto]
Chain OUTPUT (policy DROP)
target prot opt source destination
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain DOCKER (4 references)
target prot opt source destination
ACCEPT udp -- anywhere 172.24.0.2 udp dpt:domain
ACCEPT tcp -- anywhere 172.18.0.3 tcp dpt:https
ACCEPT tcp -- anywhere 172.18.0.3 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain dock_frwd (1 references)
target prot opt source destination
~comb0 all -- anywhere anywhere
~comb0 all -- anywhere anywhere
Chain dynamic (3 references)
target prot opt source destination
Chain logdrop (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain logflags (7 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info ip-options prefix "logflags DROP "
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
reject all -- anywhere anywhere
Chain net-dock (1 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
sfilter all -- anywhere anywhere [goto]
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
dynamic all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "net-dock DROP "
DROP all -- anywhere anywhere
Chain net-fw (1 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
dynamic all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports
ssh,2376 /* SSH and others */
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "net-fw DROP "
DROP all -- anywhere anywhere
Chain reject (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match
src-type BROADCAST
DROP all -- base-address.mcast.net/4 anywhere
DROP igmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with
tcp-reset
REJECT udp -- anywhere anywhere reject-with
icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with
icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
Chain sfilter (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "sfilter DROP "
DROP all -- anywhere anywhere
Chain sha-lh-f403b295f67a9c18fc2d (0 references)
target prot opt source destination
Chain sha-rh-1286fc964a7ee681a0d9 (0 references)
target prot opt source destination
Chain shorewall (0 references)
target prot opt source destination
all -- anywhere anywhere recent: SET name:
%CURRENTTIME side: source mask: 255.255.255.255
Chain tcpflags (3 references)
target prot opt source destination
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere [goto] tcp
flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,RST/FIN,RST
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,PSH,ACK/FIN,PSH
logflags tcp -- anywhere anywhere [goto] tcp spt:0
flags:FIN,SYN,RST,ACK/SYN
Chain ~comb0 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
dynamic all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
