Hi, I am running a VM host with multiple Docker containers. Each container has an isolated network assigned. Traffic initiated from the containers going out to the internet is not blocked as expected by the policy: REJECT
Curl run from the host/VM:

# curl -v https://www.sf.net
*   Trying 204.68.111.105:443...
* connect to 204.68.111.105 port 443 failed: Connection timed out
* Failed to connect to www.sf.net port 443: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to www.sf.net port 443: Connection timed out

Curl run from Docker:

/ # curl -v https://www.sf.net
*   Trying 204.68.111.105:443...
* Connected to www.sf.net (204.68.111.105) port 443 (#0)

Shorewall version running on Debian 11: 5.2.3.4-1

/etc/shorewall/policy
#SOURCE   DEST   POLICY   LOGLEVEL     RATE   CONNLIMIT
$FW       net    DROP     $LOG_LEVEL
net       all    DROP     $LOG_LEVEL
# The FOLLOWING POLICY MUST BE LAST
all       all    REJECT   $LOG_LEVEL

/etc/shorewall/interfaces
###############################################################################
#ZONE     INTERFACE         OPTIONS
net       ens192            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=ens192
dock      docker0           bridge
db_maria  br-0637e091497f   tcpflags,logmartians,nosmurfs,sourceroute=0,routefilter=1
www1      br-7172e1291701   tcpflags,logmartians,nosmurfs,sourceroute=0,routefilter=1
www2      br-33696d489f5a   tcpflags,logmartians,nosmurfs,sourceroute=0,routefilter=1

There is no ACCEPT rule in /etc/shorewall/rules. Even host traffic is all blocked unless explicitly permitted by an »ACCEPT $FW net« rule.
Iptables rules:

Chain FORWARD (policy DROP)
target            prot opt source      destination
DOCKER-USER       all  --  0.0.0.0/0   0.0.0.0/0
DOCKER-ISOLATION  all  --  0.0.0.0/0   0.0.0.0/0
DOCKER            all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0   ctstate RELATED,ESTABLISHED
DOCKER            all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0   ctstate RELATED,ESTABLISHED
DOCKER            all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0
net_frwd          all  --  0.0.0.0/0   0.0.0.0/0
dock_frwd         all  --  0.0.0.0/0   0.0.0.0/0
db_maria_frwd     all  --  0.0.0.0/0   0.0.0.0/0
www1_frwd         all  --  0.0.0.0/0   0.0.0.0/0
www2_frwd         all  --  0.0.0.0/0   0.0.0.0/0
DROP              all  --  0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type BROADCAST
DROP              all  --  0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type ANYCAST
DROP              all  --  0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type MULTICAST
LOG               all  --  0.0.0.0/0   0.0.0.0/0   limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "FORWARD REJECT "
reject            all  --  0.0.0.0/0   0.0.0.0/0   [goto]

Chain OUTPUT (policy DROP)
target            prot opt source      destination
DOCKER            all  --  0.0.0.0/0   0.0.0.0/0
fw-net            all  --  0.0.0.0/0   0.0.0.0/0
fw-dock           all  --  0.0.0.0/0   0.0.0.0/0
fw-db_maria       all  --  0.0.0.0/0   0.0.0.0/0
fw-www1           all  --  0.0.0.0/0   0.0.0.0/0
fw-www2           all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0
DROP              all  --  0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type BROADCAST
DROP              all  --  0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type ANYCAST
DROP              all  --  0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type MULTICAST
LOG               all  --  0.0.0.0/0   0.0.0.0/0   limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "OUTPUT REJECT "
reject            all  --  0.0.0.0/0   0.0.0.0/0   [goto]

Chain db_maria-net (1 references)
target            prot opt source      destination
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0   ctstate RELATED,ESTABLISHED
DROP              all  --  0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type BROADCAST
DROP              all  --  0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type ANYCAST
DROP              all  --  0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type MULTICAST
LOG               all  --  0.0.0.0/0   0.0.0.0/0   limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "db_maria-net REJECT "
reject            all  --  0.0.0.0/0   0.0.0.0/0   [goto]

Chain db_maria_frwd (1 references)
target            prot opt source      destination
dynamic           all  --  0.0.0.0/0   0.0.0.0/0   ctstate INVALID,NEW,UNTRACKED
smurfs            all  --  0.0.0.0/0   0.0.0.0/0   ctstate INVALID,NEW,UNTRACKED
tcpflags          tcp  --  0.0.0.0/0   0.0.0.0/0
db_maria-net      all  --  0.0.0.0/0   0.0.0.0/0
db_maria-dock     all  --  0.0.0.0/0   0.0.0.0/0
db_maria-www1     all  --  0.0.0.0/0   0.0.0.0/0
db_maria-www2     all  --  0.0.0.0/0   0.0.0.0/0

Chain net_frwd (1 references)
target            prot opt source      destination
dynamic           all  --  0.0.0.0/0   0.0.0.0/0   ctstate INVALID,NEW,UNTRACKED
smurfs            all  --  0.0.0.0/0   0.0.0.0/0   ctstate INVALID,NEW,UNTRACKED
tcpflags          tcp  --  0.0.0.0/0   0.0.0.0/0
net-dock          all  --  0.0.0.0/0   0.0.0.0/0
net-www1          all  --  0.0.0.0/0   0.0.0.0/0
net-www2          all  --  0.0.0.0/0   0.0.0.0/0

Chain reject (135 references)
target            prot opt source       destination
DROP              all  --  0.0.0.0/0    0.0.0.0/0   ADDRTYPE match src-type BROADCAST
DROP              all  --  224.0.0.0/4  0.0.0.0/0
DROP              2    --  0.0.0.0/0    0.0.0.0/0
REJECT            tcp  --  0.0.0.0/0    0.0.0.0/0   reject-with tcp-reset
REJECT            udp  --  0.0.0.0/0    0.0.0.0/0   reject-with icmp-port-unreachable
REJECT            icmp --  0.0.0.0/0    0.0.0.0/0   reject-with icmp-host-unreachable
REJECT            all  --  0.0.0.0/0    0.0.0.0/0   reject-with icmp-host-prohibited

Chain net-db_maria (1 references)
target            prot opt source      destination
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0   ctstate RELATED,ESTABLISHED
DROP              all  --  0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type BROADCAST
DROP              all  --  0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type ANYCAST
DROP              all  --  0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type MULTICAST
LOG               all  --  0.0.0.0/0   0.0.0.0/0   limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "net-db_maria DROP "
DROP              all  --  0.0.0.0/0   0.0.0.0/0

Chain dynamic (24 references)
target            prot opt source      destination

Chain smurflog (2 references)
target            prot opt source      destination
LOG               all  --  0.0.0.0/0   0.0.0.0/0   limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "smurfs DROP "
DROP              all  --  0.0.0.0/0   0.0.0.0/0

Chain smurfs (22 references)
target            prot opt source       destination
RETURN            all  --  0.0.0.0      0.0.0.0/0
smurflog          all  --  0.0.0.0/0    0.0.0.0/0   [goto] ADDRTYPE match src-type BROADCAST
smurflog          all  --  224.0.0.0/4  0.0.0.0/0   [goto]

Chain tcpflags (24 references)
target            prot opt source      destination
logflags          tcp  --  0.0.0.0/0   0.0.0.0/0   [goto] tcp flags:0x3F/0x29
logflags          tcp  --  0.0.0.0/0   0.0.0.0/0   [goto] tcp flags:0x3F/0x00
logflags          tcp  --  0.0.0.0/0   0.0.0.0/0   [goto] tcp flags:0x06/0x06
logflags          tcp  --  0.0.0.0/0   0.0.0.0/0   [goto] tcp flags:0x05/0x05
logflags          tcp  --  0.0.0.0/0   0.0.0.0/0   [goto] tcp flags:0x03/0x03
logflags          tcp  --  0.0.0.0/0   0.0.0.0/0   [goto] tcp flags:0x19/0x09
logflags          tcp  --  0.0.0.0/0   0.0.0.0/0   [goto] tcp spt:0 flags:0x17/0x02

Docker is enabled in shorewall.conf. This looks like a bug, or am I missing something?

Regards,
Jernej
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
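In the FORWARD chain above, Docker's ACCEPT rules sit ahead of Shorewall's per-zone dispatch chains (net_frwd, dock_frwd, ...), so a forwarded packet can be accepted before any Shorewall policy is consulted. The following is an added check (my own code, not from the post or from Shorewall) that parses `iptables -L FORWARD -n` output and lists the ACCEPT rules that precede the first `*_frwd` chain; the embedded listing is an abbreviated excerpt of the post's FORWARD chain. Plain `-L` hides the `-i`/`-o` interface matches attached to those rules, so confirm them with `iptables -L FORWARD -n -v` or `iptables -S FORWARD`.

```python
"""Find ACCEPT rules in an `iptables -L FORWARD -n` listing that come before
Shorewall's zone dispatch chains (targets ending in _frwd)."""

# Abbreviated excerpt of the FORWARD chain quoted in the post above.
FORWARD_LISTING = """\
Chain FORWARD (policy DROP)
target            prot opt source      destination
DOCKER-USER       all  --  0.0.0.0/0   0.0.0.0/0
DOCKER-ISOLATION  all  --  0.0.0.0/0   0.0.0.0/0
DOCKER            all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT            all  --  0.0.0.0/0   0.0.0.0/0
net_frwd          all  --  0.0.0.0/0   0.0.0.0/0
dock_frwd         all  --  0.0.0.0/0   0.0.0.0/0
LOG               all  --  0.0.0.0/0   0.0.0.0/0   limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "FORWARD REJECT "
reject            all  --  0.0.0.0/0   0.0.0.0/0   [goto]
"""


def parse_rules(listing):
    """Return [(position, target, extra_matches)] for each rule line, 1-based."""
    rules = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith(("Chain ", "target ")):
            continue  # skip blank lines and the chain/column headers
        # Columns: target prot opt source destination [match options...]
        parts = line.split(None, 5)
        extra = parts[5] if len(parts) > 5 else ""
        rules.append((len(rules) + 1, parts[0], extra))
    return rules


def accepts_before_zone_dispatch(listing):
    """ACCEPT rules positioned before the first *_frwd chain, as (position, extra)."""
    rules = parse_rules(listing)
    first_frwd = next((pos for pos, tgt, _ in rules if tgt.endswith("_frwd")), None)
    if first_frwd is None:
        return []  # no Shorewall dispatch chains present in this listing
    return [(pos, extra) for pos, tgt, extra in rules
            if tgt == "ACCEPT" and pos < first_frwd]


def new_connection_accepts(listing):
    """Subset of the above not restricted to RELATED,ESTABLISHED: these admit NEW flows."""
    return [(pos, extra) for pos, extra in accepts_before_zone_dispatch(listing)
            if "RELATED,ESTABLISHED" not in extra]


if __name__ == "__main__":
    for pos, extra in new_connection_accepts(FORWARD_LISTING):
        print(f"rule {pos}: ACCEPT {extra or '(interface match not shown by -L; use -L -n -v)'}")
```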