> Thanks Matt.
>
> Yes - if I do a shorewall clear, it's possible to access the host from
> inside the docker container. The default docker iptables config seems to
> support this. However, when I enable shorewall (with docker support), it's
> not possible.
>
> It really seems like some interaction between the docker iptables
> functionality and the shorewall iptables functionality is causing the
> problem and more specifically, on the return path from the service running
> on the host to the docker container.

Maybe you have to configure docker so that it doesn't fiddle with the
iptables config?

Simon

>
> It could be something of an edge case as mostly the point of having
> containers is to have (some) isolation from the host, but we think it
> probably should be possible to e.g. access stuff from inside the
> containers which is accessible from anywhere on the internet.
>
> Thanks for any insights.
>
> BR,
> Sean.
>
> __________________________________
> Sean Murphy
> Senior Platform Engineer
> sean.mur...@datahouse.ch
> T +41 44  289-84-22
> www.datahouse.ch
> Linkedin | YouTube
> __________________________________
>
>
> ________________________________________
> From: Matt Darfeuille <m...@shorewall.org>
> Sent: Wednesday, March 19, 2025 8:19 PM
> To: shorewall-users@lists.sourceforge.net
> <shorewall-users@lists.sourceforge.net>
> Subject: Re: [Shorewall-users] Problems accessing host from docker
> container running on host
>  
>
> On 3/19/25 10:49, Sean Murphy via Shorewall-users wrote:
>> Hi all,
>>
>> We have been (ab)using shorewall for some years now and we're very happy
>> with it - thanks everyone and Tom in particular for such a great tool.
>>
>> We have been using it to manage security for a set of VMs running
>> applications with docker-compose. Almost all of our hosts have a single
>> external network interface; this is perhaps not the use case for which
>> shorewall was designed but it has been working for us so far.
>>
>> We now have a scenario which is proving more difficult: we want to
>> access a service running on a host from within a container.
>>
>> We have tried the most open configuration possible - a policy with
>> all:all ACCEPT and no rules; it seems the service is accessible from
>> anywhere except inside the docker container.
>>
>> Accessing the service from inside the container results in timeouts, so
>> presumably the packets are being dropped somewhere. We tried ping, ssh
>> (on standard ports) and an http service running on a high port number.
>>
>> Zone configuration:
>> root@dhit-disposable01:/etc/shorewall# cat zones
>> ###############################################################################
>> #ZONE           TYPE      OPTIONS                 IN                      OUT
>> #                                                 OPTIONS                 OPTIONS
>> fw              firewall
>> net             ipv4
>> dock            ipv4
>>
>> Interface configuration:
>> root@dhit-disposable01:/etc/shorewall# cat interfaces
>> ###############################################################################
>> ?FORMAT 2
>> ###############################################################################
>> #ZONE   INTERFACE                 OPTIONS
>> net     eth                       physical=eth+,dhcp,nosmurfs
>> net     en                        physical=en+,dhcp,nosmurfs
>> dock    docker0                   physical=docker+,routeback=1
>> dock    br                        physical=br-+,routeback=1
>>
>> Policy configuration:
>> root@dhit-disposable01:/etc/shorewall# cat policy
>> #SOURCE        DEST        POLICY      LOGLEVEL    LIMIT
>> all            all         ACCEPT
>>
>> Rules configuration:
>> root@dhit-disposable01:/etc/shorewall# cat rules
>> #ACTION      SOURCE                  DEST       PROTO      DPORT
>> # No rules
>>
>> Docker configuration as per shorewall.conf
>> root@dhit-disposable01:/etc/shorewall# grep -i docker shorewall.conf
>> # Default shorewall config, except for DOCKER=Yes (and this comment).
>> DOCKER=Yes
>> DOCKER_BRIDGE=docker0
>>
>> I did shorewall compile, safe-reload and then restarted the docker
>> daemon but the packets still seem to be being dropped. I tried
>> iptables-tracer [1] to get some info on where they disappear and it seems
>> packets are being dropped on the return path.
>
> If you do a `shorewall clear`, does it work at all?
>
>
> Note that the project is unmaintained.
>
> --
> Matt Darfeuille <m...@shorewall.org>
> Unmaintained project, no more releases or bug fixes
> Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
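An added example, not code from this thread or from the Shorewall project, for localising the drop Sean describes: snapshot the packet counters of every filter-table rule before and after a single test request from the container, and print only the rules whose counters grew. The chain names in the constructed sample (`fw-dock`) are hypothetical; Shorewall's generated chains will have different names.

```shell
#!/bin/sh
# Added example, not code from the thread: localise where the container/host
# traffic is dropped by diffing iptables packet counters around one test request.
# Chain names in the constructed sample ("fw-dock") are hypothetical.
# Snapshot the filter table's counters into file $1 (run as root on the host):
#   snapshot_rules before.txt; <one curl/ssh attempt from the container>; snapshot_rules after.txt
snapshot_rules() {
    iptables -t filter -L -v -n -x --line-numbers > "$1"
}

# diff_counters BEFORE AFTER: print "CHAIN:RULE TARGET +DELTA rule text" for every
# rule or chain policy whose packet counter grew. The last rule that counted, or a
# chain policy that counted, shows where the packets ended up.
diff_counters() {
    awk '
        /^Chain / {                 # "Chain OUTPUT (policy DROP 0 packets, 0 bytes)"
            chain = $2
            if ($3 == "(policy") record(chain ":policy", $4, $5 + 0, "chain policy")
            next
        }
        /^num / || NF == 0 { next } # column header and blank separator lines
        $1 ~ /^[0-9]+$/ {           # "2  0  0 fw-dock all -- * docker0 0.0.0.0/0 0.0.0.0/0"
            key = chain ":" $1; pkts = $2 + 0; target = $4
            $1 = $2 = $3 = ""; sub(/^ +/, "")   # keep only the rule text
            record(key, target, pkts, $0)
        }
        function record(key, target, pkts, text) {
            if (FILENAME == ARGV[1]) before[key] = pkts
            else if (pkts > before[key])
                printf "%s %s +%d %s\n", key, target, pkts - before[key], text
        }' "$1" "$2"
}

# Constructed sample snapshot so the diff can be tried offline.
sample_before() { cat <<'EOF'
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1          10        840 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2           0          0 fw-dock    all  --  *      docker0 0.0.0.0/0            0.0.0.0/0

Chain fw-dock (1 references)
num      pkts      bytes target     prot opt in     out     source               destination
1           0          0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
EOF
}
# Same table after one test request: 3 packets went OUTPUT -> fw-dock, matched
# nothing there, and fell through to OUTPUT's DROP policy.
sample_after() {
    sample_before | awk 'NR == 1 { $5 = 3 } $1 == 2 && $4 == "fw-dock" { $2 = 3; $3 = 180 } { print }'
}
```

Run `sample_before > b; sample_after > a; diff_counters b a` to see the two lines that point at the OUTPUT policy; on a live host the same diff over real snapshots shows which chain, Docker's or Shorewall's, counted the return packets last.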