Thanks for the tip Winston - particularly relating to the deltas; I suspect
it's something relating to docker-shorewall interactions, so I'll try to focus
on this.

The host is a VM. The zones we have are:
- Docker (for traffic on the docker bridges)
- Fw for the host/VM
- Net for traffic with source/dest outside the machine

I'll have a look into the change detection methods you flagged to see if I can
see something there.

BR,
Sean.


__________________________________
Sean Murphy
Senior Platform Engineer
sean.mur...@datahouse.ch
T +41 44  289-84-22
www.datahouse.ch
Linkedin | YouTube
__________________________________


________________________________________
From: Winston Sorfleet <w...@romanus.ca>
Sent: Thursday, March 20, 2025 6:23 PM
To: shorewall-users@lists.sourceforge.net 
<shorewall-users@lists.sourceforge.net>
Subject: Re: [Shorewall-users] Problems accessing host from docker container 
running on host
 

Pending my previous question about whether the VM and the host are in
the same zone, you might get some clues from doing

shorewall start; iptables -S > /tmp/shorewall_on

shorewall clear; iptables -S > /tmp/shorewall_clear

diff /tmp/shorewall_on /tmp/shorewall_clear


On 2025-03-20 06:23, Simon Matter wrote:
>> Thanks Matt.
>>
>> Yes - if I do a shorewall clear, it's possible to access the host from
>> inside the docker container. The default docker iptables config seems to
>> support this. However, when I enable shorewall (with docker support), it's
>> not possible.
>>
>> It really seems like some interaction between the docker iptables
>> functionality and the shorewall iptables functionality is causing the
>> problem and more specifically, on the return path from the service running
>> on the host to the docker container.
> Maybe you have to configure docker so that it doesn't fiddle with the
> iptables config?
>
> Simon
>
>> It could be something of an edge case as mostly the point of having
>> containers is to have (some) isolation from the host but we think it prob
>> should be possible to eg access stuff from inside the containers which is
>> accessible from anywhere on the internet.
>>
>> Thanks for any insights.
>>
>> BR,
>> Sean.
>>
>> __________________________________
>> Sean Murphy
>> Senior Platform Engineer
>> sean.mur...@datahouse.ch
>> T +41 44  289-84-22
>> www.datahouse.ch
>> Linkedin | YouTube
>> __________________________________
>>
>>
>> ________________________________________
>> From: Matt Darfeuille <m...@shorewall.org>
>> Sent: Wednesday, March 19, 2025 8:19 PM
>> To: shorewall-users@lists.sourceforge.net
>> <shorewall-users@lists.sourceforge.net>
>> Subject: Re: [Shorewall-users] Problems accessing host from docker
>> container running on host
>>
>>
>> On 3/19/25 10:49, Sean Murphy via Shorewall-users wrote:
>>> Hi all,
>>>
>>> We have been (ab)using shorewall for some years now and we're v happy with it -
>>> thanks everyone and Tom in particular for such a great tool.
>>>
>>> We have been using it to manage security for a set of VMs running applications
>>> with docker-compose. Almost all of our hosts have a single external network
>>> interface; this is perhaps not the use case for which shorewall was designed
>>> but it has been working for us so far.
>>>
>>> We now have a scenario which is proving more difficult: we want to access a
>>> service running on a host from within a container.
>>>
>>> We have tried the most open configuration possible - a policy with all:all
>>> ACCEPT and no rules; it seems the service is accessible from anywhere except
>>> inside the docker container.
>>>
>>> Accessing the service from inside the container results in timeouts, so
>>> presumably the packets are being dropped somewhere. We tried ping, ssh (on
>>> standard ports) and an http service running on a high port number.
>>>
>>> Zone configuration:
>>> root@dhit-disposable01:/etc/shorewall# cat zones
>>> ###############################################################################
>>> #ZONE           TYPE      OPTIONS                 IN                      OUT
>>> #                                                 OPTIONS                 OPTIONS
>>> fw              firewall
>>> net             ipv4
>>> dock            ipv4
>>>
>>> Interface configuration:
>>> root@dhit-disposable01:/etc/shorewall# cat interfaces
>>> ###############################################################################
>>> ?FORMAT 2
>>> ###############################################################################
>>> #ZONE   INTERFACE                 OPTIONS
>>> net     eth                       physical=eth+,dhcp,nosmurfs
>>> net     en                        physical=en+,dhcp,nosmurfs
>>> dock    docker0                   physical=docker+,routeback=1
>>> dock    br                        physical=br-+,routeback=1
>>>
>>> Policy configuration:
>>> root@dhit-disposable01:/etc/shorewall# cat policy
>>> #SOURCE        DEST        POLICY      LOGLEVEL    LIMIT
>>> all            all         ACCEPT
>>>
>>> Rules configuration:
>>> root@dhit-disposable01:/etc/shorewall# cat rules
>>> #ACTION      SOURCE                  DEST       PROTO      DPORT
>>> # No rules
>>>
>>> Docker configuration as per shorewall.conf
>>> root@dhit-disposable01:/etc/shorewall# grep -i docker shorewall.conf
>>> # Default shorewall config, except for DOCKER=Yes (and this comment).
>>> DOCKER=Yes
>>> DOCKER_BRIDGE=docker0
>>>
>>> I did shorewall compile, safe-reload and then restarted the docker daemon but
>>> the packets still seem to be being dropped. I tried iptables-tracer [1] to get
>>> some info on where they disappear and it seems packets are being dropped on
>>> the return path.
>> If you do a `shorewall clear`, does it work at all?
>>
>>
>> Note that the project is unmaintained.
>>
>> --
>> Matt Darfeuille <m...@shorewall.org>
>> Unmaintained project, no more releases or bug fixes
>> Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
>>
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>
>
>


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
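Winston's "shorewall start" versus "shorewall clear" dump diff, narrowed to the rules that touch the docker bridges or Docker's own chains (where a docker/shorewall interaction on the host-to-container return path would show up). This is an added example, not from the thread; the two dumps are constructed samples, and the `dock-fw`/`fw-dock` chain names in them are placeholders rather than anything Shorewall is known to generate.

```shell
#!/bin/sh
# Compare two `iptables -S` dumps (shorewall running vs. cleared) and report
# the docker-related rules that exist in only one of them.
# Added example; sample dumps below are constructed, not captured from a host.
set -e
TMPD=$(mktemp -d)

# Keep only rules naming a docker bridge (docker0, br-*) or a DOCKER* chain.
docker_rules() {
    grep -E -- '(-i|-o) (docker0|br-)|DOCKER' "$1" | sort -u
}

# Docker-related rules present in dump $1 but absent from dump $2.
rules_only_in() {
    docker_rules "$1" > "$TMPD/a"
    docker_rules "$2" > "$TMPD/b"
    comm -23 "$TMPD/a" "$TMPD/b"
}

# Number of docker-related rules in a dump.
docker_rule_count() {
    docker_rules "$1" | wc -l | tr -d ' '
}

ON="$TMPD/shorewall_on"; CLEAR="$TMPD/shorewall_clear"
# Constructed "shorewall clear" state: only Docker's own rules remain.
cat > "$CLEAR" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-N DOCKER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
EOF
# Constructed "shorewall start" state: Docker's rules plus placeholder
# zone chains for container->host (INPUT) and host->container (OUTPUT).
cat > "$ON" <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-N DOCKER
-N dock-fw
-N fw-dock
-A INPUT -i docker0 -j dock-fw
-A OUTPUT -o docker0 -j fw-dock
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A dock-fw -j ACCEPT
-A fw-dock -j ACCEPT
EOF

echo "docker-related rules only present with shorewall running:"
rules_only_in "$ON" "$CLEAR"
echo "docker-related rules missing while shorewall is running:"
rules_only_in "$CLEAR" "$ON"
```

On a real host, replace the two here-documents with the files written by `iptables -S > /tmp/shorewall_on` and `iptables -S > /tmp/shorewall_clear`; the second list being non-empty would mean Shorewall dropped one of Docker's rules.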
