![]() ![]() After running a few containers, you end up with your iptables rules looking like the following: Chain INPUT (policy ACCEPT 99M packets, 99G bytes) However, when installing Docker using the official documentation as a guide, you end up with some pretty ugly iptables rules: docker creates a virtual interface, docker0, as well as a new interface for every container that is running. I am not running to “dockerize everything” and run “100% on containers” like some others, but if I were to calculate the percentage of services I run on it, it would be pretty high. Now what “properly” is, I leave to you.įor this reason, I am currently using Docker in as many places as I can, and of course, as many servers as needed. In my opinion, Docker is a very useful and powerful tool that solves a lot of problems if used properly. The past few years however, a new piece of software, called Docker, became really popular, and currently has millions of installations for either development, testing, or production. Although not as beginner friendly as others, and with many wrappers (like ufw), iptables is all you need to run a firewall on the server. Make no mistake: I know it won’t save me from everything, but it’s a good start.ĭebian, the operating system in almost all of my servers, has a very powerful tool included: iptables. I try to set up a firewall on the server (or any other intermediary routers) in addition to the one that may be available by the provider. That means an issue in the provider firewall (if there’s such a thing at all), won’t easily affect them, assuming the rules of course are correct. ![]() In order to increase the cost for an attacker, some people go one step further, “defense in depth” they call it, and set up a firewall on the actual server, too. Amazon and Google have done a great work in pushing people to use them in their clouds, but often that’s not enough. Running a firewall and managing it adds overhead to the server administration and most people either ignore it, or use their provider’s firewall. Not only for those with a Public IP Address, for any server. Having a firewall is something that’s necessary, in my opinion, for every server. Ip daddr != 127.0.0.Debian Firewall when using Docker January 2, 2017 Ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER Type nat hook output priority -100 policy accept Type nat hook prerouting priority dstnat policy accept įib daddr type local counter packets 1 bytes 60 jump DOCKERįib daddr type local counter packets 0 bytes 0 jump DOCKER Oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade Type nat hook postrouting priority srcnat policy accept ![]() Iifname "docker0" counter packets 0 bytes 0 return Type filter hook output priority filter policy accept Type filter hook forward priority filter policy accept Type filter hook input priority filter policy accept # iptables-restore-translate -f iptables-ruleset.txt > ruleset.nft # Translated by iptables-restore-translate v1.8.7 on Wed Mar 16 22:06:32 2022Īdd chain ip filter INPUT Īdd rule ip nat PREROUTING fib daddr type local counter jump DOCKERĪdd rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKERĪdd rule ip nat POSTROUTING oifname != "docker0" ip saddr 172.17.0.0/16 counter masqueradeĪdd rule ip nat DOCKER iifname "docker0" counter return # iptables-restore-translate -f iptables-ruleset.txt Whole rule sets can also be translated, in this case we migrate the rules configured in one computer which has Docker installed: The iptables-translate and ip6tables-translate commands can be used to translate old iptables commands into the new nftables syntax. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |