Firewalld and docker forwarding ports

Initial state

Docker is running with its default configuration, i.e. without the option iptables=false. A container has been started with published ports:

docker ps | grep gitea
b4757ccd087e   gitea/gitea:latest   "/usr/bin/entrypoint…"   36 hours ago   Up 17 minutes   127.0.0.1:3000->3000/tcp, 0.0.0.0:2222->22/tcp, :::2222->22/tcp   gitea

root@h2:/etc/docker# netstat -plnt | grep 2222
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      4189864/docker-prox 
tcp6       0      0 :::2222                 :::*                    LISTEN      4189872/docker-prox 

Firewalld is configured with the iptables backend. By design the public zone does not allow connections to port 2222; only the trusted zone does:

# firewall-cmd --get-active-zones
public
  interfaces: eth0
trusted
  sources: MY-HOME-NETWORK-IP/32 


# firewall-cmd --list-all --zone=public
public (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: http https ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

# firewall-cmd --list-all --zone=trusted
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: MY-HOME-NETWORK-IP/32
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Issue

Port 2222 is open on the public host interface and is not blocked for anyone.

Description

Docker's rules in the iptables NAT table forward the traffic: the packet is DNAT'ed to the container in PREROUTING and then traverses the FORWARD chain, so firewalld's rules for eth0 in the INPUT chain are never consulted.
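A quick way to audit this from the host is to list the DNAT rules Docker installed in its DOCKER chain that are not restricted to a loopback destination; every port they match is reachable via PREROUTING -> FORWARD regardless of the public zone. This is an added check, not part of the original note; it assumes Docker's default bridge name docker0 and uses a constructed sample of iptables-save output (the container address 172.17.0.2 is made up) so that it runs offline.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output matching the state above:
# port 2222 published on all interfaces, port 3000 bound to 127.0.0.1 only.
SAMPLE_NAT_RULES='-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 172.17.0.2:22
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.17.0.2:3000'

# Read iptables-save style NAT rules on stdin and print each DNAT rule in the
# DOCKER chain that has no loopback destination match (-d 127.x.x.x). Those
# host ports are DNAT'ed before firewalld's INPUT rules for eth0 can drop them.
exposed_dnat_ports() {
  awk '
    $1 == "-A" && $2 == "DOCKER" && / -j DNAT / {
      loopback = 0; proto = ""; dport = ""; dest = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-d" && $(i+1) ~ /^127\./) loopback = 1
        if ($i == "-p") proto = $(i+1)
        if ($i == "--dport") dport = $(i+1)
        if ($i == "--to-destination") dest = $(i+1)
      }
      if (!loopback) printf "%s/%s -> %s\n", proto, dport, dest
    }'
}

# On a live host (as root) run:  iptables-save -t nat | exposed_dnat_ports
# Anything printed is reachable from eth0 no matter what the public zone says.
# Offline demonstration on the constructed sample (prints tcp/2222 -> 172.17.0.2:22):
printf '%s\n' "$SAMPLE_NAT_RULES" | exposed_dnat_ports
```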

Solution A

Set this option in the Docker daemon config:

# grep iptables /etc/docker/daemon.json 
  "iptables":false,

Profit:
* Port 2222 on

Negative results:
* No internet access inside containers