irsl / dfwfw
Docker Firewall Framework
Great project, I've started trying to get it working and am slowly making progress.
I've tried using the array version of expose_port to redirect port 2500 on the host to port 25 on the container, and get an error:
ERROR: Invalid expose_port node at /opt/dfwfw/DFWFW/Config.pm line 92.
in:
$VAR1 = {
'expose_port' => {
'family' => 'tcp',
'container_port' => '25',
'host_port' => '2500'
},
'network-ref' => {
'value' => 'bridge',
'op' => '==',
'field' => 'Name',
'opcb' => sub { "DUMMY" }
},
'dst_container' => 'postfix',
'node' => {
'no' => 1
},
'network' => 'bridge',
'filter' => ''
};
This is the config block:
{
"network": "bridge",
"dst_container": "postfix",
"expose_port": { "host_port": "2500", "container_port": "25", "family": "tcp" }
}
I've tried it with and without the family key.
Docker 17.04.0-ce introduced a breaking change: the /networks endpoint no longer returns the containers attached to the networks but rather an empty dict ({}). You now have to request the containers for every network specifically on the /networks/<network-name> endpoint.
See:
I am fairly certain that this change is hitting DFWFW, since I had no success getting container-related rules generated under 17.04.0-ce, but experienced no issues under 17.03.1-ce.
Two solutions (rather one solution and one work-around) I can think of:
1. Request the containers for every network specifically, conforming to the new expected behaviour.
2. Specify the API version to use as 1.27 or below in dfwfw.pl#L118, similar to what is already done in WebService::Docker::Info. This might have a chance of breaking in the future; I am not sure how the Docker developers handle a deprecation like this.
I have not tried either of the possibilities, especially since I'm not really comfortable with Perl.
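The per-network fallback described in this issue, as an added example that is not part of dfwfw (which is written in Perl): a small Python client that pins the API version as the second work-around suggests and queries /networks/<name> whenever the listing's Containers map comes back empty. The socket path and the raw HTTP/1.0 exchange are assumptions, and the sample data is constructed so the function can be exercised offline.

```python
import json
import socket

def docker_get(path, version="1.27", sock_path="/var/run/docker.sock"):
    """GET a Docker API path over the unix socket, pinning the API version.

    Assumptions: the default socket path, and that the daemon answers an
    HTTP/1.0 request with a complete, unchunked JSON body."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(f"GET /v{version}{path} HTTP/1.0\r\nHost: docker\r\n\r\n".encode())
        raw = b"".join(iter(lambda: s.recv(65536), b""))
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    if status != 200:
        raise RuntimeError(f"GET {path} returned HTTP {status}")
    return json.loads(body)

def containers_by_network(networks, get=docker_get):
    """Map network name -> {container name: IPv4} from a GET /networks listing.

    On Docker >= 17.04.0-ce the listing's "Containers" map is empty, so the
    per-network endpoint /networks/<name> is queried for it instead."""
    result = {}
    for net in networks:
        containers = net.get("Containers") or {}
        if not containers:
            containers = get(f"/networks/{net['Name']}").get("Containers") or {}
        result[net["Name"]] = {
            c["Name"]: c["IPv4Address"].split("/")[0] for c in containers.values()
        }
    return result

# Constructed sample data standing in for the daemon so this runs offline:
# the listing carries empty "Containers" maps, the detail endpoint does not.
SAMPLE_LISTING = [
    {"Name": "bridge", "Id": "n1", "Containers": {}},
    {"Name": "cadnet", "Id": "n2", "Containers": {}},
]
SAMPLE_DETAIL = {
    "/networks/bridge": {"Containers": {
        "c1": {"Name": "postfix", "IPv4Address": "172.17.0.2/16"}}},
    "/networks/cadnet": {"Containers": {
        "c2": {"Name": "nginx_1", "IPv4Address": "172.18.0.2/16"},
        "c3": {"Name": "app_1", "IPv4Address": "172.18.0.3/16"}}},
}

if __name__ == "__main__":
    print(containers_by_network(SAMPLE_LISTING, SAMPLE_DETAIL.__getitem__))
```

Against a live daemon, `containers_by_network(docker_get("/networks"))` does the same using the default `get`, and works whether or not the pinned version makes the listing populated.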
When you use a tool like 'vi' to update the file, the inode is changed and the container doesn't see the modification.
Mount a directory instead.
Write in the readme that this repo uses a submodule, and that a plain git clone is not sufficient:
git clone --recursive git://github.com/foo/bar.git
Hello!
I've got 2 WAN ports (eth0 and eth1) on the host; requests to containers come from both, but in "external_network_interface" I can set up only one. Can I remove the interface info altogether?
was:
#1: host:80 -> nginx_1:80 / tcp
-A DFWFW_PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 172.18.0.2:80
wanted:
#1: host:80 -> nginx_1:80 / tcp
-A DFWFW_PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.18.0.2:80
How to expose a container to my VPN only?
My current configuration:
This configuration exposes the container to the public, while from the VPN it seems unreachable.
{
"initialization": {
"filter": [
":DFWFW_INPUT - [0:0]",
":HOST_OUTBOUND - [0:0]",
":HOST_INCOMING - [0:0]",
"-P INPUT DROP",
"-F INPUT",
"-A INPUT -m state --state INVALID -j DROP",
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
"-A INPUT -j DFWFW_INPUT",
"-A INPUT -m state --state NEW -j HOST_INCOMING",
"-F HOST_INCOMING",
"-A HOST_INCOMING -p tcp -s 10.8.3.0/24 --dport 22 -j ACCEPT",
"-A HOST_INCOMING -p icmp -j ACCEPT",
"-P OUTPUT DROP",
"-F OUTPUT",
"-A OUTPUT -m state --state INVALID -j DROP",
"-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
"-A OUTPUT -m state --state NEW -j HOST_OUTBOUND",
"-F HOST_OUTBOUND",
"-A HOST_OUTBOUND -p icmp -j ACCEPT",
"-P FORWARD DROP"
]
},
"container_to_container": {
"default_policy": "ACCEPT"
},
"container_to_wider_world": {
"default_policy": "ACCEPT"
},
"container_to_host": {
"default_policy": "ACCEPT"
},
"wider_world_to_container": {
"rules": [
{
"network": "bridge",
"dst_container": "nginx",
"filter": "-s 10.8.0.205",
"expose_port": 8080
}
]
}
}
The "filter": "-s 10.8.0.205" entry seems not to work.
I'm trying to create rule that matches any container.
It looks like:
{
"dst_container": "Name =~ .*",
"network": "cadnet"
},
But it only fires after at least two containers have been created in network cadnet.
I.e. it does not work if there is only one container in the target network.
Hopefully this is another error/oversight on my end.
I'm using the basic example initialization block, just added a line for inbound NTP:
"initialization": {
"filter": [
":DFWFW_INPUT - [0:0]",
":HOST_OUTBOUND - [0:0]",
":HOST_INCOMING - [0:0]",
"-P INPUT DROP",
"-F INPUT",
"-A INPUT -m state --state INVALID -j DROP",
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
"-A INPUT -j DFWFW_INPUT",
"-A INPUT -m state --state NEW -j HOST_INCOMING",
"-F HOST_INCOMING",
"-A HOST_INCOMING -p tcp --dport 22 -j ACCEPT",
"-A HOST_INCOMING -p icmp -j ACCEPT",
"-P OUTPUT DROP",
"-F OUTPUT",
"-A OUTPUT -m state --state INVALID -j DROP",
"-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
"-A OUTPUT -m state --state NEW -j HOST_OUTBOUND",
"-F HOST_OUTBOUND",
"-A HOST_OUTBOUND -p udp --dport 53 -j ACCEPT",
"-A HOST_OUTBOUND -p tcp --dport 80 -j ACCEPT",
"-A HOST_OUTBOUND -p udp --dport 123 -j ACCEPT",
"-A HOST_OUTBOUND -p tcp --dport 443 -j ACCEPT",
"-A HOST_OUTBOUND -p icmp -j ACCEPT",
"-P FORWARD DROP"
]
},
None of the HOST_INCOMING or HOST_OUTBOUND port specific rules end up in iptables, and the default policy for INPUT and OUTPUT stay as ACCEPT instead of DROP. I also don't see the HOST_INCOMING or HOST_OUTBOUND chains at all. I'll paste my iptables-save output at the bottom of the ticket. My config at this point is just the initialization block, container_to_wider_world and container_to_host with a default policy of ACCEPT, and the two container port forwards from my previous issue.
# Generated by iptables-save v1.4.21 on Wed Dec 30 19:51:26 2015
*nat
:PREROUTING ACCEPT [57:3644]
:INPUT ACCEPT [22:1069]
:OUTPUT ACCEPT [34:2417]
:POSTROUTING ACCEPT [14:692]
:DFWFW_POSTROUTING - [0:0]
:DFWFW_PREROUTING - [0:0]
-A PREROUTING -j DFWFW_PREROUTING
-A POSTROUTING -j DFWFW_POSTROUTING
-A DFWFW_POSTROUTING -o eth0 -j MASQUERADE
-A DFWFW_PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.17.0.2:25
-A DFWFW_PREROUTING -i eth0 -p tcp -m tcp --dport 2500 -j DNAT --to-destination 172.17.0.2:25
COMMIT
# Completed on Wed Dec 30 19:51:26 2015
# Generated by iptables-save v1.4.21 on Wed Dec 30 19:51:26 2015
*filter
:INPUT ACCEPT [690:199320]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [528:200092]
:DFWFW_FORWARD - [0:0]
:DFWFW_INPUT - [0:0]
-A INPUT -j DFWFW_INPUT
-A FORWARD -j DFWFW_FORWARD
-A DFWFW_FORWARD -m state --state INVALID -j DROP
-A DFWFW_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DFWFW_FORWARD -i docker0 -o eth0 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p tcp -m tcp --dport 25 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p tcp -m tcp --dport 25 -j ACCEPT
-A DFWFW_FORWARD -j DROP
-A DFWFW_INPUT -i docker0 -j ACCEPT
COMMIT
# Completed on Wed Dec 30 19:51:26 2015
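Both initialization blocks on this page feed raw iptables-restore lines to dfwfw, and iptables-restore rejects an entire table when one of its lines does not parse, so checking the array before deploying avoids a firewall that silently stays unapplied. This checker is an added example, not part of dfwfw; the built-in chain and target sets are assumptions covering only the common cases, and the sample lines are constructed in the shape of the blocks above.

```python
import re
import shlex

# Chains and targets iptables provides itself; anything else must be declared
# with a ":NAME - [0:0]" line earlier in the same table (assumed minimal sets).
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG",
                   "DNAT", "SNAT", "MASQUERADE", "REDIRECT"}

def check_filter_lines(lines):
    """Return [(line, problem)] for a dfwfw "initialization" -> "filter" array.

    Catches two mistakes that make iptables-restore reject the whole table:
    a long option typed with one dash (e.g. "-dport") and a chain that is
    used or jumped to without a preceding ":CHAIN - [0:0]" declaration."""
    declared = set(BUILTIN_CHAINS)
    problems = []
    for line in lines:
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0].startswith(":"):            # ":NAME - [0:0]" declaration
            declared.add(tokens[0][1:])
            continue
        for tok in tokens:
            if re.fullmatch(r"-[A-Za-z]{2,}", tok):
                problems.append((line, f"{tok} looks like a mistyped --{tok[1:]}"))
        for flag in ("-A", "-I", "-D", "-F", "-P"):
            if flag in tokens and tokens.index(flag) + 1 < len(tokens):
                chain = tokens[tokens.index(flag) + 1]
                if chain not in declared:
                    problems.append((line, f"chain {chain} is not declared"))
        if "-j" in tokens and tokens.index("-j") + 1 < len(tokens):
            target = tokens[tokens.index("-j") + 1]
            if target not in BUILTIN_TARGETS and target not in declared:
                problems.append((line, f"jump target {target} is not declared"))
    return problems

# Constructed sample: a single-dash "-dport" and a jump to an undeclared chain.
SAMPLE_FILTER = [
    ":DFWFW_INPUT - [0:0]",
    ":HOST_INCOMING - [0:0]",
    "-P INPUT DROP",
    "-A INPUT -j DFWFW_INPUT",
    "-A INPUT -m state --state NEW -j HOST_INCOMING",
    "-A HOST_INCOMING -p tcp -s 10.8.3.0/24 -dport 22 -j ACCEPT",
    "-A OUTPUT -m state --state NEW -j HOST_OUTBOUND",
]
```

Running `check_filter_lines(SAMPLE_FILTER)` reports the `-dport` token and the undeclared HOST_OUTBOUND jump, and returns an empty list for a clean block.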
Could not start the dfwfw container when I try:
docker run \
--name=dfwfw -d \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /path/to/your/dfwfw.conf:/etc/dfwfw/dfwfw.conf \
--net=host \
--cap-add=NET_ADMIN \
dfwfw
Can't locate WebService/Docker/API.pm in @inc (you may need to install the WebService::Docker::API module) (@inc contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.20.2 /usr/local/share/perl/5.20.2 /usr/lib/x86_64-linux-gnu/perl5/5.20 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.20 /usr/share/perl/5.20 /usr/local/lib/site_perl . /opt/dfwfw /opt/dfwfw/WebServiceDocker /opt/dfwfw/ConfigHostsFile /opt/dfwfw/PreJSON) at /opt/dfwfw/dfwfw.pl line 14.
BEGIN failed--compilation aborted at /opt/dfwfw/dfwfw.pl line 14.
I want to forward a port from one container to another. I did something like this:
"container_dnat": {
"rules": [
{
"filter": "-p tcp --dport 5001",
"src_network": "bridge",
"src_container": "src",
"dst_network": "bridge",
"dst_container": "dst",
"expose_port": "5001/tcp"
}
]
}
I have a server listening on dst:5001 and I want to connect to src:5001 from inside src. The above does not work. What changes should I make to get it working?
Moreover, I see these rules generated by dfwfw:
-A DFWFW_PREROUTING -i docker0 -p tcp -m tcp --dport 5001 -j DNAT --to-destination 172.17.0.3:5001
-A DFWFW_FORWARD -s 172.17.0.2/32 -d 172.17.0.3/32 -i docker0 -o docker0 -p tcp -m tcp --dport 5001 -j ACCEPT
What am I missing?
How to use this with ferm?
Just leave the docker container running in the background and it will notice and correct any iptables rules ferm has reset?
Hi, I wonder if you could point me in the right direction here. I'm unable to get any of my config files applied to iptables; even the most simple examples all seem to give me the same errors relating to initializing: "Error occurred at line: 2".
My server is running OpenVPN and I basically want to lock down external access, basically making this an intranet group of containers. But Docker wants things public, which brings me here. It's worth mentioning that all this worked fine before I turned off iptables support for Docker, which is a prerequisite for this I gather. My OpenVPN server is also confirmed to be working.
Here's an extract of the errors...
docker_firewall | COMMIT
docker_firewall |
docker_firewall |
docker_firewall | [Wed Jan 9 17:53:23 2019] ERROR: iptables-restore v1.4.21: iptables-restore: unable to initialize table 'filter'
docker_firewall |
docker_firewall | Error occurred at line: 2
docker_firewall | Try `iptables-restore -h' or 'iptables-restore --help' for more information.
docker_firewall |
docker_firewall | [Wed Jan 9 17:53:23 2019] commiting to nat table:
docker_firewall |
docker_firewall | *nat
docker_firewall | ################ DFWFW_PREROUTING head:
docker_firewall | -F DFWFW_PREROUTING
docker_firewall |
docker_firewall | ################ wider_world_to_container:
docker_firewall | # #1: host:80 -> nginx:80 / tcp
docker_firewall | -A DFWFW_PREROUTING -i eth0 -p tcp --dport 80 -s 91.234.214.2 -j DNAT --to-destination 172.18.0.3:80
docker_firewall | # #2: host:443 -> nginx:443 / tcp
docker_firewall | -A DFWFW_PREROUTING -i eth0 -p tcp --dport 443 -s 91.234.214.2 -j DNAT --to-destination 172.18.0.3:443
docker_firewall | # #3: host:80 -> nginx:80 / tcp
docker_firewall | -A DFWFW_PREROUTING -i eth0 -p tcp --dport 80 -s 81.140.34.59 -j DNAT --to-destination 172.18.0.3:80
docker_firewall | # #4: host:443 -> nginx:443 / tcp
docker_firewall | -A DFWFW_PREROUTING -i eth0 -p tcp --dport 443 -s 81.140.34.59 -j DNAT --to-destination 172.18.0.3:443
docker_firewall |
docker_firewall |
docker_firewall |
docker_firewall | COMMIT
docker_firewall |
docker_firewall |
docker_firewall | [Wed Jan 9 17:53:23 2019] ERROR: iptables-restore v1.4.21: iptables-restore: unable to initialize table 'nat'
Docker version 18.09.0, build 4d60db4
Debian GNU/Linux 9 \n \l
docker-compose version 1.23.2, build 1110ad01
dfwfw.conf:
{
  "wider_world_to_container": {
    "rules": [
      { "network": "sd_services", "dst_container": "nginx", "filter": "-s 81.140.34.52", "expose_port": 80 },
      { "network": "sd_services", "dst_container": "nginx", "filter": "-s 81.140.34.52", "expose_port": 443 }
    ]
  },
  "container_to_wider_world": { "default_policy": "ACCEPT" },
  "container_to_container": {
    "rules": [
      { "network": "sd_services", "src_container": "nginx", "dst_container": "somecontainer", "filter": "-p tcp --dport 80 -m state --state NEW", "action": "ACCEPT" },
      { "network": "sd_services", "src_container": "somecontainer", "dst_container": "mariadb", "filter": "-p tcp --dport 3306 -m state --state NEW", "action": "ACCEPT" }
    ]
  }
}
I've disabled iptables on Docker without issue by editing /etc/docker/daemon.json and restarting the server. Something of note is that I'm using the ufw firewall and have one POSTROUTING entry in my before rules which allows me to use my OpenVPN server:
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
I can't say I know a great deal about iptables, which is why I was hoping to get your nice container to do this for me. I don't suppose you have any suggestions?
I used the pull request to get your container 'docker pull irsl/dfwfw' but it shows it was updated 20 months ago. Is that right?
Many thanks for any advice you might have!