From 306fc455aa766038da0a173b483dc6f49d5d7ef4 Mon Sep 17 00:00:00 2001
From: "Oliver G. Mueller"
Date: Fri, 6 Mar 2026 12:24:45 +0100
Subject: [PATCH 1/2] fixed change due to new Docker version 29.3.0 introducing DOCKER-INTERNAL
---
 roles/iptables-docker/files/awk.firewall | 72 ++++++++++++++----------
 1 file changed, 43 insertions(+), 29 deletions(-)
diff --git a/roles/iptables-docker/files/awk.firewall b/roles/iptables-docker/files/awk.firewall
index c341fa1..4ce3f49 100644
--- a/roles/iptables-docker/files/awk.firewall
+++ b/roles/iptables-docker/files/awk.firewall
@@ -1,31 +1,45 @@
 {
- if ( $0 ~ /^*/ ) {
- in_nat=0
- in_filter=0
- }
- if ( $0 ~ /^*filter/ ) {
- in_filter=1
- in_nat=0
- print "*filter"
- print ":DOCKER-USER - [0:0]"
- print ":DOCKER - [0:0]"
- print ":DOCKER-INGRESS - [0:0]"
- print ":DOCKER-ISOLATION-STAGE-2 - [0:0]"
- print ":DOCKER-ISOLATION-STAGE-1 - [0:0]"
- print ":FORWARD DROP [0:0]"
- }
- if ( $0 ~ /^*nat/ ) {
- in_nat=1
- in_filter=0
- print "*nat"
- print ":PREROUTING ACCEPT [0:0]"
- print ":OUTPUT ACCEPT [0:0]"
- print ":POSTROUTING ACCEPT [0:0]"
- print ":DOCKER - [0:0]"
- print ":DOCKER-INGRESS - [0:0]"
- }
- if (in_nat==1 && ($3 ~ /^(POSTROUTING|PREROUTING|DOCKER|DOCKER-INGRESS|OUTPUT)$/)) {print $0}
- if (in_filter==1 && ($3 ~ /^(FORWARD|DOCKER-ISOLATION-STAGE-1|DOCKER-ISOLATION-STAGE-2|DOCKER|DOCKER-INGRESS|DOCKER-USER)$/)) {print $0}
- if (in_nat==1 && $0 ~ /^COMMIT/ ) {print "COMMIT"}
- if (in_filter==1 && $0 ~ /^COMMIT/ ) {print "COMMIT"}
+ if ( $0 ~ /^*/ ) {
+ in_nat=0
+ in_filter=0
+ }
+ if ( $0 ~ /^*filter/ ) {
+ in_filter=1
+ in_nat=0
+ print "*filter"
+ print ":DOCKER-USER - [0:0]"
+ print ":DOCKER - [0:0]"
+ print ":DOCKER-BRIDGE - [0:0]"
+ print ":DOCKER-CT - [0:0]"
+ print ":DOCKER-FORWARD - [0:0]"
+ print ":DOCKER-INGRESS - [0:0]"
+ print ":DOCKER-INTERNAL - [0:0]"
+ print ":FORWARD DROP [0:0]"
+ }
+ if ( $0 ~ /^*nat/ ) {
+ in_nat=1
+ in_filter=0
+ print "*nat"
+ print ":PREROUTING ACCEPT [0:0]"
+ print ":OUTPUT ACCEPT [0:0]"
+ print ":POSTROUTING ACCEPT [0:0]"
+ print ":DOCKER - [0:0]"
+ print ":DOCKER-INGRESS - [0:0]"
+ }
+ if (in_nat==1 && ($3 ~ /^(POSTROUTING|PREROUTING|DOCKER|DOCKER-INGRESS|OUTPUT)$/)) {print $0}
+ if (in_filter==1) {
+ if ($3 ~ /^(DOCKER-INTERNAL|DOCKER|DOCKER-BRIDGE|DOCKER-CT|DOCKER-FORWARD|DOCKER-INGRESS|DOCKER-USER)$/) {
+ print $0
+ } else if ($5 ~ /^(DOCKER|DOCKER-BRIDGE|DOCKER-CT|DOCKER-FORWARD|DOCKER-INGRESS|DOCKER-USER)$/) {
+ print $0
+ } else {
+ if ($7 ~ /^DOCKER$/) {
+ bridge=$5
+ print last_line
+ }
+ if (length(bridge) >0 && $5 == bridge) {
print $0
+ }
+ }
+ }
 }
From 42391199ce9b4f59dc99f28ff6c2af1e4cc71c51 Mon Sep 17 00:00:00 2001
From: "Oliver G. Mueller"
Date: Fri, 6 Mar 2026 12:24:56 +0100
Subject: [PATCH 2/2] fixed change due to new Docker version 29.3.0 introducing DOCKER-INTERNAL
---
 README.md | 362 ++++++++++++++++++++++++++++++-----------------
 src/awk.firewall | 5 +-
 2 files changed, 235 insertions(+), 132 deletions(-)
diff --git a/README.md b/README.md
index ae426de..c9c4a37 100644
--- a/README.md
+++ b/README.md
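Review bot: The new side of this hunk never emits `COMMIT` for either table: the two removed lines `if (in_nat==1 && $0 ~ /^COMMIT/ ) {print "COMMIT"}` and `if (in_filter==1 && $0 ~ /^COMMIT/ ) {print "COMMIT"}` have no replacement, so unless the wrapper that feeds this output to iptables-restore appends COMMIT itself, the generated *nat and *filter sections cannot be loaded and the host ends up without the intended rules. `last_line` is read in `print last_line` but is never assigned anywhere in the file (the hunk covers all 45 lines), so that branch prints an empty line; it needs `last_line=$0` as the final statement of the action block. With Docker 29.3 the `-o <bridge> -j DOCKER` rules now live in DOCKER-BRIDGE (see the README dump in PATCH 2/2), which the `$3` test already accepts, so the `$7 ~ /^DOCKER$/` bridge-tracking branch looks unreachable and could be dropped or documented as a compatibility path for older daemons. The chain list here (DOCKER-BRIDGE, DOCKER-CT, DOCKER-FORWARD) also differs from the one PATCH 2/2 gives src/awk.firewall, so the two copies of this filter will produce different rulesets from the same iptables-save dump.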
@@ -30,39 +30,63 @@ Docker is utilizing the iptables "nat" to resolve packets from and to its contai sudo iptables -L Chain INPUT (policy ACCEPT) -target prot opt source destination +target prot opt source destination Chain FORWARD (policy DROP) -target prot opt source destination -DOCKER-USER all -- anywhere anywhere -DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere -ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED -DOCKER all -- anywhere anywhere -ACCEPT all -- anywhere anywhere -ACCEPT all -- anywhere anywhere +target prot opt source destination +DOCKER-USER all -- anywhere anywhere +DOCKER-FORWARD all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) -target prot opt source destination +target prot opt source destination + +Chain DOCKER (6 references) +target prot opt source destination +DROP all -- anywhere anywhere +DROP all -- anywhere anywhere +DROP all -- anywhere anywhere +DROP all -- anywhere anywhere +DROP all -- anywhere anywhere +DROP all -- anywhere anywhere + +Chain DOCKER-BRIDGE (1 references) +target prot opt source destination +DOCKER all -- anywhere anywhere +DOCKER all -- anywhere anywhere +DOCKER all -- anywhere anywhere +DOCKER all -- anywhere anywhere +DOCKER all -- anywhere anywhere +DOCKER all -- anywhere anywhere + +Chain DOCKER-CT (1 references) +target prot opt source destination +ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED +ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED +ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED +ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED +ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED +ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED -Chain DOCKER (1 references) -target prot opt source destination +Chain DOCKER-FORWARD (1 references) +target prot opt source destination +DOCKER-CT all -- anywhere anywhere +DOCKER-INTERNAL all -- anywhere anywhere +DOCKER-BRIDGE all -- anywhere anywhere +ACCEPT all -- anywhere anywhere 
+ACCEPT all -- anywhere anywhere +ACCEPT all -- anywhere anywhere +ACCEPT all -- anywhere anywhere +ACCEPT all -- anywhere anywhere +ACCEPT all -- anywhere anywhere Chain DOCKER-INGRESS (0 references) -target prot opt source destination +target prot opt source destination -Chain DOCKER-ISOLATION-STAGE-1 (1 references) -target prot opt source destination -DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere -RETURN all -- anywhere anywhere - -Chain DOCKER-ISOLATION-STAGE-2 (1 references) -target prot opt source destination -DROP all -- anywhere anywhere -RETURN all -- anywhere anywhere +Chain DOCKER-INTERNAL (1 references) +target prot opt source destination Chain DOCKER-USER (1 references) -target prot opt source destination -RETURN all -- anywhere anywhere +target prot opt source destination ``` now for example we have the need to expose our nginx container to the world: @@ -88,7 +112,7 @@ curl -v http://192.168.25.200:8080 > Host: 192.168.25.200:8080 > User-Agent: curl/7.68.0 > Accept: */* -> +> * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Server: nginx/1.21.1 @@ -99,7 +123,7 @@ curl -v http://192.168.25.200:8080 < Connection: keep-alive < ETag: "60e46fc5-264" < Accept-Ranges: bytes -< +< @@ -134,7 +158,7 @@ iptables -L ... Chain DOCKER (1 references) -target prot opt source destination +target prot opt source destination ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http ... ``` 
@@ -144,55 +168,85 @@ a new rule is appeared, but is not the only rule added to our chains. To get a more detailed view of our iptables chain we can dump the full iptables rules with *iptables-save*: ``` -# Generated by iptables-save v1.8.4 on Thu Oct 14 12:32:46 2021 +# Generated by iptables-save v1.8.10 (nf_tables) on Fri Mar 6 12:16:37 2026 *mangle -:PREROUTING ACCEPT [33102:3022248] -:INPUT ACCEPT [33102:3022248] +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [33514:4701594] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [32349:12119113] -:POSTROUTING ACCEPT [32357:12120329] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:FWKNOP_NFQ - [0:0] +[33514:4701594] -A INPUT -j FWKNOP_NFQ +[0:0] -A FWKNOP_NFQ -i br0 -p udp -m udp --dport 12210 -j NFQUEUE --queue-num 1 COMMIT -# Completed on Thu Oct 14 12:32:46 2021 -# Generated by iptables-save v1.8.4 on Thu Oct 14 12:32:46 2021 -*nat -:PREROUTING ACCEPT [1:78] -:INPUT ACCEPT [1:78] -:OUTPUT ACCEPT [13:1118] -:POSTROUTING ACCEPT [13:1118] -:DOCKER - [0:0] -:DOCKER-INGRESS - [0:0] --A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER --A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE --A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE --A DOCKER -i docker0 -j RETURN --A DOCKER ! 
-i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80 +# Completed on Fri Mar 6 12:16:37 2026 +# Generated by iptables-save v1.8.10 (nf_tables) on Fri Mar 6 12:16:37 2026 +*raw +:PREROUTING ACCEPT [57595:26221084] +:OUTPUT ACCEPT [0:0] COMMIT -# Completed on Thu Oct 14 12:32:46 2021 -# Generated by iptables-save v1.8.4 on Thu Oct 14 12:32:46 2021 +# Completed on Fri Mar 6 12:16:37 2026 +# Generated by iptables-save v1.8.10 (nf_tables) on Fri Mar 6 12:16:37 2026 *filter -:INPUT ACCEPT [4758:361293] +:INPUT ACCEPT [0:0] :FORWARD DROP [0:0] -:OUTPUT ACCEPT [4622:357552] +:OUTPUT ACCEPT [0:0] :DOCKER - [0:0] +:DOCKER-BRIDGE - [0:0] +:DOCKER-CT - [0:0] +:DOCKER-FORWARD - [0:0] :DOCKER-INGRESS - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] :DOCKER-USER - [0:0] --A FORWARD -j DOCKER-USER --A FORWARD -j DOCKER-ISOLATION-STAGE-1 --A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A FORWARD -o docker0 -j DOCKER --A FORWARD -i docker0 ! -o docker0 -j ACCEPT --A FORWARD -i docker0 -o docker0 -j ACCEPT --A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-1 -j RETURN --A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP --A DOCKER-ISOLATION-STAGE-2 -j RETURN --A DOCKER-USER -j RETURN +[0:0] -A FORWARD -j DOCKER-USER +[0:0] -A FORWARD -j DOCKER-FORWARD +[0:0] -A DOCKER ! -i br-baef2cb29018 -o br-baef2cb29018 -j DROP +[0:0] -A DOCKER ! -i br-e5b29bd951c3 -o br-e5b29bd951c3 -j DROP +[0:0] -A DOCKER ! -i br-4d0679d79983 -o br-4d0679d79983 -j DROP +[0:0] -A DOCKER ! -i br-a5cd193ce8e6 -o br-a5cd193ce8e6 -j DROP +[0:0] -A DOCKER ! -i br-b8d6b06b61ae -o br-b8d6b06b61ae -j DROP +[0:0] -A DOCKER ! 
-i docker0 -o docker0 -j DROP +[0:0] -A DOCKER-BRIDGE -o br-baef2cb29018 -j DOCKER +[0:0] -A DOCKER-BRIDGE -o br-e5b29bd951c3 -j DOCKER +[0:0] -A DOCKER-BRIDGE -o br-4d0679d79983 -j DOCKER +[0:0] -A DOCKER-BRIDGE -o br-a5cd193ce8e6 -j DOCKER +[0:0] -A DOCKER-BRIDGE -o br-b8d6b06b61ae -j DOCKER +[0:0] -A DOCKER-BRIDGE -o docker0 -j DOCKER +[0:0] -A DOCKER-CT -o br-baef2cb29018 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o br-e5b29bd951c3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o br-4d0679d79983 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o br-a5cd193ce8e6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o br-b8d6b06b61ae -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-FORWARD -j DOCKER-CT +[0:0] -A DOCKER-FORWARD -j DOCKER-INTERNAL +[0:0] -A DOCKER-FORWARD -j DOCKER-BRIDGE +[0:0] -A DOCKER-FORWARD -i br-baef2cb29018 -j ACCEPT +[0:0] -A DOCKER-FORWARD -i br-e5b29bd951c3 -j ACCEPT +[0:0] -A DOCKER-FORWARD -i br-4d0679d79983 -j ACCEPT +[0:0] -A DOCKER-FORWARD -i br-a5cd193ce8e6 -j ACCEPT +[0:0] -A DOCKER-FORWARD -i br-b8d6b06b61ae -j ACCEPT +[0:0] -A DOCKER-FORWARD -i docker0 -j ACCEPT +COMMIT +# Completed on Fri Mar 6 12:16:37 2026 +# Generated by iptables-save v1.8.10 (nf_tables) on Fri Mar 6 12:16:37 2026 +*nat +:PREROUTING ACCEPT [11:1139] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [1:48] +:POSTROUTING ACCEPT [1:48] +:DOCKER - [0:0] +:DOCKER-INGRESS - [0:0] +[0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER +[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER +[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE +[0:0] -A POSTROUTING -s 172.21.0.0/16 ! -o br-e5b29bd951c3 -j MASQUERADE +[0:0] -A POSTROUTING -s 172.20.0.0/16 ! -o br-a5cd193ce8e6 -j MASQUERADE +[0:0] -A POSTROUTING -s 172.25.0.0/16 ! 
-o br-baef2cb29018 -j MASQUERADE +[0:0] -A POSTROUTING -s 172.19.0.0/16 ! -o br-b8d6b06b61ae -j MASQUERADE +[0:0] -A POSTROUTING -s 172.18.0.0/16 ! -o br-4d0679d79983 -j MASQUERADE COMMIT -# Completed on Thu Oct 14 12:32:46 2021 +# Completed on Fri Mar 6 12:16:37 2026 ``` in our dump we can see some other rules added by docker: 
@@ -200,34 +254,55 @@ in our dump we can see some other rules added by docker: **DOCKER-INGRESS (nat table)** ``` --A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE --A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE --A DOCKER -i docker0 -j RETURN --A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80 +[0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER +[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER +[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE +[0:0] -A POSTROUTING -s 172.21.0.0/16 ! -o br-e5b29bd951c3 -j MASQUERADE +[0:0] -A POSTROUTING -s 172.20.0.0/16 ! -o br-a5cd193ce8e6 -j MASQUERADE +[0:0] -A POSTROUTING -s 172.25.0.0/16 ! -o br-baef2cb29018 -j MASQUERADE +[0:0] -A POSTROUTING -s 172.19.0.0/16 ! -o br-b8d6b06b61ae -j MASQUERADE +[0:0] -A POSTROUTING -s 172.18.0.0/16 ! -o br-4d0679d79983 -j MASQUERADE ``` **DOCKER-USER (filter table)** ``` --A FORWARD -j DOCKER-USER --A FORWARD -j DOCKER-ISOLATION-STAGE-1 --A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A FORWARD -o docker0 -j DOCKER --A FORWARD -i docker0 ! -o docker0 -j ACCEPT --A FORWARD -i docker0 -o docker0 -j ACCEPT --A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-1 -j RETURN --A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP --A DOCKER-ISOLATION-STAGE-2 -j RETURN --A DOCKER-USER -j RETURN +[0:0] -A FORWARD -j DOCKER-USER +[0:0] -A FORWARD -j DOCKER-FORWARD +[0:0] -A DOCKER ! -i br-baef2cb29018 -o br-baef2cb29018 -j DROP +[0:0] -A DOCKER ! -i br-e5b29bd951c3 -o br-e5b29bd951c3 -j DROP +[0:0] -A DOCKER ! -i br-4d0679d79983 -o br-4d0679d79983 -j DROP +[0:0] -A DOCKER ! -i br-a5cd193ce8e6 -o br-a5cd193ce8e6 -j DROP +[0:0] -A DOCKER ! -i br-b8d6b06b61ae -o br-b8d6b06b61ae -j DROP +[0:0] -A DOCKER ! 
-i docker0 -o docker0 -j DROP +[0:0] -A DOCKER-BRIDGE -o br-baef2cb29018 -j DOCKER +[0:0] -A DOCKER-BRIDGE -o br-e5b29bd951c3 -j DOCKER +[0:0] -A DOCKER-BRIDGE -o br-4d0679d79983 -j DOCKER +[0:0] -A DOCKER-BRIDGE -o br-a5cd193ce8e6 -j DOCKER +[0:0] -A DOCKER-BRIDGE -o br-b8d6b06b61ae -j DOCKER +[0:0] -A DOCKER-BRIDGE -o docker0 -j DOCKER +[0:0] -A DOCKER-CT -o br-baef2cb29018 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o br-e5b29bd951c3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o br-4d0679d79983 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o br-a5cd193ce8e6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o br-b8d6b06b61ae -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-FORWARD -j DOCKER-CT +[0:0] -A DOCKER-FORWARD -j DOCKER-INTERNAL +[0:0] -A DOCKER-FORWARD -j DOCKER-BRIDGE +[0:0] -A DOCKER-FORWARD -i br-baef2cb29018 -j ACCEPT +[0:0] -A DOCKER-FORWARD -i br-e5b29bd951c3 -j ACCEPT +[0:0] -A DOCKER-FORWARD -i br-4d0679d79983 -j ACCEPT +[0:0] -A DOCKER-FORWARD -i br-a5cd193ce8e6 -j ACCEPT +[0:0] -A DOCKER-FORWARD -i br-b8d6b06b61ae -j ACCEPT +[0:0] -A DOCKER-FORWARD -i docker0 -j ACCEPT ``` to explore in detail how iptables and docker work: * Docker [docs](https://docs.docker.com/network/iptables/) * Docker forum [question](https://forums.docker.com/t/understanding-iptables-rules-added-by-docker/77210) -* [gist](https://gist.github.com/x-yuri/abf90a18895c62f8d4c9e4c0f7a5c188) from x-yuri +* [gist](https://gist.github.com/x-yuri/abf90a18895c62f8d4c9e4c0f7a5c188) from x-yuri * argus-sec.com [post](https://argus-sec.com/docker-networking-behind-the-scenes/) ### The problem @@ -272,8 +347,7 @@ for table nat: for table filter: * FORWARD -* DOCKER-ISOLATION-STAGE-1 -* DOCKER-ISOLATION-STAGE-2 +* DOCKER-INTERNAL * DOCKER * DOCKER-INGRESS * DOCKER-USER 
@@ -284,7 +358,7 @@ for table filter: **NOTE** this kind of install use a static file (src/iptables-docker.sh). By default **only** ssh access to local machine is allowd. To allow specific traffic you have to edit manually this file with your own rules: -``` +``` # Other firewall rules # insert here your firewall rules $IPT -A INPUT -p tcp --dport 1234 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT @@ -295,7 +369,7 @@ for table filter: To install iptables-docker on a local machine, clone this repository and run *sudo sh install.sh* ``` -sudo sh install.sh +sudo sh install.sh Set iptables to iptables-legacy Disable ufw,firewalld @@ -337,7 +411,7 @@ To start the service use: ``` sudo systemctl start iptables-docker -or +or sudo iptables-docker.sh start ``` @@ -347,7 +421,7 @@ To stop the srevice use: ``` sudo systemctl stop iptables-docker -or +or sudo iptables-docker.sh stop ``` 
@@ -359,55 +433,85 @@ Now if you turn off the firewall with *sudo systemctl stop iptables-docker* and ``` sudo iptables-save -# Generated by iptables-save v1.8.4 on Thu Oct 14 15:52:30 2021 +# Generated by iptables-save v1.8.10 (nf_tables) on Fri Mar 6 12:16:37 2026 *mangle -:PREROUTING ACCEPT [346:23349] -:INPUT ACCEPT [346:23349] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [340:24333] -:POSTROUTING ACCEPT [340:24333] -COMMIT -# Completed on Thu Oct 14 15:52:30 2021 -# Generated by iptables-save v1.8.4 on Thu Oct 14 15:52:30 2021 -*nat :PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] +:INPUT ACCEPT [33514:4701594] +:FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -:DOCKER - [0:0] -:DOCKER-INGRESS - [0:0] --A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER --A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE --A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE --A DOCKER -i docker0 -j RETURN --A DOCKER ! 
-i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80 +:FWKNOP_NFQ - [0:0] +[33514:4701594] -A INPUT -j FWKNOP_NFQ +[0:0] -A FWKNOP_NFQ -i br0 -p udp -m udp --dport 12210 -j NFQUEUE --queue-num 1 +COMMIT +# Completed on Fri Mar 6 12:16:37 2026 +# Generated by iptables-save v1.8.10 (nf_tables) on Fri Mar 6 12:16:37 2026 +*raw +:PREROUTING ACCEPT [57595:26221084] +:OUTPUT ACCEPT [0:0] COMMIT -# Completed on Thu Oct 14 15:52:30 2021 -# Generated by iptables-save v1.8.4 on Thu Oct 14 15:52:30 2021 +# Completed on Fri Mar 6 12:16:37 2026 +# Generated by iptables-save v1.8.10 (nf_tables) on Fri Mar 6 12:16:37 2026 *filter -:INPUT ACCEPT [357:24327] +:INPUT ACCEPT [0:0] :FORWARD DROP [0:0] -:OUTPUT ACCEPT [355:26075] +:OUTPUT ACCEPT [0:0] :DOCKER - [0:0] +:DOCKER-BRIDGE - [0:0] +:DOCKER-CT - [0:0] +:DOCKER-FORWARD - [0:0] :DOCKER-INGRESS - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] :DOCKER-USER - [0:0] --A FORWARD -j DOCKER-USER --A FORWARD -j DOCKER-ISOLATION-STAGE-1 --A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A FORWARD -o docker0 -j DOCKER --A FORWARD -i docker0 ! -o docker0 -j ACCEPT --A FORWARD -i docker0 -o docker0 -j ACCEPT --A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-1 -j RETURN --A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP --A DOCKER-ISOLATION-STAGE-2 -j RETURN --A DOCKER-USER -j RETURN +[0:0] -A FORWARD -j DOCKER-USER +[0:0] -A FORWARD -j DOCKER-FORWARD +[0:0] -A DOCKER ! -i br-baef2cb29018 -o br-baef2cb29018 -j DROP +[0:0] -A DOCKER ! -i br-e5b29bd951c3 -o br-e5b29bd951c3 -j DROP +[0:0] -A DOCKER ! -i br-4d0679d79983 -o br-4d0679d79983 -j DROP +[0:0] -A DOCKER ! -i br-a5cd193ce8e6 -o br-a5cd193ce8e6 -j DROP +[0:0] -A DOCKER ! -i br-b8d6b06b61ae -o br-b8d6b06b61ae -j DROP +[0:0] -A DOCKER ! 
-i docker0 -o docker0 -j DROP +[0:0] -A DOCKER-BRIDGE -o br-baef2cb29018 -j DOCKER +[0:0] -A DOCKER-BRIDGE -o br-e5b29bd951c3 -j DOCKER +[0:0] -A DOCKER-BRIDGE -o br-4d0679d79983 -j DOCKER +[0:0] -A DOCKER-BRIDGE -o br-a5cd193ce8e6 -j DOCKER +[0:0] -A DOCKER-BRIDGE -o br-b8d6b06b61ae -j DOCKER +[0:0] -A DOCKER-BRIDGE -o docker0 -j DOCKER +[0:0] -A DOCKER-CT -o br-baef2cb29018 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o br-e5b29bd951c3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o br-4d0679d79983 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o br-a5cd193ce8e6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o br-b8d6b06b61ae -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A DOCKER-FORWARD -j DOCKER-CT +[0:0] -A DOCKER-FORWARD -j DOCKER-INTERNAL +[0:0] -A DOCKER-FORWARD -j DOCKER-BRIDGE +[0:0] -A DOCKER-FORWARD -i br-baef2cb29018 -j ACCEPT +[0:0] -A DOCKER-FORWARD -i br-e5b29bd951c3 -j ACCEPT +[0:0] -A DOCKER-FORWARD -i br-4d0679d79983 -j ACCEPT +[0:0] -A DOCKER-FORWARD -i br-a5cd193ce8e6 -j ACCEPT +[0:0] -A DOCKER-FORWARD -i br-b8d6b06b61ae -j ACCEPT +[0:0] -A DOCKER-FORWARD -i docker0 -j ACCEPT +COMMIT +# Completed on Fri Mar 6 12:16:37 2026 +# Generated by iptables-save v1.8.10 (nf_tables) on Fri Mar 6 12:16:37 2026 +*nat +:PREROUTING ACCEPT [11:1139] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [1:48] +:POSTROUTING ACCEPT [1:48] +:DOCKER - [0:0] +:DOCKER-INGRESS - [0:0] +[0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER +[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER +[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE +[0:0] -A POSTROUTING -s 172.21.0.0/16 ! -o br-e5b29bd951c3 -j MASQUERADE +[0:0] -A POSTROUTING -s 172.20.0.0/16 ! -o br-a5cd193ce8e6 -j MASQUERADE +[0:0] -A POSTROUTING -s 172.25.0.0/16 ! 
-o br-baef2cb29018 -j MASQUERADE +[0:0] -A POSTROUTING -s 172.19.0.0/16 ! -o br-b8d6b06b61ae -j MASQUERADE +[0:0] -A POSTROUTING -s 172.18.0.0/16 ! -o br-4d0679d79983 -j MASQUERADE COMMIT -# Completed on Thu Oct 14 15:52:30 2021 +# Completed on Fri Mar 6 12:16:37 2026 ``` our container is still accesible form the outside: @@ -421,7 +525,7 @@ our container is still accesible form the outside: > Host: 192.168.25.200:8080 > User-Agent: curl/7.68.0 > Accept: */* -> +> * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Server: nginx/1.21.1 @@ -458,7 +562,7 @@ Docker interfaces are: * vethXXXXXX interfaces * br-XXXXXXXXXXX interfaces * docker0 interface -* docker_gwbridge interface +* docker_gwbridge interface ### Extending iptables-docker @@ -475,4 +579,4 @@ Run uninstall.sh #### Automated install (ansible) -set the variable "iptables_docker_uninstall" to "yes" into group_vars/all.yml and run the playbook. \ No newline at end of file +set the variable "iptables_docker_uninstall" to "yes" into group_vars/all.yml and run the playbook.
diff --git a/src/awk.firewall b/src/awk.firewall
index 409e926..91d593f 100644
--- a/src/awk.firewall
+++ b/src/awk.firewall
@@ -10,8 +10,7 @@
 print ":DOCKER-USER - [0:0]"
 print ":DOCKER - [0:0]"
 print ":DOCKER-INGRESS - [0:0]"
- print ":DOCKER-ISOLATION-STAGE-2 - [0:0]"
- print ":DOCKER-ISOLATION-STAGE-1 - [0:0]"
+ print ":DOCKER-INTERNAL - [0:0]"
 print ":FORWARD DROP [0:0]"
 }
 if ( $0 ~ /^*nat/ ) {
@@ -29,7 +28,7 @@
 if ($0 ~ /^COMMIT/ ) {print "COMMIT"}
 }
 if (in_filter==1) {
- if ($3 ~ /^(DOCKER-ISOLATION-STAGE-1|DOCKER-ISOLATION-STAGE-2|DOCKER|DOCKER-INGRESS|DOCKER-USER)$/) {
+ if ($3 ~ /^(DOCKER-INTERNAL|DOCKER|DOCKER-INGRESS|DOCKER-USER)$/) {
 print $0
 } else {
 if ($7 ~ /^DOCKER$/) {
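Review bot: Both src/awk.firewall hunks only swap the two DOCKER-ISOLATION chains for `DOCKER-INTERNAL`, but the iptables-save dump added to README.md in this same commit shows Docker 29.3 also creating DOCKER-BRIDGE, DOCKER-CT and DOCKER-FORWARD with rules in each, and PATCH 1/2 teaches roles/iptables-docker/files/awk.firewall about exactly those chains. As written, this copy drops every rule in those three chains (the `$3` test in the second hunk rejects them) and never declares them, so the local-install path likely restores a ruleset that lacks Docker's conntrack-accept and per-bridge forwarding rules while the ansible path keeps them. The first hunk should print `":DOCKER-BRIDGE - [0:0]"`, `":DOCKER-CT - [0:0]"` and `":DOCKER-FORWARD - [0:0]"` alongside DOCKER-INTERNAL, and the second should use the same list as the roles copy, `if ($3 ~ /^(DOCKER-INTERNAL|DOCKER|DOCKER-BRIDGE|DOCKER-CT|DOCKER-FORWARD|DOCKER-INGRESS|DOCKER-USER)$/) {`. Whether `-A FORWARD -j DOCKER-FORWARD` survives depends on the else branch, whose body ends outside this hunk.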