Score:0

Persistent firewall rules for Docker based on the DPORT (before the NAT takes place)

ma

Struggling with firewall rules with Docker containers.

The set up is as follows.

Slim install of Debian 11 running Docker (standalone).
Installed on Docker are Portainer and 4 other web containers.
All are attached to a single bridged network called dkr-lan.

Ignoring the Portainer container, the other containers have the following ports mapped:

  • web01 8081:80
  • web02 8082:80
  • web03 8083:80
  • web04 8084:80

web01 and web03 can be publicly accessed from anywhere on ports 8081 and 8083.
However, web02 can only be accessed by two public IPs 1.2.3.4 and 1.2.3.5.
Likewise web04 can only be accessed by one public IP 1.2.3.4.

I am using iptables and initially tried setting up rules in the DOCKER-USER chain; however, this only seems to filter packets after the NAT has taken place, and since all containers after the NAT seem to use port 80, I couldn't work out how to ACCEPT web02 and web04 for those IPs and DROP the rest.

After a bit of searching, I started to think the best option was filtering in the PREROUTING chain, with rules like the ones below:

# For web01
iptables -t mangle -A PREROUTING -p TCP -s 0/0 --dport 8081 -j MARK --set-mark 1
# For web02
iptables -t mangle -A PREROUTING -p TCP -s 1.2.3.4 --dport 8082 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p TCP -s 1.2.3.5 --dport 8082 -j MARK --set-mark 1
# For web03
iptables -t mangle -A PREROUTING -p TCP -s 0/0 --dport 8083 -j MARK --set-mark 1
# For web04
iptables -t mangle -A PREROUTING -p TCP -s 1.2.3.4 --dport 8084 -j MARK --set-mark 1

#   Allow all traffic marked in the PREROUTING
#   Block all other traffic
iptables -A DOCKER-USER -m mark --mark 1 -j ACCEPT
iptables -A DOCKER-USER -p TCP --dport 8082 -j DROP
iptables -A DOCKER-USER -p TCP --dport 8084 -j DROP

I can see that incoming traffic is hitting the PREROUTING rules, as the counters are increasing, and that looks OK.

However, the blocks aren't working. This is because they're done in the DOCKER-USER chain, and by that stage they are after the NAT.

So how can I set up rules that allow IPs based on the DPORT and then block the rest, also based on the DPORT?

I'm guessing this has to be done in the PREROUTING chain?

It also needs to be persistent. As it is at the moment, every time I stop and start a container it seems to blat the firewall rules, and it's all open again to ALL. This is being done in the DOCKER chain, so I'm guessing I need to put my rules in PREROUTING or DOCKER-USER.

What am I missing?

mangohost
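One way to get per-IP allow-lists on the published ports, as an added example that is not part of the question above: keep the rules in DOCKER-USER, but instead of `--dport` match on the connection's original destination port with the conntrack match. DOCKER-USER hangs off the filter FORWARD chain, which runs after nat PREROUTING has already rewritten the destination to the container's port 80, so `--dport 8082` can never match there; conntrack, however, records the pre-NAT tuple when the first SYN is seen in PREROUTING, so `--ctorigdstport 8082` still matches in FORWARD. The external interface name (eth0), the IPT/EXT_IF variables, the POLICY table and the file name docker-user-policy.sh are assumptions made for this example; the ports and IPs mirror the question.

```shell
#!/bin/sh
# Added example (not from the question): per-source allow-lists for published
# Docker ports, applied in DOCKER-USER but matched on the port the client
# actually connected to, via conntrack's --ctorigdstport. That port is recorded
# when the connection is first seen in PREROUTING, so it is still 8082 in
# FORWARD/DOCKER-USER even though DNAT has rewritten --dport to 80.
#
# Assumptions: the public interface is eth0, and the POLICY table mirrors the
# ports and IPs from the question.

IPT="${IPT:-iptables}"     # set IPT=echo to print the rules instead of loading them
EXT_IF="${EXT_IF:-eth0}"   # assumed name of the host's public interface

# One line per published port: the port, then "any" or a comma-separated
# list of the source IPs allowed to reach it.
POLICY="
8081 any
8082 1.2.3.4,1.2.3.5
8083 any
8084 1.2.3.4
"

rule() { "$IPT" "$@"; }

# Emit the rules for one published port. Packets arriving on EXT_IF for that
# port are accepted from the listed sources and dropped from everyone else;
# "any" ports get a plain accept.
allow_port() {
    port=$1
    srcs=$2
    # Intentionally unquoted below so it splits into separate arguments.
    match="-i $EXT_IF -p tcp -m conntrack --ctdir ORIGINAL --ctorigdstport $port"
    if [ "$srcs" = any ]; then
        rule -A DOCKER-USER $match -j ACCEPT
        return 0
    fi
    for src in $(printf '%s' "$srcs" | tr ',' ' '); do
        rule -A DOCKER-USER -s "$src" $match -j ACCEPT
    done
    # Anyone else aiming at this published port is stopped here, before the
    # packet reaches Docker's own DOCKER chain (which would accept it).
    rule -A DOCKER-USER $match -j DROP
}

apply_policy() {
    # Docker creates DOCKER-USER at daemon start and does not flush it when
    # containers start or stop; create it here too so the script also works
    # before the daemon is up.
    rule -N DOCKER-USER 2>/dev/null || true
    rule -F DOCKER-USER
    # Replies and related packets for flows that were already accepted.
    rule -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Traffic that did not come in on the public interface (container to
    # container, LAN) is left to Docker's default rules.
    rule -A DOCKER-USER ! -i "$EXT_IF" -j RETURN
    printf '%s\n' "$POLICY" | while read -r port srcs; do
        if [ -n "$port" ]; then
            allow_port "$port" "$srcs"
        fi
    done
    # Hand anything still unmatched back to FORWARD, as Docker's own
    # default DOCKER-USER chain does.
    rule -A DOCKER-USER -j RETURN
}

# Usage:  sudo sh docker-user-policy.sh apply
#         IPT=echo sh docker-user-policy.sh apply   (preview the rules only)
case "${1:-}" in
    apply) apply_policy ;;
esac
```

Because these rules live in DOCKER-USER they survive container restarts: Docker only rewrites its own DOCKER chain when a container starts or stops. For reboots, run the script once the network is up (for example from a systemd unit ordered after docker.service, or from iptables-persistent's saved ruleset); either way the DOCKER-USER jump in FORWARD is added by the daemon when it starts, and the chain contents are left alone. Check the result with `iptables -L DOCKER-USER -nv`, where the counters on the `--ctorigdstport 8082` DROP rule should climb when a non-listed IP connects to port 8082.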

