You are not logged in.
- Topics: Active | Unanswered
#1 2025-03-27 19:23:53
- pentago
- Member
- From: Serbia
- Registered: 2013-10-31
- Posts: 35
- Website
iptables rules for host and docker services on same machine
I'm running a VM which exposes a couple of host-level services like sshd and rsyncd.
Also, I run a docker-compose project running nginx reverse proxy for bunch of other containers in the same project.
I'm having problems figuring out iptables rules for docker stuff where if I run an nginx reverse proxy container which is exposed at ports 80 and 443.
When I try removing iptables rules that allow traffic to these ports, it's like I did nothing and I'm still able to access web server, I wonder why is that?
Perhaps it's something in my rules or docker itself that borks the firewall and if possible, I'd like some help wit this as nothing I've read or tried yielded results.
Currently, I use these rules:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
# Accept related and established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow localhost and WireGuard interface
-A INPUT -i lo -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
# Drop invalid packets first
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# Allow host services
-A INPUT -p tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT
-A INPUT -p tcp --dport 873 -m comment --comment "Allow rsyncd" -j ACCEPT
-A INPUT -p udp --dport 51820 -m comment --comment "Allow WireGuard" -j ACCEPT
# Log unmatched packets
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "BLOCKED: "
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i br-+ -o ens3 -j ACCEPT
# Allow explicitly permitted container services
-A DOCKER-USER -p tcp --dport 80 -m comment --comment "Allow HTTP" -j ACCEPT
-A DOCKER-USER -p tcp --dport 443 -m comment --comment "Allow HTTPS" -j ACCEPT
-A DOCKER-USER -p tcp --dport 24456 -m comment --comment "Allow Peers TCP" -j ACCEPT
-A DOCKER-USER -p udp --dport 24456 -m comment --comment "Allow Peers UDP" -j ACCEPT
-A DOCKER-USER -p tcp --dport 50300 -m comment --comment "Allow Slskd TCP" -j ACCEPT
-A DOCKER-USER -p udp --dport 50300 -m comment --comment "Allow Slskd UDP" -j ACCEPT
-A DOCKER-USER -p tcp --dport 2022 -m comment --comment "Allow SFTPGo SFTP" -j ACCEPT
# Default deny
-A DOCKER-USER -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o ens3 -j MASQUERADE
COMMITAnything wrong with any of this that could help blocking access to a webserver?
Last edited by pentago (2025-03-27 19:48:16)
Offline
#2 2025-03-27 20:02:14
- -thc
- Member
- Registered: 2017-03-15
- Posts: 824
Re: iptables rules for host and docker services on same machine
In the first version of your post the ruleset allowed all incoming UDP/TCP connections (after the "ping" rule).
You edited the ruleset. Why?
Offline
#3 2025-03-27 20:49:26
- pentago
- Member
- From: Serbia
- Registered: 2013-10-31
- Posts: 35
- Website
Re: iptables rules for host and docker services on same machine
Its redundant. The issue exist both with and without it. Any particular reason you ask?
Offline
#4 2025-03-28 00:34:40
- dimich
- Member
- From: Kharkiv, Ukraine
- Registered: 2009-11-03
- Posts: 341
Re: iptables rules for host and docker services on same machine
Currently, I use these rules:
There are no any rule which references DOCKER-USER chain.
When I try removing iptables rules that allow traffic to these ports, it's like I did nothing and I'm still able to access web server, I wonder why is that?
From which host are you accessing web server? From the same host where these rules are applied? Your iptables is configured to accept all local traffic:
-A INPUT -i lo -j ACCEPT
If you are talking about access from other host, please desciribe your network topology in more detail.
Last edited by dimich (2025-03-28 00:40:51)
Offline
#5 2025-03-28 06:23:50
- -thc
- Member
- Registered: 2017-03-15
- Posts: 824
Re: iptables rules for host and docker services on same machine
Its redundant. The issue exist both with and without it. Any particular reason you ask?
Your first ruleset was consistent with the described behavior. The edited ruleset is not.
As dimich wrote, the chain "DOCKER-USER" is never referenced and thus unused. If you were changing rules inside this chain it would have had no effect at all.
Since docker may involve bridges you need "ebtables" to filter traffic flowing through them.
Offline
#6 2025-03-28 13:43:09
- pentago
- Member
- From: Serbia
- Registered: 2013-10-31
- Posts: 35
- Website
Re: iptables rules for host and docker services on same machine
Your first ruleset was consistent with the described behavior. The edited ruleset is not.
It is as removing nginx rules stil allow traffic to ports 80 and 443.
As dimich wrote, the chain "DOCKER-USER" is never referenced and thus unused. If you were changing rules inside this chain it would have had no effect at all.
Not sure what do you mean by "never referenced", there are number of rules in DOCKER-USER chain. Could you elaborate please?
Since docker may involve bridges you need "ebtables" to filter traffic flowing through them.
I never noticed ebtablea being mentioned in of dozens of guides I consulted, are you sure about this?
Offline
#7 2025-03-28 13:46:48
- pentago
- Member
- From: Serbia
- Registered: 2013-10-31
- Posts: 35
- Website
Re: iptables rules for host and docker services on same machine
From which host are you accessing web server? From the same host where these rules are applied? Your iptables is configured to accept all local traffic:
-A INPUT -i lo -j ACCEPT
If you are talking about access from other host, please desciribe your network topology in more detail.
I access host from my home and work machines.
Host is a VM on some small provider.
I want connectivity within host (host>containers
) and also connectivity between containers.
Ia that consistent with rules I shown?
Offline
#8 2025-03-28 15:19:50
- dimich
- Member
- From: Kharkiv, Ukraine
- Registered: 2009-11-03
- Posts: 341
Re: iptables rules for host and docker services on same machine
I access host from my home and work machines.
Is web server in container accessible from your home and work machines? According to rules in OP it shouldn't be, except from the same host and via WireGuard VPN.
I want connectivity within host (host>containers) and also connectivity between containers.
Is rules list shown in OP an output of iptables-save command or is it just content of /etc/iptables/iptables.rules ?
What network driver your docker containers use? I.e. one of these?
Do you have customized /etc/docker/daemon.json ?
Last edited by dimich (2025-03-28 16:58:49)
Offline
#9 2025-03-28 17:40:53
- pentago
- Member
- From: Serbia
- Registered: 2013-10-31
- Posts: 35
- Website
Re: iptables rules for host and docker services on same machine
pentago wrote:I access host from my home and work machines.
Is web server in container accessible from your home and work machines? According to rules in OP it shouldn't be, except from the same host and via WireGuard VPN.
pentago wrote:I want connectivity within host (host>containers) and also connectivity between containers.
Is rules list shown in OP an output of iptables-save command or is it just content of /etc/iptables/iptables.rules ?
What network driver your docker containers use? I.e. one of these?
Do you have customized /etc/docker/daemon.json ?
1. Web server is accessible to the entire internet and also from host - thats how I want it, I just want to be able to block access to it by deleting a rule (default deny policy).
2. OP rules are content of /etc/iptables/iptables.rules.
3. I think it uses bridge by default, I use this in my compose file:
networks:
default:
ipam:
config:
- subnet: 10.0.0.0/244. There's no /etc/docker/daemon.json present at all.
I noticed that after I apply my rules and either restart docker service or reboot, additional rule gets added to the DOCKER-USER chain after my final DROP rule which causes this problem because if I remove it manually things work as expected :
sudo iptables -S DOCKER-USER
-N DOCKER-USER
-A DOCKER-USER -p tcp -m set --match-set f2b-nginx-badbots src -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -p tcp -m set --match-set f2b-nginx-forbidden src -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -p tcp -m set --match-set f2b-nginx-bad-request src -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i br-+ -o ens3 -j ACCEPT
-A DOCKER-USER -p tcp -m tcp --dport 80 -m comment --comment "Allow HTTP" -j ACCEPT
-A DOCKER-USER -p tcp -m tcp --dport 443 -m comment --comment "Allow HTTPS" -j ACCEPT
-A DOCKER-USER -p tcp -m tcp --dport 24456 -m comment --comment "Allow Peers TCP" -j ACCEPT
-A DOCKER-USER -p udp -m udp --dport 24456 -m comment --comment "Allow Peers UDP" -j ACCEPT
-A DOCKER-USER -p tcp -m tcp --dport 50300 -m comment --comment "Allow Slskd TCP" -j ACCEPT
-A DOCKER-USER -p udp -m udp --dport 50300 -m comment --comment "Allow Slskd UDP" -j ACCEPT
-A DOCKER-USER -p tcp -m tcp --dport 2022 -m comment --comment "Allow SFTPGo SFTP" -j ACCEPT
-A DOCKER-USER -j DROP
-A DOCKER-USER -j RETURNAny idea how and why that rule gets added automatically and how do I prevent it?
Offline
#10 2025-03-28 18:57:57
- dimich
- Member
- From: Kharkiv, Ukraine
- Registered: 2009-11-03
- Posts: 341
Re: iptables rules for host and docker services on same machine
I noticed that after I apply my rules and either restart docker service or reboot, additional rule gets added to the DOCKER-USER chain after my final DROP rule which causes this problem because if I remove it manually things work as expected.
Any idea how and why that rule gets added automatically and how do I prevent it?
They are added by docker daemon. That's how bridge network driver works. See also Packet filtering and firewalls.
You can prevent iptables usage by specifying --iptables=false for docker daemon. It can be configured in /etc/docker/daemon.json:
# cat /etc/docker/daemon.json
{
"iptables": false
}Also you may want to add --ip6tables=false. List of docker daemon options can be found here.
Offline
#11 Yesterday 11:31:50
- pentago
- Member
- From: Serbia
- Registered: 2013-10-31
- Posts: 35
- Website
Re: iptables rules for host and docker services on same machine
@dimich @-thc
Nothing I tried worked nor I like telling Docker not to use iptables (Docker docs clearly advise against that).
This is what resolved the issue:
-A DOCKER-USER -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -m comment --comment "Allow HTTP" -j ACCEPT
-A DOCKER-USER -p tcp -m conntrack --ctorigdstport 443 --ctdir ORIGINAL -m comment --comment "Allow HTTPS" -j ACCEPTNow after I delete a rule, new connections get blocked by default.
Offline
#12 Yesterday 15:50:43
- -thc
- Member
- Registered: 2017-03-15
- Posts: 824
Re: iptables rules for host and docker services on same machine
Nothing I tried worked nor I like telling Docker not to use iptables (Docker docs clearly advise against that).
IMHO Docker networking sucks.
I still cannot make any sense of anything you posted but since you solved your problem I'm out.
Offline