Docker and iptables
Something that came to bite me this week was Docker’s ability to insert its own iptables rules, completely bypassing firewall-cmd / ufw.
On this particular server I had LAN/WAN interfaces directly assigned, with the firewall policy configured so that HTTP/HTTPS traffic was allowed in on the public interface, while the internal interface accepted connections on 8080/8081 for some other internal services. Not on Docker’s watch!!
Docker added its own iptables rules around its bridge interface, which meant it would also pass connections on 8080/8081 on the WAN side! The reason is that a published port is handled by a DNAT rule in the nat table and the traffic is then forwarded to the container through the FORWARD chain, where Docker inserts its own chains ahead of whatever the distro firewall put there; the INPUT rules that ufw or firewalld manage never see it.
For mitigating this, the Docker daemon has an --iptables=false option (passed to dockerd, or set as "iptables": false in /etc/docker/daemon.json) that stops it touching iptables at all, though I read mixed feedback on this potentially causing other container issues. Those issues are real: with that setting Docker also stops adding the MASQUERADE and DNAT rules that give containers outbound access and make -p port publishing work, so they have to be written by hand. Docker’s own documented answer is the DOCKER-USER chain, which sits at the top of FORWARD, is evaluated before Docker’s rules and is never rewritten by Docker, so rules restricting published ports by interface or source belong there.
For mine, I resolved this by adding the specific listener IP into the Docker port binding, e.g. docker run -d -p 192.168.1.10:8080:8080
to only listen on the internal side, which caused it to adjust its iptables rules accordingly.
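To verify that every published port really was pinned to a host address, here is an added shell example that is not part of the original post. It audits the DNAT rules Docker writes for published ports and reports the ones with no destination match, which are the ones reachable on every interface, WAN included. It reads the output of iptables -t nat -S DOCKER from stdin; the function names and the sample rules embedded in it are constructed for illustration, and the 192.168.1.10 bind and the 172.17.0.x container addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit Docker's NAT rules for
# published ports that were not pinned to a host IP and so answer on every
# interface. Usage against a live host:
#   iptables -t nat -S DOCKER | sh audit.sh        (or: sh audit.sh live)
# Function names and the sample rules below are constructed for illustration.

# Docker writes one DNAT rule per published port. With `-p 8080:8080` the rule
# has no destination match; with `-p 192.168.1.10:8080:8080` Docker adds
# `-d 192.168.1.10/32`, which is what keeps the port off the WAN side.
# Constructed sample of `iptables -t nat -S DOCKER` output (assumed addresses):
SAMPLE_RULES='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:8080
-A DOCKER -d 192.168.1.10/32 ! -i docker0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.17.0.3:8081'

# Print "<proto>/<hostport> -> <container target>" for every DNAT rule on
# stdin that carries no -d restriction. " -d " with spaces does not match the
# "--dport" or "--to-destination" options, only a real destination match.
unbound_publishes() {
    grep -- '-j DNAT' | grep -v -- ' -d ' | awk '
        {
            proto = ""; dport = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            print proto "/" dport " -> " dest
        }'
}

# Exit status 0 when every DNAT rule on stdin is pinned to a host address,
# 1 when at least one published port is exposed on all interfaces.
check_publishes() {
    if [ -n "$(unbound_publishes)" ]; then
        return 1
    fi
    return 0
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_RULES" | unbound_publishes ;;
    live) iptables -t nat -S DOCKER | unbound_publishes ;;
esac
```

Run it with demo to see the sample audited: only the 8080 rule is reported, because the 8081 rule carries the -d 192.168.1.10/32 match that the host-IP binding produces. On a real host, any line it prints is a port that the distro firewall is not protecting, whatever ufw or firewalld say.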
One takeaway from this: be specific.