How to configure firewalld with docker 20.10

Question

I realized that recently docker add integration with firewalld and I just want to setup my server using firewalld instead of iptables boring rules and chains.

This is my docker zone output:


root@test:~# sudo firewall-cmd --zone=docker --list-all 
docker (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: br-0a659f93a5b6 br-be2e44b2b069 docker0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

I had run multiple services including Laravel(nginx port binding 80 -> 5050), mysql, etc. with above config. I expect that anyone cannot access to port 5050, 3306(mysql) but unfortunately firewall has no effect and everything is open and accessible from outside.

and this is docker modules

Now How really configure firewalld to drop every request excepts allowed ports?

@Zanna_37 No I couldn't find any solution for this and I use [ufw-docker](https://github.com/chaifeng/ufw-docker) for this purpose. — Masoud Tavakkoli, Nov 30 '21 at 06:34

score 1 · Answer 1 · edited Mar 23 '23 at 01:23

1

In summary, the solution is:

Disable iptables in docker
Add masquerade to public zone
Add docker network interface to trusted zone
Add ethernet interface to public zone

I wrote an article about it here: https://dev.to/soerenmetje/how-to-secure-a-docker-host-using-firewalld-2joo

edited Mar 23 '23 at 01:23

sloppypasta

1,068
9
15

answered Mar 16 '23 at 14:21

Sören Metje

11
2

How to configure firewalld with docker 20.10

1 Answers1