Linux host firewalls and Docker containers (IPv4 and IPv6)

I recently tried to set up a cloud server with some basic Nginx reverse proxy in Docker. Before that I thought that Docker and Linux firewalls would just work together flawlessly but I was wrong and some research was required to find a maintainable and elegant solution that doesn't break on firewall and container restarts.



# Issue

I used firewalld in the past because it just worked for me. While setting up the server I allowed traffic for my custom SSH port and nothing else. That worked. Then I set up my Nginx reverse proxy. After that I could also access ports 80 and 443 because I mapped those ports in my docker-compose.yaml. But wait a minute I didn't enable those ports in my firewall, why does that work? What if I want to apply more filters to those connections? I want a centralized and easy to understand view of my open ports. When I looked into firewall-cmd --list-all-zones, iptables -L and iptables-save it was all rather complicated and unmanageable.



# First part of the solution for IPv4

I found this GitHub issue and was a bit relieved to see that others noticed that issue (https://github.com/firewalld/firewalld/issues/461). And I also found several posts about similar issues with ufw. There was a link to a possible solution which inspired me to implement it the way I did: https://unrouted.io/2017/08/15/docker-firewall/

What seems to cause the issue is that Docker does quite a lot with plain old iptables rules which doesn't go that well with other firewall management solutions.

So the solution is going back to also manually only work with just iptables as the linked post suggests. Short summary of the article (but I recommend you to read it): Everything going to Docker doesn't go through the INPUT chain but only the FORWARD chain. Docker will heavily change the FORWARD chain so we won't touch that to not break Docker on firewall reloads. But Docker offers a chain DOCKER-USER which is inserted first into the FORWARD chain and where nothing is automatically inserted so we can work with that. But we want only one firewall chain to manage INPUT and DOCKER-USER. So we create a chain FILTERS that is the target for DOCKER-USER and INPUT. That way we can put all our firewall rules there.

We create a configuration and later a custom systemd service to apply it. First the configuration for iptables. Put this in e.g. `/etc/iptables/iptables.conf`.

*filter
# all our chains with their default actions
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]

# first flush all chains that we will touch to have a clean setup
-F INPUT
-F DOCKER-USER
-F FILTERS

# accept local loopback traffic and if you want it also ping otherwise remove
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
# the important part, go to chain FILTERS
-A INPUT -j FILTERS

# when something comes into the external interface to the FORWARD chain
# (which will first put it into the DOCKER-USER chain), also use chain FILTERS
-A DOCKER-USER -i YOUR_EXTERNAL_INTERFACE_NAME_ETH0 -j FILTERS

# our firewall rules go here, I allowed ping
# first accept all packets for ESTABLISHED and RELATED connection states
-A FILTERS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# now all our firewall rules that will apply to our host listening to ports
# as well as Docker hosts listening, just some examples
-A FILTERS -m conntrack --ctstate NEW -s 1.2.3.4/32 -m tcp -p tcp --dport 22 -j ACCEPT
-A FILTERS -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A FILTERS -j DROP

COMMIT


# Second part of the solution for IPv6

If you now disable and stop your firewall service like firewalld and apply this configuration you have an issue that isn't mentioned in the article: If your host has a public IPv6 address, it is now completely unprotected. All chains on ACCEPT by default. You can access all docker hosts because the

traffic first goes through the ip6tables and then through the FORWARD chain of the iptables but then it will already look like it came from the internal dynamic Docker bridge interface and we don't filter for it because we only filtered for the external interface. This took me a while to figure it out because the first step will obviously not appear in your IPv4 iptables LOG if you use it.

Docker doesn't change anything in your IPv6 firewall configuration and all incoming traffic only needs to go through the INPUT chain. So we need a separate configuration for IPv6, e.g. `/etc/iptables/ip6tables.conf`. I'll apply the same configuration here as above.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

-F INPUT
-F FORWARD
-F OUTPUT

-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -s 1.2.3.4/32 -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT

COMMIT

Now we also have protected IPv6. Yes these are 2 configuration files and you could certainly automate the shared part of those two. But it's a really simple policy and you only need to take care of certain parts so that's OK for me.



# Putting it all together

Now we just need the systemd service (or a similar noscript for whatever init system you're on). E.g. `/etc/systemd/system/iptables.service`:

[Unit]
Denoscription=Restore iptables firewall rules
Before=network-pre.target

[Service]
Type=oneshot
ExecStartPre=/sbin/ip6tables-restore -n /etc/ip6tables.conf
ExecStart=/sbin/iptables-restore -n /etc/iptables.conf

[Install]
WantedBy=multi-user.target

Disable you're current firewall service now, e.g.

sudo systemctl stop firewalld
sudo systemctl disable firewalld


Now we load, start and enable our service:

sudo systemctl daemon-reload
sudo systemctl start iptables
sudo systemctl enable iptables

For every firewall change you want to perform, change the iptables.conf and ip6tables.conf and restart your iptables service:

sudo systemctl restart iptables

Nothing will break for any reloads or restarts. Docker service restarts, iptables service restarts, container runs etc., it will stay the way you configured it.


I hope this helps you in setting this up as much as the article helped me. And now I'll try to find out how the f%#* libvirt firewall rules are put together...

https://redd.it/g1oi2a
@r_linux

Battery life on the pinephone is starting to look good! I got 10h+ with 35% left this morning! Crust × repowerd is aweseome! Even notifications works!
https://redd.it/g1plmh
@r_linux

GNOME OS on Pinebook Pro
https://valentindavid.com/posts/2020-04-14-gnome-os-pinebook-pro/

https://redd.it/g1qqz6
@r_linux

Slow download speeds

Moved from Windows 10 to Manjaro and noticed that my download speeds decreased massively. On Windows I got around 2.1MB/s and on Manjaro I'm getting around 0.2MB/s.

If anyone knows of any fixes for this I would be very grateful

https://redd.it/g1qoi6
@r_linux

GNU Guix 1.1.0 released
https://guix.gnu.org/blog/2020/gnu-guix-1.1.0-released/

https://redd.it/g1tijb
@r_linux

deepin v20 beta released, you can try it now.

​

>deepin is a Linux distribution devoted to providing beautiful, easy to use, safe and reliable system for global users.
>
>deepin 20 Beta comes with a unified design style and redesigns the desktop environment and applications, bringing a brand new interactive experience. Besides that, the underlying repository and kernel are upgraded to Debian 10 and Kernel 5.3 respectively. The continuously optimized system offers a richer application ecosystem and better system stability. What is more, there are some new applications for users.

[DEEPIN 20 BETA—— NEW AND AWESOME](https://www.deepin.org/en/2020/04/15/deepin-20-beta/)

https://redd.it/g1tmul
@r_linux

ELN Buildroot and Compose
https://fedoraproject.org/wiki/Changes/ELN_Buildroot_and_Compose

https://redd.it/g1vfak
@r_linux

Students under quarantine are limited or need to change operating system in order to follow lessons or take exams?

Also would you like to share your story?

Here is mine: I live in Italy and I presented my master degree final dissertation almost one month ago at home on Zoom, before all the privacy-related problems emerged.
I had no issue with the platform and all the things required: webcam, microphone and screen sharing worked and were recognized correctly under openSuse Tumbleweed.

Thanks and stay home!

https://redd.it/g1qd0z
@r_linux

[OC]Linux kernel commits as of 5.7-rc1 by author's email domain name,for domains with >= 5000 commits.
https://redd.it/g1xt7s
@r_linux

Webtatic PHP repo

Anyone use the webtatic repository for PHP? There hasnt been any updates in January and no 7.3 or 7.4 branches added; anyone know if this repo is being abandoned?

All evidence leads to yes, but I wanted to see if anyone had heard or knew anything.

https://redd.it/g1zqr3
@r_linux

This popped up when I tried installing crouton via the terminal.
https://redd.it/g212ij
@r_linux

Why don't some websites work on Linux?

I'm not talking about failing to load because of something weird with network configuration, I'm talking about not letting you use the site because of Linux, or constantly telling you to "upgrade to a supported OS"

For example, Xfinity's Stream wouldn't work if you used Linux. It works now, but why didn't it used to work?

Same thing with this site: [https://www.pearsonmylabandmastering.com/](https://www.pearsonmylabandmastering.com/) we use it for math in high school, and when you go there on Linux, a popup comes up that says Linux isn't supported. Why does the OS matter? I can understand popups about outdated browsers, but the OS being the problem doesn't make sense to me.
I feel like just changing your user agent would fix this (I'm yet to test it)

https://redd.it/g21i7c
@r_linux

“Quick, take the guy on the left, I’ve got the...the, damned blue screen again.”
https://redd.it/g21k86
@r_linux

GitHub slashes prices and makes all its ‘core’ features free
https://www.fastcompany.com/90490727/github-slashes-prices-and-makes-all-its-core-features-free

https://redd.it/g2504x
@r_linux

Screen brightness AND temperature on oled screen

Hi all. I've recently bought a Dell xps 15 7590 with 4k oled screen, installed arch and was wondering if there is any way I could adjust screen brightness and temperature at the same time. I was always using f.lux back on my mac to make screen warmer so that it's easier on my eyes while also keeping brightness at around 50%. So on linux default brightness controls don't work for oled screens (values in /sys/class/backlight/intel\_backlight/ are changing but make no effect) and I started changing it manually with xrandr, which I'm okay with. The problem is that Night Color (kde) and f.lux are changing it back to 100% once in a while which makes them useless for me. I know that I could change gamma with xrandr but it's suboptimal because white color doesn't get warmer at all, it just makes grey ugly brownish. I didn't find any answer in google so decided to ask you guys. If this is not a proper sub please redirect me. Any info is much appreciated

https://redd.it/g250d2
@r_linux

Swipe gestures to turn up the volume

I'm recently have installed ubuntu and I miss the swipe four fingers up to turn up volume like it was on my windows trackpad, I followed a tutorial in a video but I can't find a command to do this (the video [https://www.youtube.com/watch?v=ArBCfhVsTZw](https://www.youtube.com/watch?v=ArBCfhVsTZw)) I already have the gestures app installed.

https://redd.it/g26n4f
@r_linux

Would you use a Microsoft-created Windows compatibility layer? Why or why not?

I just had this idea in my head that a few years ago I would have thought impossible, but now I'm not so sure. With how much Microsoft seems to be embracing Linux, what would you do if they made an alternative to WINE with near 100% compatibility? Would you use it? What if it was a paid or subnoscription service? Really curious what people would think of this as it doesn't sound as crazy of an idea as it used to. Granted, I still think its highly unlikely, but I just can't imagine it as impossible anymore.

https://redd.it/g27wzd
@r_linux

Switch To Linux Cheat Sheet - Windows/Mac Exclusive Apps Alternative
https://www.yourtechshow.com/2019/07/switch-to-linux-cheat-sheet-windowsmac.html?m=1

https://redd.it/g27cba
@r_linux

The KWinFT project - KWin fork
https://subdiff.org/blog/2020/the-k-win-ft-project/

https://redd.it/g24hf3
@r_linux

I've got a colleague that refuses to use Windows

Hi all, I'm not sure it is the right subreddit.

I work in a company that mainly makes software but we also do some mechanical stuff (I think they use AutoCad). We have some very qualified engineers for that part of the work. We also use some other programs that the Company has paid a lot of money (I can't remember which ones). Unfortunately non of those can work on Linux.

The rest of the work (software development) is done on Linux but our engineers and managers switch on Windows when they want to use those expensive programs. For example, to change things, etc. Now, we have this guy who refuses to use those programs that the company has bought because he hates Windows. Instead, he finds alternatives that work on Linux and sometimes are not compatible in terms of the exported-final files which means the company ends up with bunch of different files that are not compatible between them.

And the rest of the team does not have so much expertise as they do on the other expensive programs. We are talking about licenses here and programs that are on the top lists on well-paid positions in big companies. The company didn't mind to pay at all back then when they started business and they will pay again to continue using those programs. It's all about quality and of course, support. And of course the cooperation between other companies that uses the same programs. It's a standard in the market I guess. And why he does that? Because nobody says anything. Lack of management I think?

I came here to ask, how normal is that behaviour? People who use Linux daily, have you done something similar?

https://redd.it/g2araw
@r_linux