Docker not working after firewall deployed | FWCloud Forum

KAI

Member
First - I have attached the "policy script" for your review. (see far bottom)

....................................................................................................................................

Second - Here is the configuration, which is just like your instructions (see below)

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

....................................................................................................................................



Third - Following your instructions, I should not be able to ping until the firewall is configured - see below

sysadmin@test-fwcloud-u20:~$ sudo docker exec -it lucid_nash /bin/bash
root@46c7091f2789:/# ping -c 2 google.com
ping: google.com: Temporary failure in name resolution
root@46c7091f2789:/# ping -c 2 google.com
ping: google.com: Temporary failure in name resolution

....................................................................................................................................



Fourth - I'm not understanding how the "Translated Source" works or what it needs to be configured to.



Fifth - I am aware that the policy script log that's attached says echo "WARNING: IPTables not disabled in Docker configuration." I'm not sure if this is an error or just a notification.

...........................................................
 

Carles Munyoz

Administrator
Staff member
It would help us if you explain more about your Docker installation:
- Linux Distribution.
- Docker version.
- Docker containers.
- Etc.
 

KAI

Member
- Linux Distribution.
Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-132-generic x86_64)

- Docker version.
Client: Docker Engine - Community
Version: 20.10.21
API version: 1.41
Go version: go1.18.7
Git commit: baeda1f
Built: Tue Oct 25 18:02:21 2022
OS/Arch: linux/amd64
Context: default
Experimental: true

- Docker containers.
ubuntu /lucid_nash
 

KAI

Member
sysadmin@test-fwcloud-u20:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 96:da:bb:0b:df:fb brd ff:ff:ff:ff:ff:ff
inet 192.168.1.22/24 brd 192.168.1.255 scope global dynamic ens18
valid_lft 71785sec preferred_lft 71785sec
inet6 fe80::94da:bbff:fe0b:dffb/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:7b:d5:bb:b9 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:7bff:fed5:bbb9/64 scope link
valid_lft forever preferred_lft forever
5: veth3e10db8@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 32:18:2b:0f:68:52 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::3018:2bff:fe0f:6852/64 scope link
 

Carles Munyoz

Administrator
Staff member
Have you checked that the next option is present in your `/etc/docker/daemon.json` Docker config file?
JSON:
{
  "iptables": false
}
 

KAI

Member
Yes, it is set

..........................................
sysadmin@test-fwcloud-u20:~$ vi /etc/docker/daemon.json
.........................................

{
"iptables": false
}
 

Carles Munyoz

Administrator
Staff member
Ok, great.

Now I need to know what you want to do.
Do you want to allow Internet access to your Docker container?
Do you need to allow access to the service supplied by the Docker container?

Can you send me screenshots of the policy rules created?
I need to see the Options tab of your firewall config.
 

KAI

Member
I would like to accomplish both: Docker container Internet access and the service supplied by the Docker container.

See attachment: You need to change to .docx
 

Carles Munyoz

Administrator
Staff member
Ok, let's go first with the service supplied by the Docker container.
How are you accessing this service?

I need to see the Options tab of your firewall config.
 

KAI

Member
See attachment

When you say service are you talking about the service the container is providing? If so, it varies, it could be a web application (e.g. fwcloud).
 

Attachments: FW_O.PNG (22.4 KB)

Carles Munyoz

Administrator
Staff member
Ok, the configuration option for IPv4 forwarding is enabled. It is necessary for the containers' communication with the Internet.

Yes, I'm talking about the service provided by the container. For example, if your container is a MySQL server, its service is supplied on TCP port 3306 (if you have not mapped it to another one).

With your current firewall policy for the INPUT chain you should be able to access the container service by means of the IP of your host, that is to say, by means of the IP 192.168.1.22.
Have you verified whether you can access the container's service using this IP?
 

Carles Munyoz

Administrator
Staff member
Ok, then the only problem you have is with the communication from the Docker container to the Internet, is that correct?
 

Carles Munyoz

Administrator
Staff member
I think that you have an error in the SNAT rule.
If you look at our FWCloud & Docker integration documentation you will see that in the `Translated source` field of the SNAT rule you have to put the IP address of your LAN interface (in your case 192.168.1.22). But in your SNAT rule such field is empty.

Please try it and let me know if this solves the problem.
 

KAI

Member
Translated source added - However, there's a syntax error at the bottom of the log.
  • [11:20:00] - OUTPUT CHAIN:
  • [11:20:00] - Rule 1 (ID: 13)
  • [11:20:00] - Rule 2 (ID: 15)
  • [11:20:00] - FORWARD CHAIN:
  • [11:20:00] - Rule 1 (ID: 9)
  • [11:20:00] - Rule 2 (ID: 18)
  • [11:20:00] - Rule 3 (ID: 11)
  • [11:20:00] - NAT TABLE (IPv4):
  • [11:20:00] - SNAT:
  • [11:20:00] - Rule 1 (ID: 17)
  • [11:20:00] - DNAT:
  • [11:20:00] -
  • [11:20:00] -
  • [11:20:00] - FILTER TABLE (IPv6):
  • [11:20:00] - INPUT CHAIN:
  • [11:20:00] - Rule 1 (ID: 2)
  • [11:20:00] - Rule 2 (ID: 4)
  • [11:20:00] - Rule 3 (ID: 6)
  • [11:20:00] - Rule 4 (ID: 8)
  • [11:20:00] - OUTPUT CHAIN:
  • [11:20:00] - Rule 1 (ID: 14)
  • [11:20:00] - Rule 2 (ID: 16)
  • [11:20:00] - FORWARD CHAIN:
  • [11:20:00] - Rule 1 (ID: 10)
  • [11:20:00] - Rule 2 (ID: 12)
  • [11:20:00] - NAT TABLE (IPv6):
  • [11:20:00] - SNAT:
  • [11:20:00] - DNAT:
  • [11:20:00] - Success in compilation of firewall 'test-fwcloud-u20'
  • [11:20:00] - Starting installation of firewall 'test-fwcloud-u20'
  • [11:20:00] - Uploading firewall policy (192.168.1.22)
  • ./tmp/fwcloud.sh: 230: Syntax error: "(" unexpected (expecting "}")
  • [11:20:01] - Success in installation of firewall 1 (test-fwcloud-u20)
 

Carles Munyoz

Administrator
Staff member
Is your FWCloud installation updated to the latest one?
Which version do you have (you can see it in the About button)?

Can you paste here the fwcloud.sh script so that I can analyze it?
You can get it using the option to view it in the right button menu over your firewall.
 

Carles Munyoz

Administrator
Staff member
Look at line 230 of your firewall policy load script:
Bash:
$IPTABLES -A INPUT -i ens18 (LAN) -d 192.168.1.22 -m conntrack --ctstate NEW -j ACCEPT

You have named your network interface ens18 (LAN), but this is a mistake; you should name it as it is really named in your firewall, that is: ens18

You can add a LABEL to the network interface that will be shown when you use it in the firewall policy, as shown in the next screenshot:

Captura de pantalla 2022-12-05 a las 19.02.27.png
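The two fixes discussed in this thread (the SNAT rule whose translated source is the LAN interface address, and the requirement that the interface name in the generated script is the bare kernel name `ens18`, not the label `ens18 (LAN)`) put together as an added example. This is not the fwcloud.sh script that FWCloud generates and not Carles' code; it assumes the names and addresses shown earlier in the thread (ens18 / 192.168.1.22, docker0 / 172.17.0.0/16) and a DRY_RUN variable introduced here, which defaults to printing the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not FWCloud's generated fwcloud.sh: the minimal iptables rules a host
# needs so that a container on docker0 can reach the Internet when the Docker daemon
# runs with "iptables": false. Names and addresses are the ones shown in this thread;
# DRY_RUN is an assumed variable (default 1: print the rules instead of applying them).

LAN_IF="ens18"            # real kernel name, NOT the FWCloud label "ens18 (LAN)"
LAN_IP="192.168.1.22"     # SNAT translated source = address of the LAN interface
DOCKER_IF="docker0"
DOCKER_NET="172.17.0.0/16"
IPTABLES="${IPTABLES:-iptables}"

# A kernel interface name never contains spaces or parentheses; rejecting anything
# else here catches the "ens18 (LAN)" mistake before it becomes a shell syntax error
# like the one at line 230 of the uploaded policy script.
valid_ifname() {
  case "$1" in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the rule set (one command per line) after validating the interface names.
docker_rules() {
  for ifn in "$LAN_IF" "$DOCKER_IF"; do
    valid_ifname "$ifn" || { echo "invalid interface name: '$ifn'" >&2; return 1; }
  done
  cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
$IPTABLES -A FORWARD -i $DOCKER_IF -o $LAN_IF -s $DOCKER_NET -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $DOCKER_NET -o $LAN_IF -j SNAT --to-source $LAN_IP
EOF
}

# Apply the rules, or only show them when DRY_RUN=1 (the default).
apply_docker_rules() {
  rules=$(docker_rules) || return 1
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$rules"
  else
    printf '%s\n' "$rules" | sh -e
  fi
}

apply_docker_rules
```

The first FORWARD rule is what lets new connections from the container out through the LAN interface; the "Temporary failure in name resolution" seen in the container is a DNS query that never got forwarded, so it is covered by the same rule. The SNAT rule rewrites the container's 172.17.x.x source to 192.168.1.22, which is exactly the value that was missing from the Translated source field. Running with DRY_RUN=0 applies the rules with root privileges on the host; the default only prints them for review.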
 