Hello,
So far we are using FWCloud for standalone web servers. Now we want to include a Docker Swarm cluster. But on these hosts Docker is modifying iptables too.
Code:
ubuntu@docker-mgr1-vm:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-INGRESS
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-INGRESS
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker_gwbridge -j DOCKER
-A FORWARD -i docker_gwbridge ! -o docker_gwbridge -j ACCEPT
-A FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP
-A DOCKER-INGRESS -p tcp -m tcp --dport 9443 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --sport 9443 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --sport 9000 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --sport 8000 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-INGRESS -j RETURN
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker_gwbridge ! -o docker_gwbridge -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker_gwbridge -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
After applying rules with the FWCloud UI, all these default rules are gone. That is understandable, but without these rules Docker Swarm is not working anymore.
So what would be the best way to let Docker do its stuff and also manage the incoming connections via the FWCloud UI?
Thanks!
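As an added example that is not part of the original post, FWCloud or Docker: the script below parses an `iptables -S` dump (an abridged copy of the one posted above, embedded as constructed input), lists the rules Docker owns so you can check what an FWCloud apply destroys, and generates rules for the DOCKER-USER chain, which is the chain Docker documents as the place for user rules that run before its own. The external interface name eth0 and the management network 10.0.0.0/8 are assumptions; the script only prints iptables commands and does not execute them.

```shell
#!/bin/sh
# Added example, not from the original post, FWCloud or Docker. It parses an
# `iptables -S` dump, lists the rules Docker owns (the ones a full flush
# destroys) and generates DOCKER-USER rules that restrict the swarm-published
# ports to a trusted network. It only prints commands; nothing touches the
# kernel until you review and run the output as root.

# Constructed input: an abridged copy of the dump from the post above, embedded
# so the script runs offline. Feed it `sudo iptables -S` on a real host instead.
DUMP='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-INGRESS
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-INGRESS
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker_gwbridge -j DOCKER
-A DOCKER-INGRESS -p tcp -m tcp --dport 9443 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --sport 9443 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER-INGRESS -j RETURN
-A DOCKER-USER -j RETURN'

# Rules Docker owns: the FORWARD DROP policy, every DOCKER* chain and rule,
# the FORWARD jumps into those chains and the FORWARD rules on Docker bridges.
# Diff this output before and after an FWCloud apply to see exactly what was lost.
docker_rules() {
    printf '%s\n' "$DUMP" | awk '
        $1 == "-P" && $2 == "FORWARD" { print; next }
        $1 == "-N" && $2 ~ /^DOCKER/ { print; next }
        $1 == "-A" && ($2 ~ /^DOCKER/ || $0 ~ /-j DOCKER/ || $0 ~ /docker(0|_gwbridge)/) { print }
    '
}

# TCP ports Docker accepts in the filter DOCKER-INGRESS chain, i.e. the ports
# the swarm publishes. That traffic is DNAT'd into the ingress network and
# traverses FORWARD, so INPUT rules never see it; DOCKER-USER is the hook.
published_ports() {
    printf '%s\n' "$DUMP" | awk '
        $2 == "DOCKER-INGRESS" && /--dport/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }' | sort -n -u
}

# DOCKER-USER rules: allow the trusted network to each published port, drop
# everybody else on that port, then RETURN so Docker's own chains run as usual.
# Matching the original (pre-DNAT) destination port via conntrack is the
# pattern Docker documents for DOCKER-USER. The chain is flushed first because
# rules appended after Docker's trailing RETURN would never be evaluated.
docker_user_rules() {
    iface=$1
    trusted=$2
    echo "iptables -F DOCKER-USER"
    for port in $(published_ports); do
        echo "iptables -A DOCKER-USER -i $iface -s $trusted -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j ACCEPT"
        echo "iptables -A DOCKER-USER -i $iface -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j DROP"
    done
    echo "iptables -A DOCKER-USER -j RETURN"
}

# Interface and management network are assumptions; override on the command line.
IFACE=${1:-eth0}
TRUSTED=${2:-10.0.0.0/8}
echo "# Docker-owned rules (gone after a full flush; a dockerd restart recreates them):"
docker_rules
echo "# DOCKER-USER rules to apply once Docker's chains exist:"
docker_user_rules "$IFACE" "$TRUSTED"
```

Run it as `sh docker-user-rules.sh eth0 192.0.2.0/24` to get the command list for your own interface and network. The first half is a checklist: if any of those lines is missing from `iptables -S` after FWCloud has applied its policy, swarm traffic will fail exactly as described in the post, and restarting the Docker daemon is the quickest way to get the chains back. The DOCKER-USER half is where the host-side filtering for published ports has to live, because Docker's DOCKER-INGRESS rules accept those ports on the forward path before any INPUT rule is consulted.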