Need help with configuring firewall, running docker apps

Installing and Using OpenWrt Network and Wireless Configuration
1

I am toying around with Docker on OWRT, while the learning curve is steep, i come along and have now successfully running nginx (yeah, i am aware that there is a Owrt package), primarily as proxy and ycast, more to come.
There remain however questions regarding the firewall, which right now, i am a bit clueless about. The docker config tells me, that by default, docker ignores all firewall rules, following a firewall configuration. I thought, that would probably mean, that every rule regarding the wan interface would be somehow applied to the docker0 device.

However, docker opens Ports for all running services, in my case 80 and 443 for nginx (which is ok) but also 8181 for ycast, which I don't want to expose to the outside, it should only be available internal, through nginx, so I want that port blocked.

I tried by adding this rule to the firewall:

config rule
        option src 'wan'
        option dest_port '8181'
        option target 'DROP'
        option name 'Ycast Port'

But still, using online portscanner show that port as opened.

So, what am I doing wrong? Right now, I don't want to fix that on docker side, by either modifying my docker-compose files or completely disable fw rules there, but rather would like to know which rules I would have to apply to block port 8181 (and other in the future).

2

What is the output of iptables-save -c ?

3

Hope it's ok to post the output here. Mostly Standard OWRT Install config, just added a rule to block Port 8181, which does not work.

# Generated by iptables-save v1.8.7 on Mon Nov 29 13:35:14 2021
*nat
:PREROUTING ACCEPT [12373:1290812]
:INPUT ACCEPT [2355:181262]
:OUTPUT ACCEPT [3258:246276]
:POSTROUTING ACCEPT [4690:805804]
:DOCKER - [0:0]
:postrouting_docker_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_docker_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_docker_postrouting - [0:0]
:zone_docker_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[5882:363308] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[12373:1290812] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[8517:1080585] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[3846:209627] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i docker0 -m comment --comment "!fw3" -j zone_docker_prerouting
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.21.0.0/16 ! -o br-b0868dd89a40 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.22.0.0/16 ! -o br-3016b6c9680c -j MASQUERADE
[0:0] -A POSTROUTING -s 172.21.0.2/32 -d 172.21.0.2/32 -p tcp -m tcp --dport 443 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.21.0.3/32 -d 172.21.0.3/32 -p tcp -m tcp --dport 8181 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.21.0.2/32 -d 172.21.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
[13214:1317373] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[4386:788285] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[8524:511569] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o docker0 -m comment --comment "!fw3" -j zone_docker_postrouting
[0:0] -A DOCKER -i docker0 -j RETURN
[10:600] -A DOCKER -i br-b0868dd89a40 -j RETURN
[0:0] -A DOCKER -i br-3016b6c9680c -j RETURN
[93:4996] -A DOCKER ! -i br-b0868dd89a40 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.21.0.2:443
[6:284] -A DOCKER ! -i br-b0868dd89a40 -p tcp -m tcp --dport 8181 -j DNAT --to-destination 172.21.0.3:8181
[122:6540] -A DOCKER ! -i br-b0868dd89a40 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.21.0.2:80
[0:0] -A zone_docker_postrouting -m comment --comment "!fw3: Custom docker postrouting rule chain" -j postrouting_docker_rule
[0:0] -A zone_docker_prerouting -m comment --comment "!fw3: Custom docker prerouting rule chain" -j prerouting_docker_rule
[4386:788285] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[8517:1080585] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[8524:511569] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[8524:511569] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[3846:209627] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Mon Nov 29 13:35:14 2021
# Generated by iptables-save v1.8.7 on Mon Nov 29 13:35:14 2021
*mangle
:PREROUTING ACCEPT [7854819:9129584296]
:INPUT ACCEPT [12773:1045565]
:FORWARD ACCEPT [7849728:9130339670]
:OUTPUT ACCEPT [10421:895963]
:POSTROUTING ACCEPT [7859535:9131203415]
[1927:112592] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1892:112000] -A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Nov 29 13:35:14 2021
# Generated by iptables-save v1.8.7 on Mon Nov 29 13:35:14 2021
*filter
:INPUT ACCEPT [10:600]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:600]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:forwarding_docker_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_docker_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_docker_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_docker_dest_ACCEPT - [0:0]
:zone_docker_dest_REJECT - [0:0]
:zone_docker_forward - [0:0]
:zone_docker_input - [0:0]
:zone_docker_output - [0:0]
:zone_docker_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[146:10950] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[12637:1035135] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[3813:443685] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3050:126780] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[3154:307750] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[5660:283100] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i docker0 -m comment --comment "!fw3" -j zone_docker_input
[7849729:9130340269] -A FORWARD -j DOCKER-USER
[7849729:9130340269] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[928:95363] -A FORWARD -o br-b0868dd89a40 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[221:12028] -A FORWARD -o br-b0868dd89a40 -j DOCKER
[1030:192230] -A FORWARD -i br-b0868dd89a40 ! -o br-b0868dd89a40 -j ACCEPT
[0:0] -A FORWARD -i br-b0868dd89a40 -o br-b0868dd89a40 -j ACCEPT
[0:0] -A FORWARD -o br-3016b6c9680c -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-3016b6c9680c -j DOCKER
[0:0] -A FORWARD -i br-3016b6c9680c ! -o br-3016b6c9680c -j ACCEPT
[0:0] -A FORWARD -i br-3016b6c9680c -o br-3016b6c9680c -j ACCEPT
[7847549:9130040049] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[7829802:9126427961] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[17747:3612088] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i docker0 -m comment --comment "!fw3" -j zone_docker_forward
[146:10950] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[10284:886445] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[7059:640703] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[19:6278] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[3196:238864] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o docker0 -m comment --comment "!fw3" -j zone_docker_output
[93:5100] -A DOCKER -d 172.21.0.2/32 ! -i br-b0868dd89a40 -o br-b0868dd89a40 -p tcp -m tcp --dport 443 -j ACCEPT
[6:296] -A DOCKER -d 172.21.0.3/32 ! -i br-b0868dd89a40 -o br-b0868dd89a40 -p tcp -m tcp --dport 8181 -j ACCEPT
[122:6632] -A DOCKER -d 172.21.0.2/32 ! -i br-b0868dd89a40 -o br-b0868dd89a40 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[1030:192230] -A DOCKER-ISOLATION-STAGE-1 -i br-b0868dd89a40 ! -o br-b0868dd89a40 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-3016b6c9680c ! -o br-3016b6c9680c -j DOCKER-ISOLATION-STAGE-2
[7849731:9130340421] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-b0868dd89a40 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-3016b6c9680c -j DROP
[1030:192230] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[0:0] -A DOCKER-USER -i eth0 -o docker0 -j REJECT --reject-with icmp-port-unreachable
[7849729:9130340269] -A DOCKER-USER -j RETURN
[4842:198407] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[277:45247] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[3050:126780] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_docker_dest_ACCEPT -o docker0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_docker_dest_REJECT -o docker0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_docker_forward -m comment --comment "!fw3: Custom docker forwarding rule chain" -j forwarding_docker_rule
[0:0] -A zone_docker_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_docker_forward -m comment --comment "!fw3" -j zone_docker_dest_REJECT
[0:0] -A zone_docker_input -m comment --comment "!fw3: Custom docker input rule chain" -j input_docker_rule
[0:0] -A zone_docker_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_docker_input -m comment --comment "!fw3" -j zone_docker_src_REJECT
[0:0] -A zone_docker_output -m comment --comment "!fw3: Custom docker output rule chain" -j output_docker_rule
[0:0] -A zone_docker_output -m comment --comment "!fw3" -j zone_docker_dest_ACCEPT
[0:0] -A zone_docker_src_REJECT -i docker0 -m comment --comment "!fw3" -j reject
[14845:3434199] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[17747:3612088] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[17747:3612088] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[14826:3427921] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[3154:307750] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3154:307750] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[19:6278] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[19:6278] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[3154:307750] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[614:32218] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[5503:390813] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[5660:283100] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[541:39446] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 8181 -m comment --comment "!fw3: Ycast Port" -j DROP
[0:0] -A zone_wan_input -p udp -m udp --dport 8181 -m comment --comment "!fw3: Ycast Port" -j DROP
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[5119:243654] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[3196:238864] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[3196:238864] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[5119:243654] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Nov 29 13:35:14 2021
4

Oh, just in Case, this is what the Docker configfile holds for firewall:

config firewall 'firewall'
        option device 'docker0'
        list blocked_interfaces 'wan'
#       option extra_iptables_args '--match conntrack ! --ctstate RELATED,ESTABLISHED' # allow outbound connections
5

Ok, this is a bigger problem then I thought, with an issue open since 2015. Right now, I work around by adding 127.0.0.1 to ports, eg.:

ports:
    - "127.0.0.1:8181:8181"

This seems to work so far, However, there are concerns that this might not be enough.

So, if anyone has a better idea which works together with OWRT, please post.

6

Can you try this one?
iptables -t nat -I DOCKER -i pppoe-wan -j RETURN
Simply run it after the firewall is up. Verify that it works indeed and we can make it more permanent.

1 Like
7

I thank you very much for trying to help me out.
In the meantime however, I gave up on docker bridge networks. I really don't want docker to mess around with FW settings. I completely switched to macvlan now, and it works surprisingly good, plus i have full control over IP and FW Rules.

2 Likes
8

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

9

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.