Docker & Shorewall
I'm using Shorewall on my server as simple standalone firewall and would like to use Docker as well.
By using a Docker container and its port redirection docker sets up its own iptables rules/chains which will be killed if shorewall is restarted. So the container will become unreachable.
Does anyone managed to save/restore the docker rules upon a shorewall restart or does anyone have another workaround?
See also:
- Shorewall Mailinglist with similar question
- GitHub Issue #2801 @ dotcloud/docker
Solution 1:
The following configuration changes should ensure traffic flow between Docker and the Shorewall host. Tested on Shorewall 4.5.21.9 but should apply to most recent versions:
/etc/shorewall/shorewall.conf
Make sure IP forwarding is enabled (most config items are Yes/No, but this one is "On"):
IP_FORWARDING=On
/etc/shorewall/masq
Enable masquerading (NAT) for your private Docker network (if you use a different network, i.e. you launch docker with --bip=#.#.#.#/#
, then change accordingly). Change eth0
to any interface on the host machine with external connectivity:
#INTERFACE:DEST SOURCE
eth0 172.17.0.0/16
/etc/shorewall/interfaces
Add an interface entry so Shorewall knows which interface the dock
zone relates to:
#ZONE INTERFACE OPTIONS
dock docker0
/etc/shorewall/zones
Create a new zone; note, docker
is too long and will cause an "invalid zone name" error.
#ZONE INTERFACE
dock ipv4
/etc/shorewall/policy
You probably want to allow Docker containers to talk to the host machine and the Internet, so this is a good starting point:
#SOURCE DEST POLICY
# ...(other policies)...
dock all ACCEPT
# ...(other policies, catch-all)...
You may also need a similar ACCEPT
policy for traffic from fw
to dock
, if you didn't already open it up with fw
to all
.
You can tighten this up further in the policy or rules files as needed. For example, the above does not explicitly allow outside traffic to reach your Docker containers; check your other zones/policies/rules for that.
Solution 2:
Since Docker introduced its network isolation feature, the other solutions mentioned here are no longer sufficient if you want to use custom networks. Shorewall 5.0.6 introduces support for Docker including Docker networks. This:
- Allows shorewall and docker to be started/stopped/restarted in any order
- Avoids the need for maintaining an extension script
Solution 3:
Just figured it out on my box. Make sure /etc/shorewall.conf has:
IP_FORWARDING=Yes
Docker relies on forwarding, and I spaced that 'puppet' sets it to 'No' on all my servers.
Update: You probably also need to masquerade traffic coming from docker out your WAN interface.
Edit /etc/shorewall/masq
and you'll need a line similar to:
br0 172.17.0.0/12
In this case, my WAN interface is actually br0 (a bridge), but yours will probably be something like eth0. (Use ifconfig
to see your interfaces and their IP addresses). On my machine docker uses 172.17.0.0/24 which is an RFC1918 private address range. This may differ on other systems, but you can see the range by using ifconfig
once again to look for the interface docker0
.