Shorewall with docker

Solution 1:

This is related to docker swarm mode, which creates a DOCKER-INGRESS rule chain that is not managed by shorewall. As far as I can tell, nobody has asked for adding management of that rule chain to shorewall. There should be a workaround for this, like skipping, or saving/restoring a chain by name in shorewall, like this.

Solution 2:

Officially, Docker swarm is not supported by Shorewall:

Beginning with Shorewall 5.0.6, Shorewall has native support for simple Docker configurations. ... Shorewall currently doesn't support Docker Swarm mode.

You may have some luck as I have with the approach described here. My shorewall rules are too strict, so I had to tweak the script listed in the comments of that article with one that prepends rules.

The workaround is to create two files, /etc/shorewall/init and /etc/shorewall/stop, with this content:

# Shorewall sources this extension script before it tears down the current
# rule set (init) or at the beginning of stop, so the Docker-managed chains
# are still present when it runs.
rules=/etc/shorewall/.docker_rules
# Only act when Docker has created its nat chain, i.e. the daemon is running.
if iptables -t nat -L DOCKER >/dev/null 2>&1; then
    echo '*nat' > "$rules"
    # Keep every nat rule that mentions docker (chain names and interfaces).
    iptables -t nat -S | grep -i docker > "$rules.nat"
    # Chain definitions (-N) first, so the chains exist before rules reference them.
    grep '^-N' "$rules.nat" >> "$rules"
    # Turn appends (-A) into inserts at position 1; reversing the list with tac
    # means the restored rules keep their original relative order.
    tac "$rules.nat" | sed -n 's/^-A \([^ ]\+\) /-I \1 1 /p' >> "$rules"
    rm -f "$rules.nat"
    echo 'COMMIT' >> "$rules"

    # Same procedure for the filter table.
    echo '*filter' >> "$rules"
    iptables -t filter -S | grep -i docker > "$rules.filter"
    grep '^-N' "$rules.filter" >> "$rules"
    tac "$rules.filter" | sed -n 's/^-A \([^ ]\+\) /-I \1 1 /p' >> "$rules"
    rm -f "$rules.filter"
    echo 'COMMIT' >> "$rules"
fi

Then you create /etc/shorewall/start with this content:

# Shorewall sources this extension script after its own rule set has been
# installed; -n (--noflush) restores the saved Docker chains on top of it
# instead of flushing what Shorewall just loaded.
rules=/etc/shorewall/.docker_rules
if [ -f "$rules" ]; then
    iptables-restore -n < "$rules"
    rm -f "$rules"
fi

If you try this, I must really repeat the warnings about rules/scripts from the net: You should carefully review the resulting iptables rules to ensure you have not exposed your network unnecessarily and that the rules work as expected.
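To review what the save step in this answer produces before running it against a live firewall, here is an added example (not the answer's own script, nor anything shipped by Shorewall or Docker) that applies the same -A to -I transformation to a constructed `iptables -t nat -S` listing and then replays the resulting inserts to show that the reversal preserves the original rule order. The DOCKER and DOCKER-INGRESS chain names come from the answers above; the addresses, port, interface name and the `replay_inserts` helper are assumptions made for the illustration. Portable sed is used in place of the answer's tac.

```shell
#!/bin/sh
# Added example, not the answer's own script: reproduces the save step of the
# workaround on a constructed `iptables -S` dump so the transformation (and the
# reason for reversing the rule order) can be checked offline.

# Constructed sample of an `iptables -t nat -S` listing on a swarm node.
# Chain names DOCKER and DOCKER-INGRESS are from the page; everything else
# (addresses, port, interface) is made up for this example.
SAMPLE_NAT_DUMP='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-N DOCKER-INGRESS
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:8080
-A DOCKER-INGRESS -j RETURN'

# docker_chains_to_restore TABLE   (iptables -S dump on stdin)
# Emits the iptables-restore fragment the init script writes for one table:
# chain definitions first, then every rule re-inserted at position 1 in
# reverse order, so that after restore the rules sit ahead of Shorewall's own
# rules in their original relative order.
docker_chains_to_restore() {
    table=$1
    dump=$(grep -i docker || true)            # same filter as the answer
    printf '*%s\n' "$table"
    printf '%s\n' "$dump" | sed -n '/^-N /p'  # -N lines: create the chains
    printf '%s\n' "$dump" | sed -n '1!G;h;$p' \
        | sed -n 's/^-A \([^ ][^ ]*\) /-I \1 1 /p'
    printf 'COMMIT\n'
}

# replay_inserts   (restore fragment on stdin; hypothetical helper)
# Applies each "-I CHAIN 1 ..." line to initially empty chains and prints the
# resulting rules as "-A" lines, the way `iptables -S` would list them, so the
# restored order can be compared with the original dump.
replay_inserts() {
    awk '
        $1 == "-I" && $3 == "1" {
            chain = $2
            rule = ""
            for (i = 4; i <= NF; i++) rule = rule " " $i
            rules[chain] = "-A " chain rule "\n" rules[chain]
            if (!(chain in seen)) { seen[chain] = 1; order[++n] = chain }
        }
        END { for (i = 1; i <= n; i++) printf "%s", rules[order[i]] }
    '
}

# Demonstration: build the fragment, then show that replaying it recreates the
# DOCKER-INGRESS chain exactly as it appeared in the dump.
fragment=$(printf '%s\n' "$SAMPLE_NAT_DUMP" | docker_chains_to_restore nat)
printf '%s\n' "$fragment"
printf '\n# replayed DOCKER-INGRESS order:\n'
printf '%s\n' "$fragment" | replay_inserts | grep '^-A DOCKER-INGRESS'
```

Running this prints the `*nat ... COMMIT` fragment followed by the DOCKER-INGRESS rules in their original order; pointing `docker_chains_to_restore` at a real `iptables -t nat -S` output lets you inspect the exact rules that `iptables-restore -n` would add on top of Shorewall's rule set, which is the review the warning above asks for.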