How to protect iptables when we use docker-compose
How to protect iptables when we use docker-compose. By default Docker dynamically adds its own rules to iptables, and you can no longer flush or manage the firewall as usual. I saw many solutions, like saving the current Docker rules and restoring them afterwards... I don't think it is a good idea... If Docker can't cope with the firewall, we need to free it from this task. See here about docker-compose daemonization with systemd.
Docker no longer manages iptables
Static NAT configuration
How to configure docker-compose.yml (version 3 is very important)
Docker no longer manages iptables
# cat /etc/docker/daemon.json
{
  "log-driver": "journald",
  "iptables": false
}
Static NAT configuration
#!/bin/sh
# reset the NAT chains that Docker would otherwise have populated
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
# source NAT for the container subnet (iptables reads 10.100.0.1/24 as 10.100.0.0/24)
/sbin/iptables -t nat -A POSTROUTING -s 10.100.0.1/24 -o docker0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 10.100.0.1/24 -o eth0 -j MASQUERADE
# forwarding between containers and between the bridge and the uplink
# (FORWARD is not flushed here, so re-running the script appends duplicate rules)
/sbin/iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
/sbin/iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
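As an added example (my own script, not the post's), here is an idempotent variant of the static NAT setup above. Every rule is checked with `iptables -C` before it is appended, so running it again after a reboot or a compose restart does not pile up duplicate rules, and it refuses to run at all unless /etc/docker/daemon.json really sets "iptables": false (otherwise Docker would re-insert its own chains the next time a container starts and the static rules would be fighting it). Assumptions: the subnet, bridge and uplink names are the post's values (overridable through environment variables), the subnet is written in network form 10.100.0.0/24, and the eth0 -> docker0 forward is limited to established connections on the assumption that the published 80/443 ports are served by Docker's userland proxy on the host, so that traffic never crosses FORWARD.

```shell
#!/bin/sh
# Idempotent static NAT for Docker with "iptables": false (added example).
# Run as: sh docker-nat.sh apply   (without an argument it only defines the
# functions, so it can be sourced or unit-tested with a fake iptables command)
set -eu

IPT="${IPT:-/sbin/iptables}"                     # command or shell function to call
DOCKER_SUBNET="${DOCKER_SUBNET:-10.100.0.0/24}"   # the post's 10.100.0.1/24 in network form
DOCKER_BRIDGE="${DOCKER_BRIDGE:-docker0}"
UPLINK="${UPLINK:-eth0}"

# daemon_iptables_disabled FILE : succeed only if FILE contains "iptables": false.
daemon_iptables_disabled() {
    [ -r "$1" ] && grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$1"
}

# ensure_rule TABLE CHAIN RULE... : append RULE to CHAIN unless an identical
# rule already exists (iptables -C returns 0 when it does).
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$table" -A "$chain" "$@"
}

apply_docker_nat() {
    # source NAT: containers reach the outside world with the host address
    ensure_rule nat POSTROUTING -s "$DOCKER_SUBNET" -o "$UPLINK" -j MASQUERADE
    # container <-> container and container -> uplink
    ensure_rule filter FORWARD -i "$DOCKER_BRIDGE" -o "$DOCKER_BRIDGE" -j ACCEPT
    ensure_rule filter FORWARD -i "$DOCKER_BRIDGE" -o "$UPLINK" -j ACCEPT
    # uplink -> containers only for flows the containers opened themselves;
    # this is tighter than the post's unconditional ACCEPT (assumption: published
    # ports are handled by docker-proxy on the host and do not traverse FORWARD)
    ensure_rule filter FORWARD -i "$UPLINK" -o "$DOCKER_BRIDGE" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

case "${1:-}" in
    apply)
        daemon_iptables_disabled /etc/docker/daemon.json || {
            echo 'refusing to run: /etc/docker/daemon.json does not set "iptables": false' >&2
            exit 1
        }
        apply_docker_nat
        ;;
    *)
        ;;   # no argument: only define the functions
esac
```

Unlike the post's script this version never flushes a chain, so it can sit in a systemd unit that runs before docker-compose without disturbing unrelated rules; if you do want the old flush semantics, keep the two `-F` lines in front of it.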
How to configure docker-compose.yml (version 3 is very important)
version: '3'
...
networks:
  default:
    driver: bridge
    driver_opts: {com.docker.network.enable_ipv6: 'false'}
    ipam:
      config:
        - {subnet: 10.100.0.1/24}
      driver: default
...
services:
  nginx-d1:
    container_name: nginx-d1
    hostname: nginx-d1
    image: nginx:1.14
    links: [fluentd, php-d1]
    logging:
      driver: fluentd
      options: {tag: nginx-d1}
    ports: ['443:443', '80:80']
    volumes:
      - '/data/code:/code'
      - '/srv/docker-compose/configs/nginx-d1/conf.d:/etc/nginx/conf.d'
...