Can someone explain why I cannot forward packages to a NFQUEUE inside a docker container? My goal is to setup a NFQ based network inspection inside a container. The rule will be added but just ignored. If someone is interested – here I created a PR for SNORT setup with NFQ inline configuration => https://github.com/cfinkelstein/myownlab/pull/1. ..
I have setup: Rancher (1.6.30) and Docker (18.09.9). When I create a rancher cluster from docker-compose: version: '2' services: mongo: image: mongo:4.4.2 stdin_open: true volumes: - /var/lib/mongo/data/db:/data/db tty: true ports: - 27017:27017/tcp app1: image: XX stdin_open: true tty: true ports: - 10503:80/tcp labels: io.rancher.container.pull_image: always app2: image: XX stdin_open: true tty: true ports: - 10504:8080/tcp ..
I'm running a dockerized app on an ubuntu machine. It's a test environment so I want to limit access to a few IP addresses. I use the following iptables rules: iptables -I DOCKER-USER -p tcp --dport 80 -j REJECT iptables -I DOCKER-USER -p tcp --dport 443 -j REJECT iptables -I DOCKER-USER -p tcp --dport 3306 ..
I'm trying to expose my nginx service to the vpn network without any restrictions. I set up a Nginx docker container with dockerfile as follows: FROM nginx COPY ./docs/build/html /usr/share/nginx/html and then ran docker with: docker build -t my_image . docker run --name cnt_name -d -p 8082:80 my_image While it works pretty well on localhost ..
Docker – modifying IPTABLES for host from container ^ Basically my question is essentially the same as this one, except for one detail. When I followed the answer above, it worked great when I was using the debian base image. But now I have switched my base image to alpine instead. Why did this stop ..
I have a mailserver in a docker container. Fail2ban is installed on the host with this configuration: [DEFAULT] protocol = all [postfix-aggressive] enabled = true chain = DOCKER-USER port = 0:65535 logpath = /my/path/to/mail.log filter = postfix[mode=aggressive] Fail2ban rules work, and bot IPs are detected, but they do not seem to be really banned ..
According to the docker docs (emphasis mine): On Linux, Docker manipulates iptables rules to provide network isolation. While this is an implementation detail (…) you should not modify the rules Docker inserts into your iptables policies … and It is possible to set the iptables key to false in the Docker engine’s configuration file at ..
I realized that recently docker added integration with firewalld and I just want to setup my server using firewalld instead of iptables boring rules and chains. This is my docker zone output: [email protected]:~# sudo firewall-cmd --zone=docker --list-all docker (active) target: DROP icmp-block-inversion: no interfaces: br-0a659f93a5b6 br-be2e44b2b069 docker0 sources: services: ports: protocols: masquerade: no forward-ports: source-ports: ..
I want to control which external IP is used to send traffic from my swarm containers, this can be easily used with a bridge network and iptables rules. This works fine for local-scoped bridge networks: docker network create --driver=bridge --scope=local --subnet=188.8.131.52/16 -o "com.docker.network.bridge.enable_ip_masquerade"="false" -o "com.docker.network.bridge.name"="my_local_bridge" my_local_bridge and on iptables: sudo iptables -t nat -A POSTROUTING ..
I am using docker chain documented here https://docs.docker.com/network/iptables/ to block incoming traffic from public interface except from one IP. iptables -I DOCKER-USER -i eno1 ! -s X.X.X.X -j DROP The side effect of this is that outgoing traffic from container to the rest of the world is also dropped. How to block incoming and allow ..