firewalld and docker

Support for security such as Firewalls and securing linux
afonsodev
Posts: 1
Joined: 2019/11/20 10:09:34

firewalld and docker

Post by afonsodev » 2019/11/20 10:28:59

Hello all,

I've just installed docker on a CentOS host to run CKAN within containers.

The containers need to communicate with each other, and I only had success after running the following command:

Code:

firewall-cmd --set-default-zone=trusted

The host is not exposed to the Internet yet, but it will be.

Before running the above command, this was the error when a container tried to connect to another container with PostgreSQL:

Code:

ckan          | sqlalchemy.exc.OperationalError: (psycopg2.OperationalError) could not connect to server: No route to host
ckan          |         Is the server running on host "db" (172.18.0.3) and accepting
ckan          |         TCP/IP connections on port 5432?
ckan          |
ckan exited with code 1

See the message "no route to host".

My question is: I want to set the firewall back to public as the default zone. What commands do I have to run to make the containers communicate with each other?

Here is the current firewalld config. Thanks!

Code:

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule priority="32767" reject

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports: 5000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0 ens160
  sources:
  services:
  ports: 5000/tcp 5432/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

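An added audit script, not part of the original post, that parses the zone dump format shown above (`firewall-cmd --list-all-zones` style: a zone header line, then indented `key: value` lines) and flags any host uplink interface that sits in a zone whose target is ACCEPT, which is the situation the dump above shows for ens160 once everything was moved to the trusted zone. It assumes ens160 is the uplink and that docker0 may remain in the trusted zone; the sample text is a constructed excerpt of the dump, and the suggested `firewall-cmd` lines are only printed, never executed.

```python
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of the original post's firewalld dump.
SAMPLE_ZONES = """\
public
  target: default
  interfaces:
  services: cockpit dhcpv6-client http https ssh
  ports: 5000/tcp

trusted (active)
  target: ACCEPT
  interfaces: docker0 ens160
  ports: 5000/tcp 5432/tcp
  masquerade: yes
"""

def parse_zones(text: str) -> Dict[str, Dict[str, str]]:
    """Map zone name -> {field: value}; 'active' is 'yes' or 'no'."""
    zones: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Zone header, e.g. "trusted (active)" or "public".
            current = line.split(" ")[0]
            zones[current] = {"active": "yes" if "(active)" in line else "no"}
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            zones[current][key.strip()] = value.strip()
    return zones

def audit(zones: Dict[str, Dict[str, str]],
          uplinks: Tuple[str, ...] = ("ens160",)) -> List[Tuple[str, str]]:
    """Return (interface, zone) pairs where an uplink is in an ACCEPT-target zone."""
    findings = []
    for name, zone in zones.items():
        if zone.get("target") != "ACCEPT":
            continue
        for iface in zone.get("interfaces", "").split():
            if iface in uplinks:
                findings.append((iface, name))
    return findings

def remediation(findings: List[Tuple[str, str]], safe_zone: str = "public") -> List[str]:
    """Commands that move each flagged uplink into safe_zone (permanent, then reload)."""
    cmds = [f"firewall-cmd --permanent --zone={safe_zone} --change-interface={iface}"
            for iface, _ in findings]
    return cmds + ["firewall-cmd --reload"] if cmds else []

if __name__ == "__main__":
    print("\n".join(remediation(audit(parse_zones(SAMPLE_ZONES)))))
```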
KernelOops
Posts: 102
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: firewalld and docker

Post by KernelOops » 2019/11/20 11:54:27

Sounds like you need to open port 5432/tcp like you've done to the trusted zone.

But you need to be sure that this is the correct way, because everyone on the internet will be able to access that port. If it's to be used between containers, then maybe it's not meant to be open to the public?
--
I love my computer - all my friends live there.
--
