Hello,
I'm running a standalone Atomic Registry system and I'm wondering how
to secure this with firewalld.
By default, the Docker containers that support this app listen on
ports 5000, 8443, and 9090.
Even though firewalld is running on my system, when I start the Atomic
Registry containers, I can reach those TCP ports directly. It seems
that Docker is inserting additional firewall rules to allow inbound
traffic apart from firewalld.
The Atomic Registry containers need to be able to contact each other
on the local host system, and send outbound traffic, but that is all.
I don't want anyone on the network to reach tcp/5000 directly, for
example.
How can I use firewalld to close off those ports from the internet?
The best option I've found so far is to add "--iptables=false" to
/etc/sysconfig/docker, and then use the following iptables commands:
# iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
# iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
I'm not sure if those are the best ones, or what the firewall-cmd
equivalents would be?