Docker, nginx and firewalld example
VPS Setup
See Installing on BTRFS
Install Firewalld
root@host:~# apt install firewalld
Install Docker
For Docker one needs the Docker Engine and Docker Compose. Both installations are documented on docs.docker.com; at the time of this writing the relevant pages are Install Docker Engine on Debian for the engine and Install the Compose plugin for Compose.
Since I do not want Docker to manage iptables itself, I apply the configuration shown below.
root@host:~# cat /etc/systemd/system/multi-user.target.wants/docker.service | grep iptables
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false
After altering docker.service I rebooted to apply the changes. To see the effect, run iptables -L before and after the reboot.
Run a nginx Container
root@host:~# docker run --name nginx1 -d nginx
root@host:~# docker ps | cut -d' ' -f1
CONTAINER
30d55f4783b1
root@host:~# docker container inspect 30d55f4783b1 | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "172.17.0.2",
                    "IPAddress": "172.17.0.2",
curl 172.17.0.2 will return a welcome message.
Firewalld Configuration
The Docker containers on the default bridge network reside in 172.17.0.0/16. So the configuration below allows all containers to talk to the outside world, with their source addresses masqueraded to the host's address.
root@host:~# firewall-cmd --permanent --zone=public \
    --add-rich-rule='rule family="ipv4" source address=172.17.0.0/16 masquerade'
root@host:~# firewall-cmd --reload
Finally, the configuration below allows the outside world to reach nginx1 on TCP port 80.
root@host:~# firewall-cmd --permanent --zone=public \
    --add-forward-port=port=80:proto=tcp:toport=80:toaddr=172.17.0.2
root@host:~# firewall-cmd --reload
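As an added example that is not part of the original page, the POSIX shell helpers below wrap the last two steps so that the forward rule is generated from the container's current address rather than from a hard-coded 172.17.0.2: Docker assigns bridge addresses dynamically, so a recreated container may come up with a different one and a stale forward-port would then point at nothing, or at a different container. The container name nginx1 and the network 172.17.0.0/16 come from the page; the function names, the --apply flag, and the use of firewall-cmd --list-forward-ports to read the current rules are my own choices, not something the page specifies.

```shell
#!/bin/sh
# Added example (not from the wiki page). Assumes Docker's default bridge
# network 172.17.0.0/16 and a container named "nginx1", as on the page.

# in_docker_net IP -> 0 if IP is a valid dotted quad inside 172.17.0.0/16,
# else 1. Guards against forwarding host ports to an address outside the
# bridge network (e.g. a typo, or a container on a different network).
in_docker_net() {
    ip=$1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac   # non-numeric octet
        [ "$o" -le 255 ] || return 1                  # octet out of range
    done
    if [ "$1" -eq 172 ] && [ "$2" -eq 17 ]; then return 0; else return 1; fi
}

# forward_rule HOSTPORT CONTAINER_IP [CONTAINERPORT] -> the value firewalld
# expects after --add-forward-port= (CONTAINERPORT defaults to HOSTPORT).
forward_rule() {
    printf 'port=%s:proto=tcp:toport=%s:toaddr=%s\n' "$1" "${3:-$1}" "$2"
}

# forward_target_matches LISTING HOSTPORT IP -> 0 if LISTING (the output of
# `firewall-cmd --zone=public --list-forward-ports`) already sends
# HOSTPORT/tcp to IP, else 1. Useful from a cron job to detect that the
# container was recreated with another address.
forward_target_matches() {
    esc=$(printf '%s' "$3" | sed 's/\./\\./g')    # escape dots for grep
    printf '%s\n' "$1" | grep -qx "port=$2:proto=tcp:toport=[0-9]*:toaddr=$esc"
}

# apply_forward [NAME] [HOSTPORT]: live mode, needs docker and firewalld.
# Resolves the container's current bridge address, validates it, drops any
# stale forward for the same host port, and installs the new one.
apply_forward() {
    name=${1:-nginx1}; port=${2:-80}
    ip=$(docker container inspect \
        -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$name") || return 1
    in_docker_net "$ip" || { echo "unexpected address '$ip' for $name" >&2; return 1; }
    current=$(firewall-cmd --zone=public --list-forward-ports)
    if forward_target_matches "$current" "$port" "$ip"; then
        echo "forward for $port/tcp already points at $ip"
        return 0
    fi
    # remove stale forwards for this host port (old container address)
    printf '%s\n' "$current" | grep "^port=$port:proto=tcp:" | while read -r old; do
        firewall-cmd --permanent --zone=public --remove-forward-port="$old"
    done
    firewall-cmd --permanent --zone=public --add-forward-port="$(forward_rule "$port" "$ip")"
    firewall-cmd --reload
}

# Only touch the live system when explicitly asked:
#   sh fwdocker.sh --apply nginx1 80
if [ "${1:-}" = "--apply" ]; then
    apply_forward "${2:-nginx1}" "${3:-80}"
fi
```

The pure functions (in_docker_net, forward_rule, forward_target_matches) take their input as arguments, so they can be exercised without Docker or firewalld present; only apply_forward talks to the running system, and only when the script is invoked with --apply. Because the masquerade rich rule from the previous step covers the whole 172.17.0.0/16 range it does not need regenerating when a container's address changes; the forward-port does, which is why the check is limited to it.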