Docker, nginx and firewalld example

From BitFolk

VPS Setup

See Installing on BTRFS

Install Firewalld

root@host:~# apt install firewalld

Install Docker

For Docker one needs the Docker Engine and Docker Compose. Both installations are documented on docs.docker.com. At the time of this writing the relevant pages are Install Docker Engine on Debian for the engine and Install the Compose plugin for Compose.

Since I do not want Docker to manage iptables itself, I apply the configuration shown below.

root@host:~# cat /etc/systemd/system/multi-user.target.wants/docker.service | grep iptables
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false

After altering docker.service I rebooted to apply the changes. To see the effect, run iptables -L before and after the reboot.

Run a nginx Container

root@host:~# docker run --name nginx1 -d nginx
root@host:~# docker ps | cut -d' ' -f1
CONTAINER
30d55f4783b1
root@host:~# docker container inspect 30d55f4783b1 | grep IPAddress
           "SecondaryIPAddresses": null,
           "IPAddress": "172.17.0.2",
                   "IPAddress": "172.17.0.2",

curl 172.17.0.2 will return a welcome message.

Firewalld Configuration

The Docker containers reside in 172.17.0.0/16, the default docker0 bridge subnet. Since Docker no longer adds NAT rules of its own, the masquerade rule below is what allows all containers to talk to the outside world.

root@host:~# firewall-cmd --permanent --zone=public \
--add-rich-rule='rule family="ipv4" source address=172.17.0.0/16 masquerade'
root@host:~# firewall-cmd --reload

Finally, the forward-port rule below lets the outside world reach nginx1 by forwarding port 80 on the host to port 80 on the container's address.

root@host:~# firewall-cmd --permanent --zone=public \
--add-forward-port=port=80:proto=tcp:toport=80:toaddr=172.17.0.2
root@host:~# firewall-cmd --reload
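The steps above are typed by hand, with the container address copied out of docker container inspect. The script below is an added example (not BitFolk's or Docker's own tooling) that wraps the same procedure in small functions: it checks the ExecStart line for --iptables=false, extracts the container's IPv4 address from inspect output, and builds the exact rich-rule and forward-port strings used on this page. It assumes the public zone and the default 172.17.0.0/16 subnet from the page; docker and firewall-cmd are only called when the script is run with the "apply" argument, and the inspect JSON embedded at the end is a constructed sample built from the page's output.

```shell
#!/bin/sh
# Added example for the BitFolk page, not the page's own commands.
# Assumptions: firewalld zone "public", default docker0 subnet 172.17.0.0/16.

# Returns 0 when the given ExecStart line starts dockerd with --iptables=false.
execstart_disables_iptables() {
  case "$1" in
    *--iptables=false*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads `docker container inspect` JSON on stdin and prints the first
# non-empty "IPAddress" value; prints nothing if the container has none.
# "SecondaryIPAddresses": null does not match because of the leading quote.
container_ip_from_inspect() {
  sed -n 's/.*"IPAddress": "\([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Rich rule masquerading traffic from the container subnet (first rule on the page).
masquerade_rule() {
  printf 'rule family="ipv4" source address=%s masquerade' "$1"
}

# Forward-port spec for --add-forward-port (second rule on the page).
# Arguments: host port, protocol, container port, container IP.
forward_port_spec() {
  printf 'port=%s:proto=%s:toport=%s:toaddr=%s' "$1" "$2" "$3" "$4"
}

# Constructed sample of inspect output, with the address shown on the page.
SAMPLE_INSPECT='{
        "NetworkSettings": {
            "SecondaryIPAddresses": null,
            "IPAddress": "172.17.0.2",
            "Networks": {
                "bridge": {
                    "IPAddress": "172.17.0.2"
                }
            }
        }
}'

# Applies both rules for one container. Only reached via: sh this.sh apply nginx1
apply_rules() {
  name="$1"
  ip=$(docker container inspect "$name" | container_ip_from_inspect)
  if [ -z "$ip" ]; then
    echo "container $name has no IPv4 address on the default bridge" >&2
    return 1
  fi
  firewall-cmd --permanent --zone=public \
    --add-rich-rule="$(masquerade_rule 172.17.0.0/16)"
  firewall-cmd --permanent --zone=public \
    --add-forward-port="$(forward_port_spec 80 tcp 80 "$ip")"
  firewall-cmd --reload
}

if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
  apply_rules "$2"
fi
```

Two caveats worth keeping in mind when using this. First, an address on the default bridge is assigned when the container starts and is not guaranteed to be the same after a restart, so the forward-port rule has to be re-checked (or the container given a fixed address with --ip on a user-defined network) whenever nginx1 is recreated. Second, the page edits the unit file reached through multi-user.target.wants, which is a symlink to the packaged docker.service and is overwritten on the next package upgrade; the same setting survives upgrades as "iptables": false in /etc/docker/daemon.json, but do not set it in both places, because dockerd refuses to start when an option is given both as a flag and in daemon.json. When checking the before/after state, remember that Docker's own rules live mostly in the nat table, so iptables -t nat -L shows more than plain iptables -L.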