After starting dockerd, these firewall rules (among others) are added:
-A FORWARD -j DOCKER-USER # first rule for FORWARD chain
...
-A DOCKER-USER -i eth2 -o docker0 -m conntrack ! --ctstate RELATED,ESTABLISHED -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
With this setup I haven’t found a way to enable traffic from the internet to the container using the configuration in /etc/config/firewall.
Is this really impossible? Or did I miss something?
I have found a way to achieve what I need by manually adding a rule to the firewall.
I am after the same thing: I want to run a simple web server inside a docker container and expose it to the internet. I want to make sure the web server is secure and fully isolated. In principle I only want to run a simple static web page. Any idea? Anyone?
If I were you, I would make sure you have set Docker to store its data on external storage in /etc/config/dockerd; that way you will prevent accidental wear of the flash on the Omnia. So, for example, keep images in /srv, making sure you actually have external storage.
One more thing: if an attacker gets inside my docker, he will have access to the local LAN. I checked that from within the container. How do I ‘jail’ my container network, so that it can only communicate with the Internet? Any idea? Thanks a bunch!
@hagrid of course I know next to nothing about the ISO/OSI model, firewalls, chains, iptables, ufw, NAT, ICMP, IP, TCP, UDP, routing, OSPF, CSMA/CD, Token Ring, Ethernet, port mapping, port knocking, proxies, reverse proxies, TTL, SSL/TLS, etc. etc.
My question was specifically about what exactly you propose to jail the docker0 interface so that the docker container can only communicate with the WAN and not with the LAN. It’s not trivial. If you know better, let me know.
As I know nothing about your docker setup, my response will be generic.
Create a firewall rule that blocks access from your docker container to the LAN network.
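A worked version of that rule, added here as an example and not code from any post in this thread. It assumes the container bridge is docker0, the WAN interface is eth2 (as in the rules quoted above), the LAN bridge is br-lan on 192.168.1.0/24, the container serves on port 80, and that the script is installed as /etc/firewall.user so fw3 re-runs it on every firewall reload. It uses the DOCKER-USER chain because dockerd evaluates that chain before its own ACCEPT rules for docker0, which is why zone rules in /etc/config/firewall alone do not reliably block container traffic.

```shell
#!/bin/sh
# Constructed example (not from the thread): DOCKER-USER rules that
# (1) let a container reach the WAN but reject new connections to the LAN, and
# (2) open exactly one published container port to the internet.
# Assumptions: bridge docker0, WAN eth2, LAN bridge br-lan on 192.168.1.0/24,
# container web port 80. Meant for /etc/firewall.user on OpenWrt, which fw3
# re-runs on every reload, so everything below must be idempotent.

IPTABLES="${IPTABLES:-iptables}"
DOCKER_IF="${DOCKER_IF:-docker0}"
WAN_IF="${WAN_IF:-eth2}"
LAN_IF="${LAN_IF:-br-lan}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_PORT="${WEB_PORT:-80}"

# Rule bodies for DOCKER-USER, one per line. Replies to connections that the
# LAN initiated (e.g. an admin testing with curl) stay allowed via conntrack.
# The second rule also catches LAN addresses reachable via another interface.
docker_jail_rules() {
    printf '%s\n' "-i $DOCKER_IF -o $LAN_IF -m conntrack ! --ctstate RELATED,ESTABLISHED -j REJECT"
    printf '%s\n' "-i $DOCKER_IF -d $LAN_NET -m conntrack ! --ctstate RELATED,ESTABLISHED -j REJECT"
}

# Only new TCP connections to the web port may enter docker0 from the WAN;
# the existing eth2 -> docker0 REJECT rule still catches everything else.
docker_publish_rule() {
    printf '%s\n' "-i $WAN_IF -o $DOCKER_IF -p tcp --dport $WEB_PORT -m conntrack --ctstate NEW -j ACCEPT"
}

docker_rule_count() {
    { docker_jail_rules; docker_publish_rule; } | wc -l | tr -d ' '
}

# Insert each rule at the head of DOCKER-USER unless an identical rule is
# already present (-C checks). $rule is deliberately unquoted: it holds a
# list of iptables arguments that must be word-split.
apply_docker_rules() {
    { docker_jail_rules; docker_publish_rule; } | while IFS= read -r rule; do
        $IPTABLES -C DOCKER-USER $rule 2>/dev/null || $IPTABLES -I DOCKER-USER $rule
    done
}

# Only touch the firewall when dockerd has actually created DOCKER-USER.
if "$IPTABLES" -S DOCKER-USER >/dev/null 2>&1; then
    apply_docker_rules
else
    echo "DOCKER-USER chain not available; rules that would be inserted:" >&2
    { docker_jail_rules; docker_publish_rule; } >&2
fi
```

Traffic from a container to the router’s own addresses goes through INPUT rather than FORWARD, so these rules do not cover it. The publish rule must name the container-side port, because Docker’s DNAT has already rewritten the destination by the time the packet reaches FORWARD.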