I am curious what would be the best way to achieve the subject.
Let's say I am running a container like this:
docker run --rm -d -p 8080:80 nginx:1.23.3-alpine-slim
I want to keep in place the solution in /etc/config/dockerd that prevents Docker from bypassing the firewall,
so I don't expose anything accidentally:
config firewall 'firewall'
option device 'docker0'
list blocked_interfaces 'wan'
option extra_iptables_args '--match conntrack ! --ctstate RELATED,ESTABLISHED' # allow outbound connections
After starting dockerd, these firewall rules (among others) are added:
-A FORWARD -j DOCKER-USER # first rule for FORWARD chain
...
-A DOCKER-USER -i eth2 -o docker0 -m conntrack ! --ctstate RELATED,ESTABLISHED -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
With this setup I haven't found a way to enable traffic from the internet to the container using the configuration in /etc/config/firewall.
Is this really impossible? Or did I miss something?
I have found a way to achieve what I need by manually adding a rule to the firewall:
iptables -I DOCKER-USER -i eth2 -o docker0 -d 172.17.0.2 -p tcp -m tcp --dport 80 -j RETURN
Would this be the right approach?
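The manual rule from the post, turned into a small script so it can be applied without duplicates and without hard-coding the container address. This is an added example, not code from the original post or from the OpenWrt Docker package. It assumes the WAN interface is eth2 and the bridge is docker0 (as in the post), reads the container's bridge IP from `docker inspect` because that address can change when the container is recreated, and falls back to a constructed sample address when docker is not installed so the helper functions can be exercised off-box.

```sh
#!/bin/sh
# Added example, not part of the original post: open one published
# container port in DOCKER-USER while keeping the blanket REJECT that
# /etc/config/dockerd installs for WAN -> docker0 traffic.
#
# Assumptions (mine, not from the post): the WAN interface is eth2, the
# Docker bridge is docker0, and the container address is read from
# `docker inspect` because it is not stable across container restarts.

WAN_IF="${WAN_IF:-eth2}"
BRIDGE="${BRIDGE:-docker0}"

# Match/target part of the DOCKER-USER rule. Built in one place so that
# -C (check), -I (insert) and -D (delete) all use identical arguments.
# $1 = container IP, $2 = container-side port, $3 = protocol (tcp|udp)
docker_user_rule() {
    printf '%s' "-i $WAN_IF -o $BRIDGE -d $1 -p $3 -m $3 --dport $2 -j RETURN"
}

# IP of a container on the bridge. Falls back to a constructed sample
# value when docker is not installed, so the functions can be exercised
# off-box.
container_ip() {
    if command -v docker >/dev/null 2>&1; then
        docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"
    else
        echo "172.17.0.2"   # constructed sample, same address as in the post
    fi
}

# Insert the RETURN rule at position 1 of DOCKER-USER (ahead of the REJECT)
# only if it is not already there, so re-running the script does not pile
# up duplicates.
# $1 = container name/ID, $2 = container-side port, $3 = protocol (default tcp)
allow_container_port() {
    ip=$(container_ip "$1") || return 1
    [ -n "$ip" ] || { echo "no bridge IP found for container $1" >&2; return 1; }
    rule=$(docker_user_rule "$ip" "$2" "${3:-tcp}")
    # $rule is intentionally unquoted: iptables needs the separate words.
    if iptables -C DOCKER-USER $rule 2>/dev/null; then
        echo "already present: DOCKER-USER $rule"
    else
        iptables -I DOCKER-USER 1 $rule && echo "inserted: DOCKER-USER $rule"
    fi
}

# Remove the rule again (e.g. before stopping the container).
deny_container_port() {
    ip=$(container_ip "$1") || return 1
    rule=$(docker_user_rule "$ip" "$2" "${3:-tcp}")
    iptables -D DOCKER-USER $rule
}

# Usage: sh docker-user-allow.sh allow|deny <container> <container-port> [tcp|udp]
case "${1:-}" in
    allow) allow_container_port "$2" "$3" "$4" ;;
    deny)  deny_container_port  "$2" "$3" "$4" ;;
esac
```

Two things worth checking when using it: the port in the rule is the container-side port (80), not the published host port (8080), because Docker's DNAT in the nat PREROUTING chain has already rewritten the destination by the time the packet reaches FORWARD and DOCKER-USER; and `iptables -S DOCKER-USER` should show the RETURN line above the REJECT line, otherwise it never matches. The rule only exists in the running ruleset, so it has to be re-applied after a reboot.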