Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 3 days ago.
Improve this question
I am trying to use fail2ban in a docker-container to block incoming connections to my nextcloud (also running in a docker container). However I only can get fail2ban to change the iptables of its own container and not the one of the docker host.
My current setup looks like this:
docker-compose
app:
image: nextcloud:latest
container_name: nextcloud_app
restart: always
ports:
- 7000:80
- 7001:443
...
fail2ban:
image: lscr.io/linuxserver/fail2ban:latest
container_name: nextcloud_fail2ban
network_mode: host
restart: always
environment:
- PUID=1000
- PGID=1000
volumes:
- ./data/fail2ban:/config
- ./data/nextcloud/data:/var/log:ro # the directory of the nextcloud log
cap_add:
- NET_ADMIN
- NET_RAW
jail.d/nextcloud.conf
[nextcloud]
enabled = true
port = 80,443,7000,7001
protocol = tcp
filter = nextcloud
Tlogpath = /var/log/nextcloud.log
maxretry = 3
bantime = 86400
findtime = 14400
# banaction = docker-action
# chain = DOCKER-USER
# action = iptables[actname=iptables-input, name=HTTPS, port=https, protocol=tcp]
# iptables[actname=iptables-forward, name=HTTPS-DOCKER, chain=FORWARD, port=443, protocol=tcp]
This results in the iptables correctly set on the fail2ban container (e.g. ban 192.168.1.125):
root#grievous:/# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-nextcloud
-A INPUT -p tcp -m multiport --dports 80,443,7000,7001 -j f2b-nextcloud
-A f2b-nextcloud -s 192.168.1.125/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nextcloud -j RETURN
but the host iptables stay unchanged. This doenst help me much since I dont want to block the traffic to the fail2ban container but instead to the nextcloud container (or in general all incoming traffic from the banned ip address to the docker host).
I looked online for some solutions but was not able to set the puzzle together. I think I have to use the DOCKER-USER chain. However when using it no iptables were created.
Some suggest to install fail2ban baremetal, which I don't want.
I also tried using a docker-action.conf which I found but this didn't help either, since it also creates the iptables on the fail2ban container
[Definition]
actionstart = iptables -N f2b-npm-docker
iptables -A f2b-npm-docker -j RETURN
iptables -I FORWARD -p tcp -m multiport --dports 0:65535 -j f2b-npm-docker
actionstop = iptables -D FORWARD -p tcp -m multiport --dports 0:65535 -j f2b-npm-docker
iptables -F f2b-npm-docker
iptables -X f2b-npm-docker
actioncheck = iptables -n -L FORWARD | grep -q 'f2b-npm-docker[ \t]'
actionban = iptables -I f2b-npm-docker -s DROP <ip >-j
actionunban = iptables -D f2b-npm-docker -s DROP <ip >-j
So I guess my problem/question is on how to tell fail2ban to install the iptables on the docker host instead of its own container. Mabye I have to change the network_mode?
Any help is highly appreciated =)
Related
I am running a Wireguard server from a VPS provider. What I want to achieve is to be able to route specific internet traffic (ports 10000:11000 are set to accept traffic from the VPS firewall) from VPN to my Docker containers at home server.
[Internet] <-> [Wireguard 10.100.0.1] <-> [Home Server 10.100.0.2 (Docker Containers)]
Details:
Wireguard Server
OS: Ubuntu 20.04.2 LTS
iptables post up/down rules from wg0.conf:
iptables -A FORWARD -i eth0 -j ACCEPT;
iptables -t nat -A PREROUTING -p tcp --dport 10000:11000 -j DNAT --to-destination 10.100.0.2;
iptables -w -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
sysctl -p:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
Home Server
OS: Ubuntu 20.04.2 LTS (Desktop)
systemd-networkd (.network file for wireguard interface) configuration:
[Match]
Name = wguard
[Network]
Address = 10.100.0.2/32
[RoutingPolicyRule]
From = 10.200.0.0/16
Table = 250
[Route]
Gateway = 10.100.0.2
Table = 250
[Route]
Destination = 0.0.0.0/0
Type = blackhole
Metric = 1
Table = 250
I created a Docker network in 10.200.0.0/16, and containers are using using this network. Docker containers return the VPN ip address when I check it with curl.
Home server returns my home ip address with a plain curl query; but it returns VPN ip address via wireguard interface.
My problems:
I cannnot ping the VPN host from home server, but I can ping other VPN clients. Also I can ping the VPN host from inside the containers, which is strange.
Port forwarding from the VPN to containers does not work properly.
Example docker-compose:
version: "3.7"
services:
rutorrent:
container_name: rutorrent1
image: romancin/rutorrent:latest
networks:
- wireguard0
ports:
- "10010:51415"
- "10011:80"
- "10012:443"
environment:
- PUID=1000
- PGID=1000
volumes:
- /home/user/Downloads/rutorrent/config:/config
- /home/user/Downloads/rutorrent/downloads:/downloads
networks:
wireguard0:
external: true
I would appreciate if you could at least point me to the part where I am doing wrong. I think my iptables rules have missing lines but I couldn't find a good reference or a book to fully understand how to set it properly.
Thanks
I have init a swarm with 1 manager and 1 worker, each on a different hosts, following the official tutorial. I also use Traefik, following these instructions on dockerswarm.rocks, using simply overlay network created with:
docker network create --driver=overlay traefik-public
Now I deploy a service of mine, which has to access the Internet.
While this works well when the service is deployed on the manager node, it fails in the worker node.
docker-compose.yml
version: '3.5'
services:
export-phyc:
image: my.docker.registry/my/image
networks:
- traefik-public
deploy:
labels:
- traefik.enable=true
- traefik.docker.network=traefik-public
- traefik.constraint-label=traefik-public
- traefik.http.routers.myservice-http.rule=Host(`my.domain`)
- traefik.http.routers.myservice-http.entrypoints=http
- traefik.http.routers.myservice-http.middlewares=https-redirect
- traefik.http.routers.myservice-https.rule=Host(`my.domain`)
- traefik.http.routers.myservice-https.entrypoints=https
- traefik.http.routers.myservice-https.tls=true
- traefik.http.routers.myservice-https.tls.certresolver=le
- traefik.http.services.myservice.loadbalancer.server.port=80
networks:
traefik-public:
external: true
Both hosts have the same DNS conf:
# cat /etc/resolv.conf
domain openstacklocal
search openstacklocal
nameserver 213.186.xx.xx
Both tasks has the same DNS conf too (but not the same as the hosts):
# docker container exec <my-container-id> cat /etc/resolv.conf
search openstacklocal
nameserver 127.0.0.xx
options ndots:0
And yet, the task on the manager can reach the internet:
# docker container exec <my-container-id> wget google.com
Connecting to google.com (216.58.215.46:80)
Connecting to www.google.com (216.58.206.228:80)
saving to 'index.html'
index.html 100% |********************************| 13848 0:00:00 ETA
'index.html' saved
and the task on the worker cannot:
# docker container exec <my-container-id> wget google.com
wget: bad address 'google.com'
# docker container exec <my-container-id> wget 216.58.204.142
Connecting to 216.58.204.142 (216.58.204.142:80)
wget: can't connect to remote host (216.58.204.142): Operation timed out
I am most confused. How do I get the tasks on my worker node to access the internet?
So the problem was with my firewall (iptables) messing around with the rules set by Docker. I indeed need to implement my own rules (launched at reboots), and Docker has to set its internal communication rules (set everytime the docker daemon restarts).
I'm not a connoisseur of iptables, I just got one supposed to deal well with Docker Swarm, but one line was missing in it:
-A DOCKER-USER -j RETURN
Example iptables rules:
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]
-F INPUT
-F DOCKER-USER
-F FILTERS
-A INPUT -i lo -j ACCEPT
-A INPUT -j FILTERS
-A DOCKER-USER -i eno1 -j FILTERS
-A DOCKER-USER -j RETURN
-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow 80 and 443
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
###### System
# Allow SSH connections
-A FILTERS -p tcp --dport 22 -j ACCEPT
# Docker SWARM cluster connections
-A FILTERS -p tcp --dport 2377 -j ACCEPT
-A FILTERS -p tcp --dport 7946 -j ACCEPT
-A FILTERS -p udp --dport 7946 -j ACCEPT
-A FILTERS -p udp --dport 4789 -j ACCEPT
###### Rules home
# ...
###### end
-A FILTERS -j REJECT --reject-with icmp-host-prohibited
COMMIT
I have an issue in regards to my iptables setup. My goal is to reach the https based webserver inside a docker container from the server machine itself.
The setup is the following:
The server is connected to the internet via eth0 and serves http via port 443.
Any users from the outside (internet) reach the server via the ip address 1.2.3.4.
It is connected to the internal network via eth1 and serves dhcp, dns and some more services.
Any users from the inside (intranet) reach the server via the ip address 10.0.0.1.
The docker container is connected via docker1 on the server. The later has the ip address 10.8.0.2 inside the docker network.
The docker container serves the webserver on port 1443, but iptables forwards (NAT) requests on port 443 to its address 10.8.0.1 and the destination port 1443.
What is working:
The webserver is perfectly reachable from the internet and the intranet.
The webserver can be reached from the server itself using the address 10.8.0.1:1443.
What is not working:
Any client which is working directly on the server can not reach the docker webserver using https://example.com:443. Using https://10.8.0.1:8443 would work, but fails due to a certificate error. It is not a goal to skip the certificate check as a workaround.
Excerpt of the iptable configuration:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i docker1 -o docker1 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 443 -j DNAT --to-destination 10.1.0.1:1443
iptables -A FORWARD -o docker1 -p tcp --dport 1443 -j ACCEPT
iptables -A INPUT -i docker1 -j DROP
iptables -A FORWARD -i docker1 -j DROP
Due to that "complicated" setup I am no longer able to understand which of the iptable rules and chains need to be applied to make this work so I am seeking for your help to solve that issue.
Brainstorming about the issue using a simplified model and my understanding of the iptable chains the way of the packages might/should look like this:
Origin is a local application (wget).
The packages go through the OUTPUT table.
The packages go through the POSTROUTING table.
Magic happens...
The packages arrive again in the PREROUTING table.
The packages might go trough INPUT again.
The packages might arrive at the target application (webserver).
If I type iptables -L there is this line in the output :
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http-alt
My container is exposed publicly and I can request a dummy http server from everywhere (tested). I try to remove that rule so only 80 is only exposed inside my server (localhost:80). I tried :
root#ns25252:~# iptables -D DOCKER --destination 172.17.0.2 -p tcp --dport 80 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
As the error implies, it can't find the matching rule.. How should I type to remove the line ?
It's usually easier to delete by number, unless there is a chance that the number could change between the time you listed the rules and the time you delete the rule.
Here's how to delete by line number:
# iptables -L --line-numbers
(snip)
Chain DOCKER (2 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http
(snip)
# iptables -D DOCKER 1
Alternatively, you can get the full specification by doing iptables -S. Example:
# iptables -S
(snip)
-A DOCKER -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
(snip)
Turn the -A into a -D and use this as the args to iptables to delete the rule:
# iptables -D DOCKER -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
NOTE: This answer perplexingly still gets upvotes from time to time. I have no idea what everyone is trying to actually accomplish, I just blindly answered an iptables-related question. If you want to start a Docker container that is not accessible to the outside world, that's an entirely different topic, and this is not an appropriate answer in your case. (Maybe start by not exposing/publishing the port.)
This is a bit old but in case someone else is looking for how to remove docker completely from your iptables rules here's how I did it, also keep in mind this is on debian so your files/paths may differ.
edit your /etc/iptables.up.rules file, back up file then remove everything with docker in it - there may also be a few additional lines with the local docker subnet (mine was 172.17.x and 172.19.x) - remove them all
flush iptables: iptables -P INPUT ACCEPT && iptables -P OUTPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -F
reload iptables rules: iptables-restore < /etc/iptables.up.rules
verify/check your rules: iptables -L -n (should no longer have any docker chains or rules)
If you have deleted the docker package than just restart iptables service and it will deleted default docker iptables-
systemctl restart iptables.service
I can't get logspout to connect to papertrail. I get the following error:
!! lookup logs5.papertrailapp.com on 127.0.0.11:53: read udp 127.0.0.1:46185->127.0.0.11:53: i/o timeout
where 46185 changes every time I run the container. It seems like a DNS error, but nslookup logs5.papertrailapp.com gives the expected output, as does docker run busybox nslookup logs5.papertrailapp.com.
Beyond that, I don't even know how to interpret that error message, let alone address it. Any help debugging this would be hugely appreciated.
My Docker Compose file:
version: '2'
services:
logspout:
image: gliderlabs/logspout
command: "syslog://logs5.papertrailapp.com:12345"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
sleep:
image: benwhitehead/env-loop
Where 12345 is the actual papertrail port. Result is the same whether using syslog:// or syslog-tls://.
From https://docs.docker.com/engine/userguide/networking/configure-dns/:
the docker daemon implements an embedded DNS server which provides built-in service discovery for any container
It looks like your container is unable to connect to this DNS server. If your container is on the default bridge network, it won't reach the embedded DNS server. You can either set --dns to be an outside source or update /etc/resolv.conf. It doesn't sound like a Papertrail issue, at all.
(source)
Docker and iptables got in a fight. So I spun up a new machine, failed to set up iptables, and the problem was solved: no firewall at all to get in the way of Docker's connections!
Just kidding, don't do that. I got a toy database hacked that way.
Fortunately, it's now relatively easy to get iptables and Docker to live in harmony, using the DOCKER_USER iptables chain.
The solution, excerpted from my blog:
Configure Docker with iptables=true, and append to iptables configuration:
iptables -A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A DOCKER-USER -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A DOCKER-USER -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A DOCKER-USER -i eth0 -j DROP