Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
DescriptionPasi Karkkainen
2019-02-19 19:25:39 UTC
Description of problem:
Currently docker in rhel7 does not allow easy way of limiting/filtering access to container exposed ports by source IP. This is because docker directly manages the iptables rules for containers, which docker adds as the first rules in the iptables FORWARD chain, before any firewalld rules. Rules added by docker always allow "any" (0.0.0.0) as the source IP, so all container ports are exposed to the whole world.
If the user changes those generated rules or the rule order manually, they are overiden by next docker daemon restart. So currently it's quite painful to do any IP limitations/filtering for docker containers.
docker-ce version 17.06 has added support for "DOCKER-USER" iptables custom chain, which docker loads before any other firewall rules it generates, and docker doesn't clear the contents of "DOCKER-USER" chain either, so it's the easy way of firewalling/blocking access to the container exposed ports.
More info: https://unrouted.io/2017/08/15/docker-firewall/
and docker documentation: https://docs.docker.com/network/iptables/
"If you need to add rules which load before Docker’s rules, add them to the DOCKER-USER chain. These rules are loaded before any rules Docker creates automatically."
Version-Release number of selected component (if applicable):
docker in rhel7
How reproducible:
always
Steps to Reproduce:
1. Run any container with docker exposing some port(s).
2. Notice how docker adds firewall rules on top of the iptables FORWARD chain.
3. Change the iptables rules by hand, restart docker, and notice how docker has again added it's own rules as the first rules in FORWARD chain, preventing easy firewalling/limiting access to container exposed ports.
Additional info:
https://github.com/docker/libnetwork/pull/1675https://github.com/docker/docker.github.io/pull/3554