I have set up a pi-hole Docker container and exposed the DNS ports and port 80 on CentOS 7. However, the ports are now available to all sources, which is not very handy since it's running on a VPS.
So I am trying to have firewallD filter the traffic going to my Docker container.
My Docker container is running as follows:
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
18881454da0c pihole/pihole:latest "/s6-init" 24 hours ago Up About an hour (healthy) 0.0.0.0:53->53/tcp, 0.0.0.0:80->80/tcp, 0.0.0.0:53->53/udp pihole
On firewallD I have set up the following ACL (traffic going to CentOS is filtered fine by this):
sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: docker0
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="<home ip>/32" accept
And I have set the docker0 interface to zone public:
sudo firewall-cmd --permanent --zone=public --change-interface=docker0
sudo firewall-cmd --get-active-zones
public
interfaces: docker0
But when I do a port scan from the internet I still see all Docker-exposed ports.
I can solve this using iptables commands:
sudo iptables -N CUSTOM_PIHOLE
sudo iptables -A CUSTOM_PIHOLE --source <home ip> --destination 172.17.0.2 -j ACCEPT
sudo iptables -R DOCKER 1 --source 0.0.0.0/0 --destination 172.17.0.2 -j CUSTOM_PIHOLE
sudo iptables -D DOCKER 3
sudo iptables -D DOCKER 2
But then, when firewallD reloads, this config is lost.
Is there a way to filter traffic to the docker-container using firewallD?
Found the answer. See the following links:
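One way to get the filtering the question asks for, as an added example that is not part of the original post or the linked answer: firewalld direct rules placed in Docker's DOCKER-USER chain. A published port is DNAT'd before INPUT and then crosses FORWARD, where Docker jumps to DOCKER-USER first, so a zone bound to docker0 never sees it; direct rules are stored with --permanent and survive a reload. The interface name eth0 and the trusted address 203.0.113.10 are hypothetical, 172.17.0.2 is the container address from the question, and the script assumes Docker 17.06 or later (the release that introduced DOCKER-USER).

```shell
#!/bin/sh
# Added example (not code from the original post): confine a published Docker
# port with firewalld direct rules in Docker's DOCKER-USER chain.
# Why: a published port is DNAT'd before INPUT and then crosses FORWARD, where
# Docker jumps to DOCKER-USER first, so a zone bound to docker0 never sees it.
# Direct rules are saved with --permanent and survive firewall-cmd --reload.
# Assumed values: WAN interface eth0, trusted source 203.0.113.10 (both
# hypothetical), container 172.17.0.2 (from the question), Docker >= 17.06.
# Caveat: older firewalld releases flush Docker's chains on reload; if
# DOCKER-USER vanishes, restart the docker service to recreate it.

WAN_IF="${WAN_IF:-eth0}"
TRUSTED_SRC="${TRUSTED_SRC:-203.0.113.10/32}"
CONTAINER_IP="${CONTAINER_IP:-172.17.0.2}"

# docker_user_rule PRIORITY MATCH... : with DO_APPLY=1 adds the permanent
# direct rule; otherwise prints the firewall-cmd invocation (dry run).
docker_user_rule() {
  prio=$1; shift
  if [ "${DO_APPLY:-0}" = 1 ]; then
    firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER "$prio" "$@"
  else
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER $prio $*"
  fi
}

# docker_user_rules WAN SRC DST : emits the rule set in priority order
# (lower priority = closer to the top of the chain).
docker_user_rules() {
  wan=$1; src=$2; dst=$3
  # 0: replies to connections the container opened (e.g. pi-hole's upstream
  #    DNS) arrive on the WAN side with -d container after un-NAT; keep them.
  docker_user_rule 0 -i "$wan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 1: only the trusted source may open connections to the container.
  docker_user_rule 1 -i "$wan" -s "$src" -d "$dst" -j ACCEPT
  # 2: everyone else on the WAN interface is dropped before Docker's own
  #    DOCKER chain (which ACCEPTs the published ports) is reached.
  docker_user_rule 2 -i "$wan" -d "$dst" -j DROP
}

docker_user_rules "$WAN_IF" "$TRUSTED_SRC" "$CONTAINER_IP"

# Activate and verify (only when applying for real).
if [ "${DO_APPLY:-0}" = 1 ]; then
  firewall-cmd --reload
  firewall-cmd --direct --get-all-rules   # should list the three rules
fi
```

Without DO_APPLY=1 the script only prints the rules it would add; run it as root with DO_APPLY=1 to install them, then confirm from an untrusted address that the published ports no longer answer.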