We’ve a multi-container setup in mind and would like to see if you think this is possible. Schematically it looks like this:
Container 1 is an application which can be in network bridge mode, with maybe some ports forwarded.
Container 2 needs network in host mode.
Container 3 will be running ZeroTier to provide external access, and it will have the task of controlling the firewall of the host.
The focus of this question is container 3 and its interaction with the host system. ZeroTier will create an additional network interface. All traffic is allowed to go over this network interface. We will be running this on a NUC which has both WiFi and Ethernet. What we want to do is restrict all inbound and outbound traffic on these two network interfaces to prevent any access to container 2 through these interfaces by using a firewall.
However, we want to have something like a webserver running in container 3 which can be accessed through the WiFi and Ethernet and, behind some password-protected menu, have the option to (temporarily) remove the firewall rules that block inbound and outbound traffic (basically to do onsite maintenance when no internet connection is provided and ZeroTier won’t work).
Questions:
Do you think this solution will work, do you see other solutions?
Will we be able to set this up in Balena?
Do we need to use iptables, as I read in some other posts (it seems to be very old?), for the firewall rules?
Hi, since containers 2 and 3 will be run in host networking mode, they will practically have the same characteristics as applications running on the host OS. You may need to elevate certain privileges as well, either by allowing the whole container to run in privileged mode or, with a higher level of granularity, by adding capabilities such as NET_ADMIN (more recommended).
This is the first time I encounter ZeroTier. I looked at its documentation and googled it for a while, and from what I can tell it will not interfere with NetworkManager, which we use for networking configuration in the host OS. NetworkManager is the most popular network configuration management application for Linux, and distributions like Ubuntu are using it by default. Looking at articles about ZeroTier and Ubuntu, I think you should be all fine.
We have customers that are using their own VPN solution next to our own VPN service that accesses our balena services and you should be fine with such an approach, e.g. using ZeroTier.
For the firewall, iptables is indeed needed. iptables is a utility that provides access to the firewall tables of the kernel. This means that you will be directly modifying the networking rules for filtering inside the kernel.
There are alternative utilities that modify the kernel tables similar to iptables, but they also do the same thing - modify the kernel tables. Apart from reading tutorials, I recommend the iptables flow diagram, which provides a nice visual reference for how everything is related to one another: https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/
It will be good to do some research on common firewall techniques under Linux. For example, one common technique is allowing access to certain ports for certain IP addresses or dynamic hostnames. With the dynamic hostname, let’s say that your maintenance administrator needs to access the device even from a remote location. You may supply him with a dynamic DNS hostname like maintainance-person-01.noip.com. He will run the noip service on his laptop and the noip hostname will always point to his laptop’s external IP, no matter whether he changes networking locations. On the device you may run a script that periodically updates the iptables rules to allow accessing certain services only from the IP address that matches that dynamic hostname of the administrator.
Another common technique is port-knocking, where you need to poke certain ports in a certain order for the firewall rule to be lifted. What is interesting is that those techniques could be combined. I shared those with you since there are lots of smart ways to protect a device, and you may protect your devices well without complex efforts.
Please let us know if you have further questions or if you need additional information.
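The locked-down/unlocked states asked about in the question and the dynamic-hostname refresh described in the answer, put together as an added example (not code from the thread or from balena). Interface names (eth0, wlan0, zt0), the maintenance UI port 8443 and the administrator's service port 22 are assumptions; UDP 9993 is ZeroTier's default transport port.

```shell
#!/bin/sh
# Added example, not code from the thread: emit (or apply) the iptables rules for the
# setup above. Interface names, ports and the hostname are assumptions; UDP 9993 is ZeroTier's default port.
set -eu
PHYS_IFACES="${PHYS_IFACES:-eth0 wlan0}"  # NUC Ethernet + WiFi (assumed names)
ZT_IFACE="${ZT_IFACE:-zt0}"               # ZeroTier overlay interface (assumed name)
MAINT_PORT="${MAINT_PORT:-8443}"          # container 3 maintenance web UI (assumed)
ADMIN_PORT="${ADMIN_PORT:-22}"            # service opened to the administrator (assumed)
ADMIN_HOST="${ADMIN_HOST:-maintainance-person-01.noip.com}"  # dynamic DNS name from the thread

# Locked-down state: default DROP on INPUT/OUTPUT (FORWARD is left to the container engine),
# loopback and the ZeroTier overlay fully open, physical interfaces carry only the
# maintenance UI plus the UDP the ZeroTier daemon needs to reach its peers.
lockdown_rules() {
  echo "iptables -P INPUT DROP"
  echo "iptables -P OUTPUT DROP"
  echo "iptables -F INPUT"
  echo "iptables -F OUTPUT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A OUTPUT -o lo -j ACCEPT"
  echo "iptables -A INPUT -i $ZT_IFACE -j ACCEPT"
  echo "iptables -A OUTPUT -o $ZT_IFACE -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for ifc in $PHYS_IFACES; do
    echo "iptables -A INPUT -i $ifc -p tcp --dport $MAINT_PORT -j ACCEPT"
    echo "iptables -A OUTPUT -o $ifc -p udp --sport 9993 -j ACCEPT"
  done
}

# Maintenance state the password-protected menu switches to: accept everything.
unlock_rules() {
  for chain in INPUT OUTPUT; do
    echo "iptables -P $chain ACCEPT"
    echo "iptables -F $chain"
  done
}

# Rule admitting the administrator's current address. The value is validated so a
# bad DNS answer or a typo cannot smuggle extra arguments into the iptables command.
admin_allow_rule() {
  case "$1" in
    ""|*[!0-9.]*) echo "refusing non-IPv4 value: $1" >&2; return 1 ;;
  esac
  echo "iptables -A INPUT -s $1 -p tcp --dport $ADMIN_PORT -j ACCEPT"
}

# lockdown/unlock from the web UI; refresh from a periodic timer (re-resolves the name).
case "${1:-}" in
  lockdown) lockdown_rules | sh ;;
  unlock)   unlock_rules | sh ;;
  refresh)  admin_allow_rule "$(getent ahostsv4 "$ADMIN_HOST" | awk 'NR == 1 { print $1 }')" | sh ;;
esac
```

The refresh action only appends the new allow rule; a production version would also delete the rule for the previous address once the hostname changes.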