configuring the firewall

I’m trying to enable the firewall feature.

I’ve created an extra container with iptables installed and set the firewall variable to ‘ON’.

  firewall:
    build:
      context: ./container-firewall
      dockerfile: ./Dockerfile.firewall
    network_mode: host
    restart: always
    cap_add:
      - NET_ADMIN

That seems to work, but I need some help with configuring the firewall.

  1. First issue. By default, other containers cannot resolve DNS anymore.

I want to lock down access from the LAN.

  1. The exposed docker ports should only be accessible via the balena public URL endpoints.
  2. I would also like to lock down SSH access via the LAN. It should only work via the balena ssh tunnel (tunnel through tunnel).

any help would be appreciated

Hello @bas, could you please confirm what other services you are running here? Is this an application we have on balenaHub?

Hi Mpous. It’s a custom stack. Various other services, none that use network_mode: host.

This is the output from iptables --list and iptables-legacy --list.

I’m not sure how to proceed with this. Is there any documentation/recommendation on how to modify these? Kind of stuck at the moment…

 firewall  # Warning: iptables-legacy tables present, use iptables-legacy to see them
 firewall  Chain INPUT (policy ACCEPT)
 firewall  target     prot opt source               destination         
 firewall  
 firewall  Chain FORWARD (policy ACCEPT)
 firewall  target     prot opt source               destination         
 firewall  
 firewall  Chain OUTPUT (policy ACCEPT)
 firewall  target     prot opt source               destination         
 firewall  Chain INPUT (policy ACCEPT)
 firewall  target     prot opt source               destination         
 firewall  BALENA-FIREWALL  all  --  anywhere             anywhere            
 firewall  
 firewall  Chain FORWARD (policy DROP)
 firewall  target     prot opt source               destination         
 firewall  DOCKER-USER  all  --  anywhere             anywhere            
 firewall  DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
 firewall  ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
 firewall  DOCKER     all  --  anywhere             anywhere            
 firewall  ACCEPT     all  --  anywhere             anywhere            
 firewall  ACCEPT     all  --  anywhere             anywhere            
 firewall  ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
 firewall  DOCKER     all  --  anywhere             anywhere            
 firewall  ACCEPT     all  --  anywhere             anywhere            
 firewall  ACCEPT     all  --  anywhere             anywhere            
 firewall  ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
 firewall  DOCKER     all  --  anywhere             anywhere            
 firewall  ACCEPT     all  --  anywhere             anywhere            
 firewall  ACCEPT     all  --  anywhere             anywhere            
 firewall  
 firewall  Chain OUTPUT (policy ACCEPT)
 firewall  target     prot opt source               destination         
 firewall  
 firewall  Chain BALENA-FIREWALL (1 references)
 firewall  target     prot opt source               destination         
 firewall  ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
 firewall  ACCEPT     all  --  anywhere             anywhere             ADDRTYPE match src-type LOCAL
 firewall  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:48484
 firewall  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:48484
 firewall  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:48484
 firewall  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:48484
 firewall  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:48484
 firewall  REJECT     tcp  --  anywhere             anywhere             tcp dpt:48484 reject-with icmp-port-unreachable
 firewall  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:22222
 firewall  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2375
 firewall  ACCEPT     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
 firewall  ACCEPT     icmp --  anywhere             anywhere            
 firewall  ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
 firewall  RETURN     all  --  anywhere             anywhere            
 firewall  REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
 firewall  
 firewall  Chain DOCKER (3 references)
 firewall  target     prot opt source               destination         
 firewall  ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:9222
 firewall  ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:5051
 firewall  
 firewall  Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 firewall  target     prot opt source               destination         
 firewall  DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
 firewall  DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
 firewall  DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
 firewall  RETURN     all  --  anywhere             anywhere            
 firewall  
 firewall  Chain DOCKER-ISOLATION-STAGE-2 (3 references)

Seems I’m on my own here. Reading a bit, I found that the following is recommended: RUN update-alternatives --set iptables /usr/sbin/iptables-legacy.

In addition I discovered I can use ufw to enable and configure the firewall. That seems a lot less complicated :wink: so I’ll try that next.

Apologies @bas, I have been busy!

Did you fix your issue? Happy to read your solution!

Let me ask internally as well!

not really. I think this article/solution shows some issues around docker and iptables but I need to dive in.

It would be really appreciated if the balena org could disclose how to work with the firewall in an advised manner. Especially on how to block all incoming traffic except those coming from balena (public device url and ssh tunneling stuff).

Hi @mpous, did you ever get around to asking this internally? I’ve created a script in a container that directly modifies the iptables, but it is a bit iffy. It works, but sometimes after an update the tables get into an incorrect state and stuff stops working. A reboot resets the iptables.

I would love to know what Balena does to the tables exactly. Docker is also known to open up ports for services that expose ports even if you don’t want that.
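An added example, not part of this thread, not balena’s code and not the script the poster describes: one way to do the LAN lockdown from the host-network NET_ADMIN container in the compose snippet above, written so that it survives the post-update reset mentioned in the last post. Everything balena-specific in it comes from the posted iptables-legacy output: the host sshd port 22222 and the chain BALENA-FIREWALL that INPUT jumps to first, the DOCKER-USER chain that FORWARD jumps to first, and the fact that the live rules sit in the legacy tables. The interface names eth0 (LAN), tun0 (balena VPN tunnel, where the public device URL and balena ssh arrive), docker0 (engine bridge), the chain name LAN-LOCKDOWN and the file name lan_lockdown.sh are assumptions and can be overridden from the environment; check them with ip link and iptables-legacy -S before applying.

```shell
#!/bin/sh
# lan_lockdown.sh - added example, not balena's code and not the poster's script.
# Keeps one user chain (LAN-LOCKDOWN) jumped to from INPUT (host services) and
# DOCKER-USER (published container ports), and re-checks that the jump is still
# rule 1, because balena and the engine insert their own jumps at the top of
# those chains and would otherwise evaluate BALENA-FIREWALL / DOCKER before us.
#
# Assumptions (not from the thread), overridable from the environment:
#   LAN_IF=eth0         interface the LAN reaches the device on
#   VPN_IF=tun0         balena VPN tunnel (public URL and balena ssh arrive here)
#   BRIDGE_IF=docker0   engine bridge the other containers sit on
#   IPT=iptables-legacy the posted output shows the live rules in the legacy tables
#
#   lan_lockdown.sh print   show the rules (default; touches nothing)
#   lan_lockdown.sh apply   install the chain and the jumps once
#   lan_lockdown.sh watch   re-apply every 30 s (covers supervisor updates)

set -u

IPT="${IPT:-iptables-legacy}"
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
BRIDGE_IF="${BRIDGE_IF:-docker0}"
HOST_SSH_PORT="${HOST_SSH_PORT:-22222}"   # host sshd port, as listed in BALENA-FIREWALL
CHAIN="LAN-LOCKDOWN"

# One iptables command per line. RETURN hands the packet back to the parent
# chain (BALENA-FIREWALL in INPUT, DOCKER in FORWARD); only traffic that
# enters on the LAN interface is decided here. The two port-53 rules carry
# "--dst-type LOCAL" so they only match in INPUT (container -> host resolver),
# never in FORWARD.
lockdown_rules() {
    printf '%s\n' \
        "$IPT -A $CHAIN -i lo -j RETURN" \
        "$IPT -A $CHAIN -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN" \
        "$IPT -A $CHAIN -i $VPN_IF -j RETURN" \
        "$IPT -A $CHAIN -i $BRIDGE_IF -m addrtype --dst-type LOCAL -p udp --dport 53 -j ACCEPT" \
        "$IPT -A $CHAIN -i $BRIDGE_IF -m addrtype --dst-type LOCAL -p tcp --dport 53 -j ACCEPT" \
        "$IPT -A $CHAIN -i $LAN_IF -p udp --sport 67 --dport 68 -j RETURN" \
        "$IPT -A $CHAIN -i $LAN_IF -m addrtype --dst-type MULTICAST -j RETURN" \
        "$IPT -A $CHAIN -i $LAN_IF -p tcp --dport $HOST_SSH_PORT -j REJECT --reject-with tcp-reset" \
        "$IPT -A $CHAIN -i $LAN_IF -m conntrack --ctstate NEW -j DROP" \
        "$IPT -A $CHAIN -j RETURN"
}

# Make "-j LAN-LOCKDOWN" rule 1 of the parent chain. Re-running this after a
# supervisor update puts it back when BALENA-FIREWALL has been re-inserted
# above it; stale duplicate jumps are removed first.
ensure_first() {
    parent="$1"
    if [ "$($IPT -S "$parent" 1 2>/dev/null)" = "-A $parent -j $CHAIN" ]; then
        return 0
    fi
    while $IPT -D "$parent" -j "$CHAIN" 2>/dev/null; do :; done
    $IPT -I "$parent" 1 -j "$CHAIN"
}

apply_rules() {
    $IPT -N "$CHAIN" 2>/dev/null || true   # create once, then flush and refill
    $IPT -F "$CHAIN"
    lockdown_rules | sh -e
    ensure_first INPUT
    ensure_first DOCKER-USER
}

# 1-based position of the first rule containing the given fixed string; lets
# the ordering be checked without iptables present (e.g. in CI).
rule_index() {
    lockdown_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-print}" in
    print) lockdown_rules ;;
    apply) apply_rules ;;
    watch) while :; do apply_rules; sleep 30; done ;;
    *) echo "usage: $0 [print|apply|watch]" >&2; exit 2 ;;
esac
```

Run it as the firewall container’s command in watch mode, or from a loop of your own. Two things to keep in mind: the posted BALENA-FIREWALL chain accepts DNS only as udp dpt:domain and ends in REJECT, so the two port-53 ACCEPTs above also cover the TCP fallback from bridge containers, but whether that is the cause of the DNS failure reported in the first post is not established by this thread; and once every NEW connection from eth0 is dropped, anything that relies on LAN access to the host (local mode, port 22222 from the LAN, 48484 from the LAN) stops working by design, so confirm balena ssh through the tunnel still works before walking away from the device. To verify, iptables-legacy -S INPUT 1 and iptables-legacy -S DOCKER-USER 1 should both print the jump to LAN-LOCKDOWN, a connection from a LAN machine to port 22222 should be reset immediately, and a published container port should answer through the public device URL but not from the LAN.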