bas
February 13, 2024, 2:38pm
1
I’m trying to enable the firewall feature.
I’ve created an extra container with iptables installed and set the firewall variable to ‘ON’.

```yaml
firewall:
  build:
    context: ./container-firewall
    dockerfile: ./Dockerfile.firewall
  network_mode: host
  restart: always
  cap_add:
    - NET_ADMIN
```
That seems to work, but I need some help with configuring the firewall.
First issue. By default, other containers cannot resolve DNS anymore.
I want to lock down access from the LAN.
The exposed docker ports should only be accessible via the balena public URL endpoints.
I would also like to lock down SSH access via LAN. It should only work via the balena ssh tunnel (tunnel through tunnel).
Any help would be appreciated.
mpous
February 13, 2024, 3:05pm
2
Hello @bas, could you please confirm what other services you are running here? Is this an application we have on balenaHub?
bas
February 13, 2024, 5:07pm
3
Hi Mpous. It’s a custom stack. Various other services, none that use network_mode: host.
bas
February 14, 2024, 4:29pm
4
This is the output from iptables --list and iptables-legacy --list.
I’m not sure how to proceed with this. Is there any documentation/recommendation on how to modify these? Kind of stuck at the moment…
```
firewall # Warning: iptables-legacy tables present, use iptables-legacy to see them
firewall Chain INPUT (policy ACCEPT)
firewall target prot opt source destination
firewall
firewall Chain FORWARD (policy ACCEPT)
firewall target prot opt source destination
firewall
firewall Chain OUTPUT (policy ACCEPT)
firewall target prot opt source destination
firewall Chain INPUT (policy ACCEPT)
firewall target prot opt source destination
firewall BALENA-FIREWALL all -- anywhere anywhere
firewall
firewall Chain FORWARD (policy DROP)
firewall target prot opt source destination
firewall DOCKER-USER all -- anywhere anywhere
firewall DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
firewall ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
firewall DOCKER all -- anywhere anywhere
firewall ACCEPT all -- anywhere anywhere
firewall ACCEPT all -- anywhere anywhere
firewall ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
firewall DOCKER all -- anywhere anywhere
firewall ACCEPT all -- anywhere anywhere
firewall ACCEPT all -- anywhere anywhere
firewall ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
firewall DOCKER all -- anywhere anywhere
firewall ACCEPT all -- anywhere anywhere
firewall ACCEPT all -- anywhere anywhere
firewall
firewall Chain OUTPUT (policy ACCEPT)
firewall target prot opt source destination
firewall
firewall Chain BALENA-FIREWALL (1 references)
firewall target prot opt source destination
firewall ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
firewall ACCEPT all -- anywhere anywhere ADDRTYPE match src-type LOCAL
firewall ACCEPT tcp -- anywhere anywhere tcp dpt:48484
firewall ACCEPT tcp -- anywhere anywhere tcp dpt:48484
firewall ACCEPT tcp -- anywhere anywhere tcp dpt:48484
firewall ACCEPT tcp -- anywhere anywhere tcp dpt:48484
firewall ACCEPT tcp -- anywhere anywhere tcp dpt:48484
firewall REJECT tcp -- anywhere anywhere tcp dpt:48484 reject-with icmp-port-unreachable
firewall ACCEPT tcp -- anywhere anywhere tcp dpt:22222
firewall ACCEPT tcp -- anywhere anywhere tcp dpt:2375
firewall ACCEPT all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
firewall ACCEPT icmp -- anywhere anywhere
firewall ACCEPT udp -- anywhere anywhere udp dpt:domain
firewall RETURN all -- anywhere anywhere
firewall REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
firewall
firewall Chain DOCKER (3 references)
firewall target prot opt source destination
firewall ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9222
firewall ACCEPT tcp -- anywhere 172.17.0.4 tcp dpt:5051
firewall
firewall Chain DOCKER-ISOLATION-STAGE-1 (1 references)
firewall target prot opt source destination
firewall DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
firewall DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
firewall DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
firewall RETURN all -- anywhere anywhere
firewall
firewall Chain DOCKER-ISOLATION-STAGE-2 (3 references)
```
bas
February 19, 2024, 10:51am
5
Seems I’m on my own here. Reading a bit, I found that the following is recommended: RUN update-alternatives --set iptables /usr/sbin/iptables-legacy.
In addition I discovered I can use ufw to enable and configure the firewall. That seems a lot less complicated so I’ll try that next.
mpous
February 20, 2024, 5:08pm
6
Apologies @bas, I have been busy!
Did you fix your issue? Happy to read your solution!
Let me ask internally as well!
bas
February 24, 2024, 1:32pm
7
Not really. I think this article/solution shows some issues around docker and iptables, but I need to dive in.
It would be really appreciated if the balena org could disclose how to work with the firewall in an advised manner. Especially on how to block all incoming traffic except those coming from balena (public device url and ssh tunneling stuff).
bas
August 29, 2024, 7:48pm
8
Hi @mpous, did you ever get around to asking this internally? I’ve created a script in a container that directly modifies the iptables, but it is a bit iffy. It works, but sometimes after an update the tables get into an incorrect state and stuff stops working. A reboot resets the iptables.
I would love to know what Balena does to the tables exactly. Docker is also known to open up ports for services that expose ports even if you don’t want that.
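As an added example (not from this thread or from balena), a small Python audit script that parses the `iptables --list` output posted in post 4 above and lists every ACCEPT rule with no source restriction, so the ports Docker published on behalf of containers (the DOCKER chain) and the ports balena's own BALENA-FIREWALL chain opens are easy to spot before and after an update. The trimmed sample, the "firewall" log-prefix handling and the function names are constructed here.

```python
import re
# Constructed sample: a trimmed copy of the `iptables --list` output from
# post 4 above, including the "firewall" log prefix the container adds.
SAMPLE = """\
firewall Chain BALENA-FIREWALL (1 references)
firewall target prot opt source destination
firewall ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
firewall ACCEPT tcp -- anywhere anywhere tcp dpt:48484
firewall ACCEPT udp -- anywhere anywhere udp dpt:domain
firewall RETURN all -- anywhere anywhere
firewall REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
firewall
firewall Chain DOCKER (3 references)
firewall target prot opt source destination
firewall ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9222
firewall ACCEPT tcp -- anywhere 172.17.0.4 tcp dpt:5051
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \(")
PORT_RE = re.compile(r"\b(tcp|udp) dpt:(\S+)")


def parse_chains(text, prefix="firewall "):
    """Return {chain: [rule dicts]} parsed from `iptables --list` output."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw[len(prefix):] if raw.startswith(prefix) else raw
        m = CHAIN_RE.match(line.strip())
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split()
        # skip blank lines, the column header, and anything before a chain
        if current is None or len(parts) < 5 or parts[0] == "target":
            continue
        chains[current].append({"target": parts[0], "prot": parts[1],
                                "src": parts[3], "dst": parts[4],
                                "extra": " ".join(parts[5:])})
    return chains


def open_to_anywhere(chains):
    """(chain, proto, port, dst) for every ACCEPT with an unrestricted source.
    Entries under DOCKER are ports Docker published on a container's behalf."""
    found = []
    for chain, rules in chains.items():
        for r in rules:
            m = PORT_RE.search(r["extra"])
            if r["target"] == "ACCEPT" and r["src"] == "anywhere" and m:
                found.append((chain, m.group(1), m.group(2), r["dst"]))
    return found
```

Feed it the real output of `iptables --list` (and `iptables-legacy --list`) from the firewall container and compare the result after each update to see whether the rule set drifted.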