Firewall Rules for Docker Containers?
I tried searching around, but couldn't find anything that really matched what I was looking for. If this has already been answered, please just point me there.

 

I have created a custom docker network for my SWAG container: proxynetwork (172.18.0.0/24)

 

I have 3 containers on the proxynetwork:

1. SWAG

2. Service 1 

3. Service 2

 

Service 1 and Service 2 are reverse proxied by SWAG, which is mapped to port 1443 on my unRAID server's LAN IP address, and port 443 is port forwarded to SWAG via the unRAID LAN IP.


What bothers me is if I SSH into any of the 3 containers on my proxynetwork I can access any other LAN resource. I'd like to firewall off those containers from accessing any LAN resource. Basically make a DMZ of sorts. 

 

Due to how unRAID NATs the container network (proxynetwork) to the LAN subnet unRAID sits on (bridge mode), I am unsure I can make firewall rules at my router. Not to mention I'd prefer to lock it down inside unRAID if possible. I am looking in unRAID network settings and see the routing table, but no place to add firewall rules/iptables.

 

My only other thought is to create a DMZ VLAN, make unRAID VLAN aware and then put those containers in that VLAN somehow. I am not exactly sure of the process or if that will even achieve my goal.

 

Thanks.
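An added example, not code from the thread or from unRAID/SWAG: Docker's iptables setup sends every forwarded packet through a user-owned chain named DOCKER-USER before its own ACCEPT rules, so a DMZ-style policy for one custom bridge can be expressed there on the host itself. The script below assumes an unRAID (Linux) host with iptables and the docker CLI, a user-defined network named proxynetwork on 172.18.0.0/24 as in the post, and treats the three RFC1918 blocks as "the LAN"; the bridge interface name is derived from the Docker network id, which is how Docker names user-defined bridges. Run it as root with DMZ_APPLY=1 to apply; without that it only defines the functions so the rule list can be reviewed first.

```shell
#!/bin/sh
# Added example: block containers on one Docker bridge from reaching private
# address space, while keeping reverse-proxy traffic and container-to-container
# traffic working. Assumed environment: unRAID host with iptables + docker CLI,
# Docker network "proxynetwork" = 172.18.0.0/24 (from the post above).

PROXY_NET="${PROXY_NET:-172.18.0.0/24}"
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Docker names the Linux bridge of a user-defined network "br-" + the first
# 12 hex characters of the network id (e.g. br-0123456789ab).
bridge_for_network() {
    id=$(docker network inspect -f '{{.Id}}' "$1") || return 1
    printf 'br-%s\n' "$(printf '%s' "$id" | cut -c1-12)"
}

# Emit the rules, one iptables command per line, without applying them.
# Order matters: DOCKER-USER is walked top to bottom, and the FORWARD chain
# jumps into it before any of Docker's own rules are evaluated.
dmz_rules() {
    br="$1"; net="$2"
    # Start from an empty chain (Docker only pre-populates it with RETURN).
    echo "iptables -F DOCKER-USER"
    # 1. Replies to connections the LAN/internet opened towards the bridge
    #    (HTTPS hitting SWAG on the published port) must keep flowing.
    echo "iptables -A DOCKER-USER -i $br -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    # 2. Traffic between containers on the same bridge (SWAG -> Service 1/2)
    #    stays allowed. This must come before the DROP rules, because
    #    172.16.0.0/12 also covers the bridge's own 172.18.0.0/24 subnet.
    echo "iptables -A DOCKER-USER -i $br -s $net -d $net -j RETURN"
    # 3. Anything else leaving the bridge for private address space is
    #    rate-limited logged, then dropped.
    for cidr in $RFC1918; do
        echo "iptables -A DOCKER-USER -i $br -d $cidr -m limit --limit 5/min -j LOG --log-prefix 'DOCKER-DMZ: ' --log-level 4"
        echo "iptables -A DOCKER-USER -i $br -d $cidr -j DROP"
    done
    # 4. Everything else (public internet) falls through to Docker's rules.
    echo "iptables -A DOCKER-USER -j RETURN"
}

# Resolve the bridge for a named network and apply the generated rules.
apply_dmz_rules() {
    br=$(bridge_for_network "$1") || { echo "unknown docker network: $1" >&2; return 1; }
    dmz_rules "$br" "$2" | sh -e
}

# Verify after applying (run on the host):
#   iptables -L DOCKER-USER -v -n --line-numbers
# and from inside a container on the bridge a LAN host should now be
# unreachable while the internet still works:
#   docker exec swag curl -m 3 http://192.168.1.10/   (assumed LAN address)
#   docker exec swag curl -m 3 https://example.com/

if [ "${DMZ_APPLY:-0}" = 1 ]; then
    apply_dmz_rules proxynetwork "$PROXY_NET"
fi
```

Two caveats a practitioner would want: DOCKER-USER only sees forwarded traffic, so packets from a container to the unRAID host's own IP hit the INPUT chain instead and are not covered by these rules, and unRAID runs from RAM, so iptables rules added this way are gone after a reboot and have to be re-applied at boot (for instance from the go file or a user script; assumed, not from the thread). Matching on the bridge interface rather than on source addresses means the rules keep working if Docker hands out different container IPs after a restart.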

11 hours ago, ati said:

I'd like to firewall off those containers from accessing any LAN resource. Basically make a DMZ of sorts. 

 

[...]

 

My only other thought is to create a DMZ VLAN, make unRAID VLAN aware and then put those containers in that VLAN somehow. I am not exactly sure of the process or if that will even achieve my goal.

...using VLANs (and hence using custom bridge networking for Dockers (brX.YY) on that/these VLANs) is the right (and only) way to achieve what you want.

By enabling VLANs on unRaid, the traffic on different (V)LANs will be kept separated in the routing table of the unraid host.

Hence you need a VLAN aware Switch and VLAN capable Router to achieve inter-VLAN communications afterwards (as all traffic between (V)LANs will have to pass through that Router and its firewall).

If you want to have/limit that feature on your unraid host only, you could think of just deploying a Router VM (pfsense/opnsense/openwrt/mikrotik CHR) for that purpose.

But I'd recommend doing it all the way in hardware... especially MikroTik routers are very capable and come at a cost much less than a dedicated x86 box for pfsense/opnsense.

I am actually using VLANs and this as a router: https://mikrotik.com/product/rb4011igs_rm

One benefit of this is that these router solutions can save you from deploying some Dockers, as these come with VPN capabilities, including WireGuard built in.

Also a dedicated router will save you from trouble, should your unraid rig go under maintenance... your friends and family won't be amused when some essential services drop ;-)


I'm thinking of something very similar, so I'm curious to hear the route you ended up going.

I have a related question: even if we do set up the docker in its own VLAN, if it's still accessing shares on the unRAID host (/mnt/user/appdata for example), the container would still have some sort of access to the host system, correct? Unless I'm misunderstanding how it would work...
