Configuring firewalld for Docker Containers on Raspberry Pi (Nextcloud Example)

Introduction

Using Docker on Raspberry Pi is a powerful way to self-host services like Nextcloud. To keep the host secure, use firewalld to control which ports are exposed and which subnets are allowed to reach them.

This tutorial walks you through setting up firewalld to work with Docker on a Raspberry Pi.

Prerequisites

  • Raspberry Pi with Docker installed
  • firewalld installed and running
  • sudo access

Step 1: Restore Port Access (Example: Nextcloud)

If your Nextcloud service is unreachable, make sure the port it is published on (8181/tcp in this example) is open in the public zone:

sudo firewall-cmd --permanent --zone=public --add-port=8181/tcp
sudo firewall-cmd --reload

Step 2: Create a Docker Zone and Assign Interface

Create a dedicated zone and assign Docker’s bridge interface (docker0) to it, so container traffic is handled separately from the internet-facing public zone:

sudo firewall-cmd --permanent --new-zone=docker
sudo firewall-cmd --permanent --zone=docker --add-interface=docker0

Step 3: Allow Internal Container Communication

Add the Docker network’s subnet as a source for the zone and open only the ports the containers need (e.g., 3306/tcp for Nextcloud’s MySQL database):

sudo firewall-cmd --permanent --zone=docker --add-source=172.18.0.0/24
sudo firewall-cmd --permanent --zone=docker --add-port=3306/tcp
sudo firewall-cmd --reload

Step 4: Verify Configuration

Check active zones and their interfaces:

sudo firewall-cmd --get-active-zones

Expected output:

docker
  interfaces: docker0
  sources: 172.18.0.0/24
public
  interfaces: eth0
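The four steps above can be wrapped in one helper so the rules are derived from the network Docker actually created and the result is checked afterwards. The script below is an added example, not part of the original tutorial: it reads the subnet from `docker network inspect` (Docker commonly allocates a /16 to user-defined networks, so the prefix is worth checking rather than typing in), prints the firewall-cmd lines for review, skips zone creation on re-runs, and parses `firewall-cmd --get-active-zones` to confirm the docker zone owns docker0 and the subnet. The network name nextcloud_default, the ZONE/IFACE/DB_PORT/WEB_PORT defaults and both sample inputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Derives the Docker subnet,
# emits the tutorial's firewalld commands for it, and verifies the zone layout.
# The variable defaults and the sample inputs below are assumptions.
set -eu

ZONE="${ZONE:-docker}"        # firewalld zone for container traffic
IFACE="${IFACE:-docker0}"     # Docker bridge interface
DB_PORT="${DB_PORT:-3306}"    # MySQL port used by Nextcloud
WEB_PORT="${WEB_PORT:-8181}"  # port Nextcloud is published on

# Pull the first IPv4 "Subnet" value out of `docker network inspect` JSON (stdin),
# so --add-source matches the prefix Docker allocated rather than a guessed one.
docker_subnet_from_json() {
    sed -n 's/.*"Subnet": *"\([0-9.]*\/[0-9]*\)".*/\1/p' | head -n 1
}

# Print the firewall-cmd lines from the tutorial for the given subnet.
# Nothing is executed here, so the list can be reviewed before applying.
firewalld_commands() {
    subnet="$1"
    printf '%s\n' \
      "firewall-cmd --permanent --zone=public --add-port=${WEB_PORT}/tcp" \
      "firewall-cmd --permanent --new-zone=${ZONE}" \
      "firewall-cmd --permanent --zone=${ZONE} --add-interface=${IFACE}" \
      "firewall-cmd --permanent --zone=${ZONE} --add-source=${subnet}" \
      "firewall-cmd --permanent --zone=${ZONE} --add-port=${DB_PORT}/tcp" \
      "firewall-cmd --reload"
}

# Run the commands via sudo. --new-zone fails if the zone already exists,
# so it is skipped when the zone is present; this keeps re-runs idempotent.
apply_rules() {
    firewalld_commands "$1" | while IFS= read -r cmd; do
        case "$cmd" in *--new-zone=*)
            sudo firewall-cmd --permanent --get-zones | tr ' ' '\n' \
                | grep -qx "$ZONE" && continue ;;
        esac
        sudo $cmd
    done
}

# Check `firewall-cmd --get-active-zones` output (stdin): the docker zone must
# list the bridge interface and the subnet. Exit 0 if both are present, else 1.
check_active_zones() {
    awk -v zone="$ZONE" -v iface="$IFACE" -v subnet="$1" '
        /^[^ ]/ { cur = $1; next }                 # unindented line = zone name
        cur == zone && $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == iface)  ok_if  = 1 }
        cur == zone && $1 == "sources:"    { for (i = 2; i <= NF; i++) if ($i == subnet) ok_src = 1 }
        END { exit ((ok_if && ok_src) ? 0 : 1) }'
}

# Constructed sample data (not captured from a real Pi): a trimmed
# `docker network inspect` fragment and the zone listing the tutorial expects.
SAMPLE_INSPECT='[{"Name": "nextcloud_default", "IPAM": {"Config": [{"Subnet": "172.18.0.0/24", "Gateway": "172.18.0.1"}]}}]'
SAMPLE_ZONES='docker
  interfaces: docker0
  sources: 172.18.0.0/24
public
  interfaces: eth0'

# Dry run against the samples by default; APPLY=1 on the Pi applies the rules
# for real and then checks the live zone listing.
if [ "${APPLY:-0}" = "1" ] && command -v firewall-cmd >/dev/null 2>&1; then
    net="${DOCKER_NETWORK:-nextcloud_default}"   # assumed compose network name
    subnet="$(docker network inspect "$net" | docker_subnet_from_json)"
    apply_rules "$subnet"
    sudo firewall-cmd --get-active-zones | check_active_zones "$subnet" \
        && echo "zone ${ZONE} OK for ${subnet}"
else
    subnet="$(printf '%s\n' "$SAMPLE_INSPECT" | docker_subnet_from_json)"
    echo "Would run for subnet ${subnet}:"
    firewalld_commands "$subnet"
    printf '%s\n' "$SAMPLE_ZONES" | check_active_zones "$subnet" && echo "sample zone listing OK"
fi
```

Run it once without APPLY to see the exact commands it would issue, then with `APPLY=1 DOCKER_NETWORK=<your network> sh fw-docker.sh` on the Pi. If the final check fails, compare `docker network inspect` with the sources line in `firewall-cmd --get-active-zones`: a mismatched prefix is the usual cause.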

Summary

You’ve now secured Docker container traffic on Raspberry Pi using firewalld. Key benefits:

  • Clear separation between internet-facing and internal traffic
  • Better control over which ports are open
  • Flexible zone-based management

Regularly review and adjust firewall rules as your setup evolves.