Integrating Docker with firewalld for System-wide Firewall Control

Introduction

Docker has revolutionized application deployment by encapsulating services in containers. However, it manages iptables rules directly, which can conflict with tools like firewalld that are used for more centralized firewall management.

In this guide, we’ll walk through how to disable Docker’s built-in iptables manipulation and instead configure firewalld to manage container network traffic for better control and security.

Step 1: Disable Docker’s Iptables Management

Docker automatically inserts its own iptables rules, which can interfere with firewalld. To prevent this:

Edit or create /etc/docker/daemon.json (JSON does not allow comments, so the file contains only the object below; if the file already exists, add the key to the existing object):

{
  "iptables": false
}

Restart Docker:

sudo systemctl restart docker

Docker will now stop inserting its own firewall rules. Be aware that this also removes the NAT and forwarding rules Docker normally creates by itself (for example, the masquerading that lets containers reach the outside), so container connectivity now depends entirely on the firewalld rules you add in Step 2.

Step 2: Configure firewalld for Docker Traffic

You must now create the necessary rules in firewalld.

Example: allow HTTP traffic in the public zone

sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --reload

Optional: Create a dedicated zone for Docker traffic

You can assign docker0 or other bridge interfaces to a new zone, then reload so the permanent changes take effect:

sudo firewall-cmd --permanent --new-zone=docker
sudo firewall-cmd --permanent --zone=docker --add-interface=docker0
sudo firewall-cmd --reload
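The following script is an added example, not part of the original guide or of Docker or firewalld, that wraps the zone setup from Steps 1 and 2 into an idempotent form. It assumes the bridge is docker0, that the host's egress interface sits in the public zone (where masquerading must be enabled so containers can still reach the outside once Docker's own NAT rules are gone), and that DRY_RUN=1 prints the firewall-cmd invocations instead of executing them, so the plan can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not the guide's own code). Run as root, or set DRY_RUN=1 to
# print the firewall-cmd commands without touching the firewall.
ZONE="${ZONE:-docker}"             # assumption: dedicated zone name
BRIDGE="${BRIDGE:-docker0}"        # assumption: Docker's default bridge
EGRESS_ZONE="${EGRESS_ZONE:-public}"  # assumption: zone of the host's uplink
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# --new-zone fails if the zone already exists, so check the permanent
# configuration first; in dry-run mode pretend the zone is absent.
zone_exists() {
    if [ "$DRY_RUN" = "1" ]; then return 1; fi
    firewall-cmd --permanent --get-zones | tr ' ' '\n' | grep -qx "$1"
}

# Create the zone, bind the bridge to it, enable masquerading on the egress
# zone (replacing Docker's own MASQUERADE rule) and reload.
configure_docker_zone() {
    zone_exists "$ZONE" || run firewall-cmd --permanent --new-zone="$ZONE"
    run firewall-cmd --permanent --zone="$ZONE" --add-interface="$BRIDGE"
    run firewall-cmd --permanent --zone="$EGRESS_ZONE" --add-masquerade
    run firewall-cmd --reload
}

# Publish a container port the firewalld way: DNAT on the egress zone.
# Usage: publish_port <host_port> <tcp|udp> <container_ip> <container_port>
publish_port() {
    host_port="$1"; proto="$2"; cip="$3"; cport="$4"
    run firewall-cmd --permanent --zone="$EGRESS_ZONE" \
        --add-forward-port="port=${host_port}:proto=${proto}:toport=${cport}:toaddr=${cip}"
    run firewall-cmd --reload
}

if [ "${1:-}" = "apply" ]; then
    configure_docker_zone
fi
```

Review the DRY_RUN=1 output first, then apply it; a forward-port with toaddr only works when masquerading is enabled on that zone, which is why configure_docker_zone turns it on before any port is published.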

Step 3: Monitor with dmesg

firewalld logs rejected packets to the kernel ring buffer once its LogDenied setting is enabled (it is off by default). Use dmesg to watch for REJECT entries, which indicate traffic that firewalld blocked:

sudo dmesg -T -w | grep -i REJECT

Sample output:

[Tue Oct 31 18:43:42 2023] filter_FWD_FedoraServer_REJECT: IN=br-... SRC=172.18.0.4 DST=172.18.0.2 ...
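Watching the raw stream is fine for a quick check, but during triage you usually want the rejects grouped by chain, source, destination and port. The shell functions below are an added example, not part of the original guide; they parse log lines in the format shown above and run here against a constructed sample log (the addresses and ports in it are made up, not real observations).

```shell
#!/bin/sh
# Added example (not the guide's own code): summarise firewalld REJECT
# entries from dmesg output. SAMPLE_LOG is constructed test input.
SAMPLE_LOG='[Tue Oct 31 18:43:42 2023] filter_FWD_FedoraServer_REJECT: IN=br-1a2b3c OUT=br-1a2b3c SRC=172.18.0.4 DST=172.18.0.2 LEN=60 TTL=64 DF PROTO=TCP SPT=45678 DPT=5432 SYN
[Tue Oct 31 18:43:43 2023] filter_FWD_FedoraServer_REJECT: IN=br-1a2b3c OUT=br-1a2b3c SRC=172.18.0.4 DST=172.18.0.2 LEN=60 TTL=64 DF PROTO=TCP SPT=45679 DPT=5432 SYN
[Tue Oct 31 18:43:44 2023] filter_IN_public_REJECT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51000 DPT=22 SYN
[Tue Oct 31 18:43:45 2023] filter_FWD_docker_REJECT: IN=docker0 OUT=eth0 SRC=172.17.0.3 DST=198.51.100.7 LEN=71 TTL=63 PROTO=UDP SPT=53123 DPT=53
[Tue Oct 31 18:43:46 2023] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex'

# Read dmesg lines on stdin; print "chain src dst proto dpt" for each REJECT.
# Lines without a *_REJECT: token (other kernel messages) are ignored.
parse_rejects() {
    awk '/_REJECT:/ {
        chain = ""; src = "-"; dst = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /_REJECT:$/)      chain = substr($i, 1, length($i) - 1)
            else if ($i ~ /^SRC=/)     src   = substr($i, 5)
            else if ($i ~ /^DST=/)     dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/)   proto = substr($i, 7)
            else if ($i ~ /^DPT=/)     dpt   = substr($i, 5)
        }
        print chain, src, dst, proto, dpt
    }'
}

# Count identical (chain, src, dst, proto, dpt) tuples, most frequent first.
summarize_rejects() {
    parse_rejects | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# Only forwarded traffic, i.e. container-to-container or container-to-outside
# packets that firewalld refused to pass between or out of bridge interfaces.
forward_rejects() {
    parse_rejects | awk '$1 ~ /^filter_FWD_/'
}

# Total number of REJECT entries on stdin.
count_rejects() {
    parse_rejects | wc -l | tr -d ' '
}

# Stand-alone run: summarise the constructed sample. On a real host, feed it
# live data instead:  sudo dmesg -T | summarize_rejects
printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
```

A repeated FWD reject between two bridge addresses on the same port, as in the first summary line, usually means two containers on one network are trying to talk and the zone holding that bridge lacks an allow rule for the service; a reject on an IN_public chain is ordinary unsolicited inbound traffic and is not a Docker problem at all.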

Summary

By disabling Docker’s iptables and managing traffic through firewalld, you:

Avoid conflicts between Docker and other firewall tools

Gain centralized control over ports and services

Improve visibility and auditing using system logs

Always test firewall changes carefully and back up configurations.