Integrating Docker with Firewalld: Managing Firewall Rules Without Iptables
Introduction
Docker has revolutionized the deployment of applications by encapsulating them in containers, fostering both isolation and scalability. By default, Docker interacts directly with iptables to configure networking settings for containers. However, this can create challenges when other firewall management tools like firewalld are in play. Firewalld is a dynamic firewall manager that handles network traffic using zones and services for a more granular control. For system administrators and network engineers, having a cohesive strategy for firewall management is crucial. This article guides you through the process of disabling Docker’s default iptables management and setting up firewall rules using firewalld for a more integrated and controlled network environment.
Disabling Docker’s Iptables Management
When Docker is set up, it automatically configures iptables rules to expose container ports and facilitate inter-container communication. However, this behavior can interfere with the existing firewall policies managed by firewalld, leading to potential security gaps or conflicting rules. To foster a more harmonious relationship between Docker and the system’s firewall, disabling Docker’s automatic iptables configuration is an essential step.
Step 1: Configure the Docker Daemon
To prevent Docker from modifying iptables automatically, you need to adjust the Docker daemon’s configuration. This involves editing or creating the JSON configuration file at /etc/docker/daemon.json to include the setting "iptables": false.
{
"iptables": false
}
After updating the Docker configuration file, restart Docker to apply the changes:
$ sudo systemctl restart docker
With Docker restarted, it will no longer manage iptables rules. Now it’s time to configure firewalld to handle network traffic for Docker.
Configuring Firewalld for Docker
To ensure that firewalld and Docker work together without iptables intervention, follow these steps:
Step 2: Define Firewalld Rules
Create custom firewalld rules to manage the network traffic of your Docker containers. This might involve adding specific ports or services to your firewalld zones. Keep in mind that with "iptables": false Docker also stops creating the NAT (masquerade) and port-forwarding rules it would normally add for published ports and outbound container traffic, so those must now be provided by firewalld as well (for example by enabling masquerading on the zone that contains the Docker bridge interface).
For example, to add an HTTP service to the public zone, you would use:
$ sudo firewall-cmd --zone=public --add-service=http --permanent
Step 3: Reload Firewalld
Apply the new settings by reloading firewalld:
$ sudo firewall-cmd --reload
Monitoring with dmesg
Monitoring system logs can provide insights into how the system is handling the new firewall setup, especially after integrating Docker with firewalld. The dmesg command is useful for checking kernel logs.
To check for relevant logs, use:
$ sudo dmesg -T -w | grep -i REJECT
Here are some sample log entries that might indicate communication blocks between containers:
[Tue Oct 31 18:43:42 2023] filter_FWD_FedoraServer_REJECT: IN=br-e892c149b2fa OUT=... SRC=172.18.0.4 DST=172.18.0.2 LEN=60 TOS=0x00 TTL=64 PROTO=TCP SPT=33160 DPT=3306 ...
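To make such REJECT entries easier to act on, here is an added example (not from the original article) that condenses dmesg output into the distinct rejected flows, grouped by bridge interface, endpoints and destination port; the log lines in it are constructed samples in the format shown above, and the firewalld log prefix is assumed to be the one seen there.

```shell
#!/bin/sh
# Added example, not part of the original article: summarize the firewalld
# REJECT entries that `dmesg -T` prints for Docker bridge traffic, so the
# bridge (IN=br-...), endpoints and destination port being dropped are visible
# at a glance. The log lines below are constructed samples in the format the
# article shows; `filter_FWD_FedoraServer_REJECT` is firewalld's log prefix.

SAMPLE_LOG='[Tue Oct 31 18:43:42 2023] filter_FWD_FedoraServer_REJECT: IN=br-e892c149b2fa OUT=br-e892c149b2fa SRC=172.18.0.4 DST=172.18.0.2 LEN=60 TOS=0x00 TTL=64 PROTO=TCP SPT=33160 DPT=3306
[Tue Oct 31 18:43:43 2023] filter_FWD_FedoraServer_REJECT: IN=br-e892c149b2fa OUT=br-e892c149b2fa SRC=172.18.0.4 DST=172.18.0.2 LEN=60 TOS=0x00 TTL=64 PROTO=TCP SPT=33162 DPT=3306
[Tue Oct 31 18:43:44 2023] filter_FWD_FedoraServer_REJECT: IN=br-e892c149b2fa OUT=eth0 SRC=172.18.0.3 DST=203.0.113.10 LEN=60 TOS=0x00 TTL=64 PROTO=TCP SPT=40000 DPT=443
[Tue Oct 31 18:43:45 2023] docker0: port 1(veth1a2b3c) entered forwarding state'

# Read dmesg-style lines on stdin; print "<count> <in> -> <out> <src> -> <dst> <proto>/<dport>"
# for every distinct flow that firewalld rejected, most frequent first.
summarize_rejects() {
    grep -i 'REJECT' | awk '{
        in_if = ""; out_if = ""; src = ""; dst = ""; proto = ""; dpt = ""
        # Netfilter log fields are KEY=VALUE tokens; pick out the ones we need.
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if (kv[1] == "IN") in_if = kv[2]
            else if (kv[1] == "OUT") out_if = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        # Skip entries without a destination port (e.g. ICMP or truncated lines).
        if (dpt != "") count[in_if " -> " out_if " " src " -> " dst " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Stand-alone run over the constructed sample; with real logs use:
#   sudo dmesg -T | summarize_rejects
printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
```

A repeated container-to-container flow at the top of the list (here 172.18.0.4 to 172.18.0.2 on TCP/3306 over the same bridge) points at traffic that Docker used to allow through its own FORWARD rules and that firewalld must now permit explicitly.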
The dmesg pipeline above filters the kernel log for REJECT entries, that is, connections blocked by firewalld, which helps identify kernel-level blocks that arise from the Docker and firewalld configuration.
Summary
By disabling iptables management in Docker and configuring firewalld to manage the container’s network traffic, you create a more secure and streamlined environment. This setup provides better control over port exposure and service access, ensuring that Docker containers fit neatly into your system’s security framework. Regular monitoring with dmesg can help catch any underlying issues early, maintaining the integrity of your containerized applications.
Remember, these changes require careful planning and testing to ensure they fit into your network’s requirements and your specific Docker setup. Always back up your current firewall rules before making significant changes.