Had hard times with firewalld and Docker #3433
sneko started this conversation in Improvements
Replies: 1 comment
Just to add that at the end I stopped using |
Hi,

I wanted to rely on `firewalld` instead of directly on `iptables` (so I disabled it from Docker). No egress traffic was going out of Docker for whatever reason. On my VPS I did all my tests with:

```shell
docker run --rm curlimages/curl https://curl.se/
```

The only thing that made it work was:

```shell
sudo firewall-cmd --permanent --zone=docker --add-interface=docker0
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address=172.17.0.0/16 masquerade'
sudo firewall-cmd --reload
```

But I struggled to understand why all my containers managed by Coolify didn't benefit from this fix. In fact all Coolify containers are in a dedicated network (that is not the `bridge` network, the default from Docker). And it uses a random interface `br-xxxx` that you can find with `ip link show`. It has some differences over the `docker0` interface used by `bridge` (information like IP range can be found by using `docker network inspect bridge` and `docker network inspect coolify`). So the solution was to do the same for the other interface:

```shell
sudo firewall-cmd --permanent --zone=docker --add-interface=br-xxxxxx
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address=172.18.0.0/16 masquerade'
sudo firewall-cmd --reload
```

And it's working! I could verify it with:

```shell
docker run --rm --network coolify curlimages/curl https://curl.se/
```

I post this for the record because I lost a few hours struggling with this. I don't know if you, @andrasbacsai, are more expert with `firewalld`, but maybe having your thoughts, or an example of how to do it better, would help? Maybe Coolify could have a fixed interface name so it's easy by default to preconfigure the server?

PS: I posted on https://forums.docker.com/t/docker-and-firewalld-could-not-resolve-host-from-my-containers/143762 but the bot hid my reply with context and some step-by-step solution.
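A small POSIX shell helper, added here and not part of the original post or of Coolify, that derives the `br-xxxx` interface name and subnet of a named Docker network via `docker network inspect` and prints the three `firewall-cmd` calls from the post, so the interface does not have to be looked up by hand with `ip link show`. It assumes Docker's naming convention (`br-` plus the first 12 characters of the network id, unless the network was created with the `com.docker.network.bridge.name` option); the network id and subnet used in `demo` are constructed.

```shell
#!/bin/sh
# Added helper, not code from the discussion or from Coolify. It derives the
# interface name and IPv4 subnet of a user-defined Docker bridge network and
# prints the firewall-cmd calls from the post instead of running them.
# Assumption: Docker names a user-defined bridge interface "br-" followed by
# the first 12 characters of the network id, unless the network was created
# with the com.docker.network.bridge.name option, in which case that name wins.

# Interface name Docker derives from a network id (no Docker call needed).
bridge_iface_for_id() {
    printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# Print the three firewall-cmd invocations for an interface and subnet.
firewalld_cmds() {
    iface=$1
    subnet=$2
    echo "sudo firewall-cmd --permanent --zone=docker --add-interface=$iface"
    echo "sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=$subnet masquerade'"
    echo "sudo firewall-cmd --reload"
}

# Ask Docker for a named network's id, optional fixed bridge name and subnet,
# then emit the commands. Usage: firewalld_cmds_for_network coolify
firewalld_cmds_for_network() {
    net=$1
    id=$(docker network inspect -f '{{.Id}}' "$net") || return 1
    fixed=$(docker network inspect \
        -f '{{range $k, $v := .Options}}{{if eq $k "com.docker.network.bridge.name"}}{{$v}}{{end}}{{end}}' "$net")
    subnet=$(docker network inspect -f '{{(index .IPAM.Config 0).Subnet}}' "$net") || return 1
    iface=${fixed:-$(bridge_iface_for_id "$id")}
    firewalld_cmds "$iface" "$subnet"
}

# Constructed sample values (no Docker needed) mirroring the coolify network
# from the post: a made-up 64-hex-character network id and 172.18.0.0/16.
demo() {
    firewalld_cmds "$(bridge_iface_for_id 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef)" 172.18.0.0/16
}
```

Run `firewalld_cmds_for_network coolify` on the server to see the exact commands for the real network before executing them; `demo` shows the output shape offline.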