Firewall and Aqua Network issue

JOduMonT · September 23, 2020, 2:59am

To resume in 2 sentences

I use linuxserver/swag as reverse-proxy + linuxserver/nextcloud and linuxserver/jellyfin and linuxserver/… which I use for years under OMV, Debian, Ubuntu and CoreOS, … just to mention the issue is not there.

I only have one interface the green interface is a bridge br0.
I use the aqua network because the other containers needs to speak to reverse-proxy.

It work for a day

I think it is because I tried to add the aqua ZONE but shorewall complain it’s already exist which I believe and proof with: grep aqua /etc/shorewall/zones

Since then shorewall block the traffic

Sep 23 09:50:10 neth kernel: Shorewall:loc2aqua:REJECT:IN=br0 OUT=aqua0 PHYSIN=eth0 MAC=bb:dd:88:55:88:ff:ee:cc:88:44:ff:66:88:00 SRC=192.168.xx.70 DST=172.28.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64296 DF PROTO=TCP SPT=36830 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0

So now I’m lost and need help…

mrmarkuz · September 23, 2020, 8:59am

Did you add firewall rules db props as explained in the docs?

JOduMonT · September 28, 2020, 7:39am

thank to point it out, because actually I did a mistake while I exectuted them earlier

but now even with these commands

[root@neth ~]# db dockrules set customName aqua TCPPorts 443 status enabled
[root@neth ~]# signal-event firewall-adjust

it still blocked

Sep 28 14:30:29 neth kernel: Shorewall:loc2aqua:REJECT:IN=br0 OUT=aqua0 MAC=ba:dd:77:55:44:66:44:cc:88:44:77:66:88:00 SRC=192.168.xx.70 DST=172.28.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17664 DF PROTO=TCP SPT=34764 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0

mrmarkuz · September 28, 2020, 8:03am

Ah, I misunderstood.
The dockrules prop is for access from container to localhost.
You want to access the container port 443 from localhost directly. I’m afraid this is not possible without a custom template.

It should work with docker port mapping. Map the container port 443 to i.e. local port 33443 and then set the reverse proxy to localhost:33443.

JOduMonT · October 24, 2020, 12:46am

Just to conclude this tread;
Now everything works, by using docker-compose, I’m able to control the network between my containers, so I don’t need to play with the nethserver network.