How to install nxfilter and pihole with docker

Information

Feature request: NxFilter for NethServer

This howto is for testing the DNS webfilters. Do not use in production.
Maybe we could improve it together. Please test and give feedback…

Installation

Get the docker repo, then install and enable nethserver-docker:

cd ~
wget https://download.docker.com/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
yum -y install https://mrmarkuz.goip.de/mirror/mrmarkuz/7/noarch/nethserver-docker-0.0.0-1.7.gaaa415f.ns7.noarch.rpm
config setprop docker status enabled
signal-event nethserver-docker-update

Firewall

For testing purposes I decided to open the docker network by policy. In a production environment you should skip this step and set firewall rules instead.

mkdir -p /etc/e-smith/templates-custom/etc/shorewall/policy
cp /etc/e-smith/templates/etc/shorewall/policy/35aqua /etc/e-smith/templates-custom/etc/shorewall/policy/
cat << 'EOF' > /etc/e-smith/templates-custom/etc/shorewall/policy/35aqua
#
# 35aqua -- the Docker network policy
#
aqua net ACCEPT
$FW aqua ACCEPT
aqua $FW ACCEPT
loc aqua ACCEPT
EOF
signal-event firewall-adjust

Download and start containers

Install nxfilter and/or pihole to test them.
Edit TZ=Europe/Vienna to match your timezone:

Nxfilter

docker run -d --name nxfilter -v nxfilter-conf:/nxfilter/conf -v nxfilter-log:/nxfilter/log -v nxfilter-db:/nxfilter/db -e TZ=Europe/Vienna --net=aqua --restart=unless-stopped packetworks/nxfilter-base:latest

Pihole

docker run -d --name pihole -e TZ="Europe/Vienna" -e WEBPASSWORD="admin" -v "$(pwd)/etc-pihole/:/etc/pihole/" -v "$(pwd)/etc-dnsmasq.d/:/etc/dnsmasq.d/" --cap-add NET_ADMIN --net=aqua --restart=unless-stopped pihole/pihole:latest

Portainer

Browse to https://YOURNETH:980/portainer, set up an admin username/password and select Local.
Now you can manage the containers via web UI.

Check the IPs of your containers; if you installed them in a different order, they may differ. In this howto 172.28.0.2 is the nxfilter and 172.28.0.3 is the pihole.

General rules for adding more docker containers

  • don’t publish ports
  • put the containers on the aqua network
  • set the restart policy to unless-stopped

Configuration

Nxfilter

Browse to http://172.28.0.2/admin and login with admin, password: admin

You may need to set upstream DNS:


NxFilter supports LDAP/AD and much more…

Pihole

Browse to http://172.28.0.3/admin and login with password: admin

You may need to set upstream DNS:

Scenarios

Clients use filter DNS

The clients use the DNS server of a webfilter. They may get the DNS server to use from Nethserver DHCP.
This webfilter uses the Nethserver as upstream DNS.
The Nethserver uses an outside upstream DNS like 8.8.4.4 (google).
This way the filter gets the client IP and you can see it in the logs. Nxfilter for instance can map the IP to AD/LDAP users.

Nethserver uses webfilter as upstream DNS

In this case the filter only gets the IP of the Nethserver and has no information about who is surfing, but it still blocks ads and more.

Clients use Nethserver proxy

You need to set the Nethserver upstream DNS to one of the filters. Now when clients use the proxy the DNS filter is involved.

Cascading

You may use more filters for testing. One filter uses the next one as upstream DNS. The last filter uses Nethserver as upstream DNS.

ToDo

  • Testing
  • More secure firewall
  • Using rootless podman containers - I already tried but without success
5 Likes
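The Firewall section above opens the aqua network completely and leaves "More secure firewall" on the ToDo list. The script below is an added example, not part of the original howto or of nethserver-docker: it swaps the wide-open 35aqua policy for a deny-by-default one and adds explicit rules so the LAN can only use the two filters as DNS, while their admin pages are reachable from a single management host. It assumes the rules template directory /etc/e-smith/templates-custom/etc/shorewall/rules mirrors the policy directory used above, that the fragment name 40aqua-filters is free to choose, and that 192.168.1.10 is the admin host; the container IPs are read from docker inspect rather than hard-coded, since the page notes they depend on start order.

```shell
#!/bin/sh
# Added example, not from the original post: restrict the aqua (docker)
# zone instead of opening it by policy.
# Assumptions (not stated on the page): the shorewall rules template
# directory below, the fragment name 40aqua-filters, and the admin host.

POLICY_DIR=/etc/e-smith/templates-custom/etc/shorewall/policy
RULES_DIR=/etc/e-smith/templates-custom/etc/shorewall/rules
ADMIN_HOST=${ADMIN_HOST:-192.168.1.10}   # assumed management host

# Policy fragment: containers may reach the net (upstream DNS, blocklist
# updates) and the firewall itself (NethServer as upstream DNS) in both
# directions; anything from the LAN into aqua is rejected and logged
# unless a rule allows it.  $FW stays literal so shorewall expands it.
gen_aqua_policy() {
    printf '%s\n' \
        '#' \
        '# 35aqua -- the Docker network policy (restricted)' \
        '#' \
        'aqua net ACCEPT' \
        '$FW aqua ACCEPT' \
        'aqua $FW ACCEPT' \
        'loc aqua REJECT info'
}

# Rules fragment: every LAN host may query the filters on 53/udp and
# 53/tcp; only the admin host may open their web UIs on 80/tcp.
# usage: gen_aqua_rules ADMIN_HOST FILTER_IP...
gen_aqua_rules() {
    admin=$1
    shift
    for ip in "$@"; do
        printf 'ACCEPT loc aqua:%s udp 53\n' "$ip"
        printf 'ACCEPT loc aqua:%s tcp 53\n' "$ip"
        printf 'ACCEPT loc:%s aqua:%s tcp 80\n' "$admin" "$ip"
    done
}

# Guard: reads rules on stdin and fails if any line grants the whole LAN
# (source "loc" without a host) a port other than 53, which would undo
# the restriction, e.g. by exposing an admin page to every client.
check_aqua_rules() {
    bad=$(awk '$1=="ACCEPT" && $2=="loc" && $3 ~ /^aqua:/ && $5!="53" {n++} END {print n+0}')
    [ "$bad" -eq 0 ]
}

# Apply: read the real container addresses, write both fragments and
# rebuild the firewall.  Only runs when invoked with the argument "apply".
apply_aqua_firewall() {
    nx=$(docker inspect -f '{{.NetworkSettings.Networks.aqua.IPAddress}}' nxfilter)
    ph=$(docker inspect -f '{{.NetworkSettings.Networks.aqua.IPAddress}}' pihole)
    rules=$(gen_aqua_rules "$ADMIN_HOST" "$nx" "$ph")
    printf '%s\n' "$rules" | check_aqua_rules || {
        echo "refusing to install over-broad aqua rules" >&2
        return 1
    }
    mkdir -p "$POLICY_DIR" "$RULES_DIR"
    gen_aqua_policy > "$POLICY_DIR/35aqua"
    printf '%s\n' "$rules" > "$RULES_DIR/40aqua-filters"
    signal-event firewall-adjust
}

if [ "${1:-}" = apply ]; then
    apply_aqua_firewall
fi
```

Run it as `sh aqua-firewall.sh apply` on the NethServer after both containers are up; without the argument it only defines the functions, so you can source it and look at `gen_aqua_policy` and `gen_aqua_rules` output before touching the firewall. Clients then still get a filter IP from DHCP as in the first scenario, but can no longer reach anything else on the container network.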

Bring to this man a medal! And a beer, of course.

2 Likes

Good afternoon,

I was playing around with Guacamole and ran into problems trying to deploy nethserver-docker on a fresh NS demo. Installing nethserver-docker via yum install --enablerepo=nethforge-testing nethserver-docker resulted in the following error:


[root@nethdemo ~]# yum install --enablerepo=nethforge-testing nethserver-docker
Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile

I also noted that yum install of https://mrmarkuz.goip.de/mirror/mrmarkuz/7/noarch/nethserver-docker-0.0.0-1.7.gaaa415f.ns7.noarch.rpm results in a failed connection. Am I missing something?

Sorry, I was testing. It should work now again, please try.
Alternatively, you may use my new repo, located on another server where I do no testing:

yum -y install https://mrmarkuz.dynu.net/mirror/mrmarkuz/7/noarch/nethserver-mrmarkuz-0.0.1-4.ns7.noarch.rpm
2 Likes