Nethserver firewall assigns "net" interface to docker network

I’ve run into an issue when I was trying to configure a rule to allow traffic from the LAN interface (“loc”) directly to docker containers (“dock”).
I set up a rule in the Web UI:

Source: 10.10.0.0/24 (lan)
Destination: 172.10.0.0/16 (docker)
Service: any

I was UNABLE to route any traffic from a host located in the LAN to Docker. I kept getting the following message:
serwer kernel: Shorewall:loc2dock:REJECT:IN=br0 OUT=docker0 PHYSIN=br0 MAC=xxxxxx SRC=10.10.0.50 DST=172.10.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=30497 DF PROTO=TCP SPT=59795 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

After doing some digging and checking the rules file in /etc/shorewall/rules, I discovered that the generated rule was as follows:

{source:loc:10.10.0.0/24, dest:net:172.10.0.0/16, time:-, action:ACCEPT:none}

The problem turned out to be the “net” part. After I manually changed it to “dock”, everything started to work as expected.

There is some bug where the IP addresses used on docker interfaces (although listed in /etc/shorewall/interfaces) are not used to properly generate the rules in the rules file.

Firewall 3.18.2
NethServer 7.9.2009

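An added check, not code from the original thread, that reproduces the diagnosis above in Python: it parses the db-style entry from /etc/shorewall/rules, flags a zone that does not fit its CIDR against an assumed zone-to-subnet map, and reads the Shorewall log line to show that the packet was evaluated in loc2dock while the rule had been generated for loc to net. The zone map and the shortened log line are constructed.

```python
import ipaddress
import re

# Constructed samples from the post: the entry NethServer generated in
# /etc/shorewall/rules (zone "net" on the docker0 subnet) and the REJECT log line.
SAMPLE_RULE = "{source:loc:10.10.0.0/24, dest:net:172.10.0.0/16, time:-, action:ACCEPT:none}"
SAMPLE_LOG = ("Shorewall:loc2dock:REJECT:IN=br0 OUT=docker0 SRC=10.10.0.50 "
              "DST=172.10.0.3 PROTO=TCP SPT=59795 DPT=80")

# Assumed zone -> subnet map (hypothetical); build it from /etc/shorewall/interfaces on a real host.
ZONE_NETS = {
    "loc": ipaddress.ip_network("10.10.0.0/24"),
    "dock": ipaddress.ip_network("172.10.0.0/16"),
}

RULE_RE = re.compile(r"(source|dest):(\w+):([\d./]+)")
LOG_RE = re.compile(r"Shorewall:(\w+)2(\w+):(\w+):.*?SRC=(\S+) DST=(\S+)")


def zone_for(addr):
    """Zone whose subnet contains addr; "net" when no local zone matches."""
    net = ipaddress.ip_network(addr, strict=False)
    for zone, subnet in ZONE_NETS.items():
        if net.subnet_of(subnet):
            return zone
    return "net"


def parse_rule(line):
    """Map 'source'/'dest' to (zone, cidr) from a db-style rules entry."""
    return {field: (zone, cidr) for field, zone, cidr in RULE_RE.findall(line)}


def rule_zone_mismatches(line):
    """List (field, declared_zone, expected_zone) where the zone does not fit the CIDR."""
    mismatches = []
    for field, (zone, cidr) in parse_rule(line).items():
        expected = zone_for(cidr)
        if zone != expected:
            mismatches.append((field, zone, expected))
    return mismatches


def parse_log(line):
    # Returns (src_zone, dst_zone, action, src_ip, dst_ip) or None.
    match = LOG_RE.search(line)
    return match.groups() if match else None


def rejected_by_wrong_zone(rule_line, log_line):
    """True when the packet's logged zone pair differs from the zones the rule was written for."""
    src_zone, dst_zone, action, _, _ = parse_log(log_line)
    rule = parse_rule(rule_line)
    return action == "REJECT" and (rule["source"][0], rule["dest"][0]) != (src_zone, dst_zone)
```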

Hi and welcome to NethServer Community,

NethServer Docker supports different types of networks, check out the documentation.
Which network did you use? I recommend macvlan to be able to reach the containers.

Does it help to restart/reconfigure the firewall?

signal-event firewall-adjust


Does it help to restart/reconfigure the firewall?

signal-event firewall-adjust

Unfortunately it does not. My network still appears in rules as “net”.

NethServer Docker supports different types of networks, check out the documentation.
Which network did you use? I recommend macvlan to be able to reach the containers.

I used “bridge” network which already existed after installing nethserver docker - from host perspective it is called “docker0”.

I was able to set up macvlan according to the instructions and now it works. Slightly differently than I would expect (on the same network as the host), but this setup should be sufficient for my needs.

I am still wondering why the firewall assigns “net” to an IP address from the “docker0” pool. After reading the documentation carefully (I probably should have done it earlier :) ), I see the following:
https://docs.nethserver.org/en/v7/docker.html#default-network

The default bridge docker0 is allowed in the firewall of NethServer, any ports or the containers will be opened through shorewall. Any docker howto is supposed to be compatible.

Doesn’t it mean that if I use this network, the container should be reachable in the firewall?

You can also reach the containers from NethServer when they’re in aqua network but clients can’t reach them.

It means that the published ports of the containers are reachable, not the containers themselves.

any ports or the containers will be opened through shorewall

That part got me thinking that containers would be reachable directly by anybody (e.g. from the LAN), not only from NethServer or by using a port (nethserver_ip:<some_exposed_port>).

Anyway, it seems that what I reported is not a bug then, but a feature.


There’s a typo, thanks for pointing out.