
About linux: Firewalld forward external connections to container service listening on localhost

Question Detail

I'm a little confused about firewalld. I am trying to secure Docker containers by using docker-compose to force the container to listen only on localhost:

 docker-compose ps
   Name                     Command               State            Ports          
--------------------------------------------------------------------------------------
srv_postgres-srv_1   /docker-entrypoint.sh postgres   Up      127.0.0.1:5432->5432/tcp

services:

 postgres-srv:
  image: postgres:9.5.5
  volumes:
   - postgres-srv_volume:/var/lib/postgresql/data
  ports:
   - "127.0.0.1:5432:5432"

volumes:
 postgres-srv_volume:

But when I try to use firewalld to forward external traffic to it, connections are refused.
My firewalld configuration so far:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports:
  protocols: 
  masquerade: yes
  forward-ports: port=5432:proto=tcp:toport=5432:toaddr=127.0.0.1
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="192.168.1.1/32" port port="5432" protocol="tcp" accept

Please, what am I doing wrong?

Question Answer

I'm not sure this is absolutely the right thing to do, but in order to port-forward to the container, thanks to the information here: Assign Static IP to Docker Container,
I did the following:

  1. I forced the container to have a static address (forcing it to listen on localhost for connections now seems redundant), by setting these in the docker-compose file:

    version: '2'
    
    services:
    
     postgres-srv:
      image: postgres:9.5.5
      volumes:
       - postgres-srv_volume:/var/lib/postgresql/data
      networks:
       static-network:
         ipv4_address: 172.18.0.2
      ports:
       - "127.0.0.1:5432:5432"
    
    volumes:
     postgres-srv_volume:
    
    networks:
      static-network:
        ipam:
         config:
          - subnet: 172.18.0.0/16
            ip_range: 172.18.0.0/16
    

  2. Then I port-forwarded in firewalld like so:

    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0
      sources: 
      services: dhcpv6-client ssh
      ports: 
      protocols: 
      masquerade: yes
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
            rule family="ipv4" source address="192.168.0.1/24" forward-port port="5432" protocol="tcp" to-port="5432" to-addr="172.18.0.2"

Now I still can't get the container to listen on localhost from outside, but I can port-forward to the static container IP.
Please tell me if this is the right thing to do.
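The two rules in this thread differ in exactly the places that decide whether a forward works: the question's rule DNATs to `127.0.0.1`, and the answer's working rule DNATs to the container's bridge address but writes the source network as `192.168.0.1/24` (host bits set, so it is unclear whether one host or the whole /24 was meant). The following is an added example, written by the editor and not code from the question or answer: it builds the firewalld rich rule for a given source network, port and target, refuses those two inputs, and emits the `firewall-cmd` invocations that apply it. The loopback check encodes a kernel fact the thread does not state: a packet DNATed to 127.0.0.0/8 after arriving on a non-loopback interface is dropped unless `net.ipv4.conf.<iface>.route_localnet=1`, which is why forwarding to the localhost-bound port cannot work as configured. The container address 172.18.0.2 and the source network are the answer's values; `build_forward_rule` and `firewall_cmd_lines` are the example's own names.

```python
"""Added example (not from the original question or answer): build a firewalld
rich rule that DNATs an external port to a Docker container, and reject the two
inputs from the thread that firewalld accepts but that do not do what is wanted.

Assumptions, not facts from the page: the container has a fixed bridge address
(172.18.0.2 is the answer's choice) and the allowed client network is an
operator-supplied CIDR; function names are the example's own.
"""
import ipaddress
import shlex


def build_forward_rule(source_cidr, port, to_addr, to_port=None, proto="tcp"):
    """Return a firewalld rich rule forwarding `port` to `to_addr:to_port`
    for clients inside `source_cidr`.

    Raises ValueError for:
      * a source written with host bits set (192.168.0.1/24): firewalld takes
        it, but whether one host or the whole network was meant is ambiguous;
      * a loopback target (127.0.0.1): DNAT to 127.0.0.0/8 for a packet that
        arrived on a non-loopback interface is discarded by the kernel unless
        route_localnet is enabled on that interface.
    """
    if to_port is None:
        to_port = port
    for p in (port, to_port):
        if not 1 <= int(p) <= 65535:
            raise ValueError(f"port out of range: {p}")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto}")

    src = ipaddress.ip_interface(source_cidr)
    if src.ip != src.network.network_address:
        raise ValueError(
            f"{source_cidr} has host bits set; use {src.network} for the whole "
            f"network or {src.ip}/{src.ip.max_prefixlen} for a single host")

    target = ipaddress.ip_address(to_addr)
    if target.version != src.network.version:
        raise ValueError("source and target address families differ")
    if target.is_loopback:
        raise ValueError(
            f"{to_addr} is loopback: external DNAT to it needs "
            "net.ipv4.conf.<iface>.route_localnet=1; forward to the "
            "container's bridge address instead")

    family = "ipv4" if target.version == 4 else "ipv6"
    return (f'rule family="{family}" source address="{src.network}" '
            f'forward-port port="{port}" protocol="{proto}" '
            f'to-port="{to_port}" to-addr="{target}"')


def firewall_cmd_lines(rule, zone="public"):
    """firewall-cmd invocations that apply `rule` to the running and the
    permanent configuration. Masquerade is kept on, matching `masquerade: yes`
    in the zones shown above."""
    q = shlex.quote(rule)
    return [
        f"firewall-cmd --zone={zone} --add-masquerade",
        f"firewall-cmd --zone={zone} --add-rich-rule={q}",
        f"firewall-cmd --permanent --zone={zone} --add-masquerade",
        f"firewall-cmd --permanent --zone={zone} --add-rich-rule={q}",
    ]


if __name__ == "__main__":
    # The answer's working rule, with the source network written canonically.
    rule = build_forward_rule("192.168.0.0/24", 5432, "172.18.0.2")
    print("\n".join(firewall_cmd_lines(rule)))
    # The two variants from the thread that the checks reject.
    for bad in (("192.168.0.1/24", 5432, "172.18.0.2"),
                ("192.168.1.1/32", 5432, "127.0.0.1")):
        try:
            build_forward_rule(*bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Run it as a script and paste the printed `firewall-cmd` lines into a root shell; verify afterwards with `firewall-cmd --zone=public --list-rich-rules`. Note that the rule only restricts who may reach the DNAT; PostgreSQL authentication (`pg_hba.conf`) still applies inside the container.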
