5

I want to explicitly open ports on my CentOS 7 machine, so I've configured firewalld with `drop` as the default zone and my `external` zone on my public-facing interface. When I run `python -m SimpleHTTPServer 8000` and hit the box on port 8000, it fails. But if I add the port to the external zone, it works. All as expected.

However, when I start a docker container on port 8000 and hit the box externally, I can get to the service, which is not what I want to happen. I want that to only be accessible if I open port 8000 on zone external.

Even if I bind the docker container to the public address of the box, it still gets around the firewall. I can provide more information if needed, like route tables and interface configuration, but I don't quite know what's useful. Looking to learn.

The box has two physical interfaces on it: eth0, which has a public IP assigned to it, and eth1, which is connected to the private network and which I want to have accessible.

EDIT: SOLVED. Added `--iptables=false` to the docker options.

  • 1
    Remember that Docker opens the ports in the firewall unless you explicitly told it not to. – Michael Hampton Aug 12 '15 at 22:55
  • Thanks, I added the `--iptables=false` option to docker and it stopped overriding things. What concerned me was that when I run `firewall-cmd --zone=external --list-all` the change didn't show up there. – Michael Timbrook Aug 12 '15 at 23:10

1 Answer

3

Remember that Docker opens the ports in the firewall unless you explicitly told it not to.

Just needed to add `--iptables=false` to the docker options.

  • 2
    If I add `--iptables=false` it makes all of my containers unable to access any hosts outside docker0. Do you have to add any forwarding rules to firewalld? – SoichiH Dec 01 '15 at 14:25
  • How did you solve the issue? I'm also stuck at this very problem. After `--iptables=false`, docker no longer tampers explicitly with iptables, but now I'm unable to connect to any host on the internet from inside my container. I have tried everything found on the internet but am still out of luck. – Point Networks Mar 20 '18 at 08:59
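As an added check (example script, not from the question or the answer): the question's point is that ports Docker publishes appear as DNAT rules in the nat `DOCKER` chain and never show up in `firewall-cmd --zone=external --list-all`. Given captured `iptables -t nat -S DOCKER` and `firewall-cmd --zone=external --list-ports` output, this script lists container ports that are reachable only because Docker wrote its own rules. Both sample inputs below are constructed; on a real host capture them from the two commands.

```shell
#!/bin/sh
# Added example: flag container ports that Docker published straight into the
# nat DOCKER chain but that the firewalld zone does not open.

# Constructed sample of `iptables -t nat -S DOCKER` as Docker writes it when
# --iptables is left at its default.
SAMPLE_NAT='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 172.17.0.2:8000
-A DOCKER ! -i docker0 -p udp -m udp --dport 5353 -j DNAT --to-destination 172.17.0.3:5353'

# Constructed sample of `firewall-cmd --zone=external --list-ports`.
SAMPLE_FW='22/tcp 5353/udp'

# docker_published_ports: read iptables -S lines on stdin and print one
# "port/proto" per DNAT rule; rules without --dport (e.g. the RETURN) are skipped.
docker_published_ports() {
    awk '/-j DNAT/ {
        port = ""; proto = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport") port = $(i + 1);
            if ($i == "-p") proto = $(i + 1);
        }
        if (port != "" && proto != "") print port "/" proto
    }' | sort -u
}

# unaccounted_ports NAT_TEXT FW_TEXT: print published ports missing from the zone.
unaccounted_ports() {
    published=$(printf '%s\n' "$1" | docker_published_ports)
    for p in $published; do
        case " $2 " in
            *" $p "*) ;;        # also opened in the zone, nothing to report
            *) echo "$p" ;;     # reachable only because Docker bypassed firewalld
        esac
    done
}

unaccounted_ports "$SAMPLE_NAT" "$SAMPLE_FW"   # prints 8000/tcp
```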