
I just came across this issue, and it's late here so I can't really think straight anymore right now. Still, this is something pretty simple, so I'm not really seeing what I'm missing and am just going nuts here:

I was setting up a server I use solely for running Docker containers. I started with a MariaDB container, all OK here, and I decided to connect to it just to make sure everything is working.

So now I want to connect to the server running MariaDB, and since I'm behind firewalld, I started by configuring it: adding a new zone with firewall-cmd, then adding a service and a source:

firewall-cmd --permanent --new-zone=test-from-home
firewall-cmd --reload
firewall-cmd --permanent --zone=test-from-home --add-service=mysql
firewall-cmd --permanent --zone=test-from-home --add-source=XX.XX.XX.XX/32
firewall-cmd --reload

And I connected perfectly using mysql -u root -p -h host. All great!

Running firewall-cmd --get-active-zones returns:

[root@nd01 latest]# firewall-cmd --get-active-zones
test-from-home
  sources: XX.XX.XX.XX/32
public
  interfaces: eth0

So, just because I sometimes remember to run these tests to make sure everything is working, I logged into another machine and connected successfully from this other IP.

firewall-cmd --zone=test-from-home --list-all
test-from-home (active)
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: XX.XX.XX.XX/32
  services: mysql
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Why am I able to connect from a random machine? What am I missing? Thanks

  • What did you try to connect to? – Michael Hampton Feb 13 '19 at 22:35
  • Sorry mate, I didn't fully understand your question. I connected using the mysql command on my machine, and also connected using the app Navicat. From the remote machine I used the mysql command. And I also asked a friend to netcat to host port 3306. All successful, when I was expecting only my connections (originating from my IP/32) would go through. Sorry for the multiple edits, I'm on the phone – Ricardo Mendes Feb 13 '19 at 22:49

1 Answer

OK, so today I found the answer.

FirewallD doesn't play nice with Docker (or vice-versa)

Meanwhile I came across the fact that firewalld and Docker do not play along. According to the Docker documentation, the way to circumvent this is by disabling iptables in Docker: Docker and iptables

As it says from the very first sentence:

On Linux, Docker manipulates iptables rules to provide network isolation. This is an implementation detail, and you should not modify the rules Docker inserts into your iptables policies.

Which wouldn't be my first resort, as it's advised against.

So I did a little more digging and found a page that gave me the answer. Anyone with this issue can take a couple of ideas from it; it's a nice approach, adding the configuration to the DOCKER-USER chain.

Docker meets firewall - finally an answer
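As an added example (not code from the question, the answer, or the linked page), the following script shows what "adding configuration to the DOCKER-USER chain" looks like for this exact problem: only one source address may reach the MariaDB port that Docker publishes, and everyone else is dropped before Docker's own ACCEPT rules see the packet. The external interface eth0 and the port 3306 come from the question; the allowed source 203.0.113.5/32 is an assumed placeholder for the asker's XX.XX.XX.XX/32. The rules are installed through firewalld's --direct passthrough (an existing firewall-cmd feature) so they survive a firewalld reload, which assumes firewalld is using its iptables backend.

```shell
#!/bin/sh
# Added example: lock a Docker-published port down in the DOCKER-USER chain.
# Assumptions (not taken from the original post): external interface eth0,
# allowed client 203.0.113.5/32 (documentation address), published port 3306.

ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.5/32}"   # assumed; replace with your own /32
EXT_IF="${EXT_IF:-eth0}"                       # interface shown in the "public" zone
PORT="${PORT:-3306}"                           # the mysql service port

# Print the iptables rule bodies for DOCKER-USER, one per line, in the order
# they must appear. By the time a packet reaches DOCKER-USER it has already
# been DNAT'ed to the container, so "--dport 3306" would match the container
# port, not the port the client connected to; conntrack's --ctorigdstport
# matches the original destination port instead.
docker_user_rules() {
    src="$1"; ifc="$2"; port="$3"
    # 1. Replies and connections the containers started themselves.
    echo "-i $ifc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. The one trusted source may open connections to the published port.
    echo "-i $ifc -s $src -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j ACCEPT"
    # 3. Everyone else arriving on the external interface for that port is dropped.
    echo "-i $ifc -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j DROP"
    # 4. Anything else falls through to Docker's own chains as before.
    echo "-j RETURN"
}

# Wrap each rule in a permanent firewalld direct rule. The priority argument
# increases with each rule so firewalld keeps the order above; a final reload
# makes the permanent rules active.
firewalld_direct_cmds() {
    prio=0
    docker_user_rules "$@" | while IFS= read -r rule; do
        echo "firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER $prio $rule"
        prio=$((prio + 1))
    done
    echo "firewall-cmd --reload"
}

# Stand-alone use: print the commands; set APPLY=1 to run them as root.
if [ "${APPLY:-0}" = "1" ]; then
    firewalld_direct_cmds "$ALLOWED_SRC" "$EXT_IF" "$PORT" | sh
else
    firewalld_direct_cmds "$ALLOWED_SRC" "$EXT_IF" "$PORT"
fi
```

After applying, verify with `iptables -nvL DOCKER-USER` that the ACCEPT and DROP rules sit above Docker's RETURN, then repeat the asker's test: `nc -zv host 3306` from the allowed address should succeed and from any other address should time out. Matching on `-i eth0` keeps the rules from touching traffic between containers on the bridge. One caveat worth knowing: on firewalld versions that drive iptables directly, a `--reload` can flush the chains Docker inserted; if containers lose connectivity right after the reload, restarting the Docker daemon recreates them, and the DOCKER-USER rules added here are left in place.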