On 8/9/2021 5:30 AM, Jernej Vodopivec via Shorewall-users wrote:
> Hi,
> I am running a VM host with multiple docker containers. Each container has 
> an assigned isolated network. Traffic initiated from containers going out to 
> the internet is not blocked as expected by the policy: REJECT
> 
> 
> Curl run from host/VM.
> #  curl -v https://www.sf.net
> *   Trying 204.68.111.105:443...
> * connect to 204.68.111.105 port 443 failed: Connection timed out
> * Failed to connect to www.sf.net port 443: Connection timed out
> * Closing connection 0
> curl: (28) Failed to connect to www.sf.net port 443: Connection timed out
> 
> Curl run from docker
> / # curl -v https://www.sf.net
> *   Trying 204.68.111.105:443...
> * Connected to www.sf.net (204.68.111.105) port 443 (#0)
> 
> Shorewall version running on Debian 11: 5.2.3.4-1
> 
> /etc/shorewall/policy
> #SOURCE DEST            POLICY          LOGLEVEL        RATE    CONNLIMIT
> $FW     net             DROP            $LOG_LEVEL
> net     all             DROP            $LOG_LEVEL
> # The FOLLOWING POLICY MUST BE LAST
> all     all             REJECT          $LOG_LEVEL
> 
> /etc/shorewall/interfaces 
> ###############################################################################
> #ZONE   INTERFACE       OPTIONS
> net     ens192          dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=ens192
> dock    docker0         bridge
> db_maria br-0637e091497f        tcpflags,logmartians,nosmurfs,sourceroute=0,routefilter=1
> www1 br-7172e1291701 tcpflags,logmartians,nosmurfs,sourceroute=0,routefilter=1
> www2 br-33696d489f5a tcpflags,logmartians,nosmurfs,sourceroute=0,routefilter=1
> 
> There is no ACCEPT rule in /etc/shorewall/rules. Even host traffic is all 
> blocked unless explicitly permitted by an "ACCEPT $FW net" rule.
> 
> Iptables rules
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
> DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
> DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
> DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
> DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> net_frwd   all  --  0.0.0.0/0            0.0.0.0/0
> dock_frwd  all  --  0.0.0.0/0            0.0.0.0/0
> db_maria_frwd  all  --  0.0.0.0/0            0.0.0.0/0
> www1_frwd  all  --  0.0.0.0/0            0.0.0.0/0
> www2_frwd  all  --  0.0.0.0/0            0.0.0.0/0
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "FORWARD REJECT "
> reject     all  --  0.0.0.0/0            0.0.0.0/0           [goto]
> 
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
> fw-net     all  --  0.0.0.0/0            0.0.0.0/0
> fw-dock    all  --  0.0.0.0/0            0.0.0.0/0
> fw-db_maria  all  --  0.0.0.0/0            0.0.0.0/0
> fw-www1  all  --  0.0.0.0/0            0.0.0.0/0
> fw-www2  all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "OUTPUT REJECT "
> reject     all  --  0.0.0.0/0            0.0.0.0/0           [goto]
> 
> Chain db_maria-net (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "db_maria-net REJECT "
> reject     all  --  0.0.0.0/0            0.0.0.0/0           [goto]
> 
> Chain db_maria_frwd (1 references)
> target     prot opt source               destination
> dynamic    all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
> smurfs     all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
> tcpflags   tcp  --  0.0.0.0/0            0.0.0.0/0
> db_maria-net  all  --  0.0.0.0/0            0.0.0.0/0
> db_maria-dock  all  --  0.0.0.0/0            0.0.0.0/0
> db_maria-www1  all  --  0.0.0.0/0            0.0.0.0/0
> db_maria-www2  all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain net_frwd (1 references)
> target     prot opt source               destination
> dynamic    all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
> smurfs     all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
> tcpflags   tcp  --  0.0.0.0/0            0.0.0.0/0
> net-dock   all  --  0.0.0.0/0            0.0.0.0/0
> net-www1 all  --  0.0.0.0/0            0.0.0.0/0
> net-www2  all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain reject (135 references)
> target     prot opt source               destination
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST
> DROP       all  --  224.0.0.0/4          0.0.0.0/0
> DROP       2    --  0.0.0.0/0            0.0.0.0/0
> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
> REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
> REJECT     icmp --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
> 
> 
> Chain net-db_maria (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "net-db_maria DROP "
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain dynamic (24 references)
> target     prot opt source               destination
> 
> Chain smurflog (2 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "smurfs DROP "
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain smurfs (22 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0              0.0.0.0/0
> smurflog   all  --  0.0.0.0/0            0.0.0.0/0           [goto]  ADDRTYPE match src-type BROADCAST
> smurflog   all  --  224.0.0.0/4          0.0.0.0/0           [goto]
> 
> Chain tcpflags (24 references)
> target     prot opt source               destination
> logflags   tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x3F/0x29
> logflags   tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x3F/0x00
> logflags   tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x06/0x06
> logflags   tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x05/0x05
> logflags   tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x03/0x03
> logflags   tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x19/0x09
> logflags   tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcp spt:0 flags:0x17/0x02
> 
> Docker is enabled in shorewall.conf.
> 
> 
> Does this look like a bug, or am I missing something?
> 

TLDR.

In addition to my previous e-mail regarding your other question.

Is Shorewall configured as described at (1)?

1)  https://shorewall.org/bridge-Shorewall-perl.html

-- 
Matt Darfeuille <m...@shorewall.org>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org
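The quoted FORWARD listing explains the symptom in the original post: Docker's own per-bridge ACCEPT rules sit above the <zone>_frwd chains through which Shorewall applies its policy, so a NEW connection leaving a container bridge is accepted before any Shorewall chain runs, while the host's own traffic goes through OUTPUT, where Shorewall's fw-net chain does apply. The script below is an added example, not code from this thread, from the poster, or from the Shorewall or Docker projects. It walks a constructed `iptables -S FORWARD` sample shaped after the quoted `iptables -L` output (the `-i`/`-o` interface matches on Docker's rules are an assumption, since `-L` without `-v` hides them; the bridge name is the one shown in the post) and reports which rule claims a packet first, plus which ACCEPT rules pre-empt Shorewall.

```python
import re

# Constructed sample of `iptables -S FORWARD` output, shaped after the listing
# quoted in the thread. Assumption: Docker's ACCEPT rules carry -i/-o matches
# that `iptables -L` does not print (it shows only target/prot/src/dst).
SAMPLE_FORWARD = """\
-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-7172e1291701 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7172e1291701 -j DOCKER
-A FORWARD -i br-7172e1291701 ! -o br-7172e1291701 -j ACCEPT
-A FORWARD -i br-7172e1291701 -o br-7172e1291701 -j ACCEPT
-A FORWARD -j net_frwd
-A FORWARD -j dock_frwd
-A FORWARD -j www1_frwd
-A FORWARD -m addrtype --dst-type BROADCAST -j DROP
-A FORWARD -j reject
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # built-in verdicts that end the walk


def parse_rule(line):
    """Reduce one `-A FORWARD ...` line to the matches this walker models."""
    toks = line.split()[2:]  # drop "-A FORWARD"
    rule = {"in": None, "out": None, "ctstate": None, "dst_type": None, "target": None}
    negate, i = False, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":            # "! -o br-x": negation applies to the next match
            negate = True
            i += 1
            continue
        if tok in ("-i", "-o"):
            rule["in" if tok == "-i" else "out"] = (toks[i + 1], negate)
            i += 2
        elif tok == "--ctstate":
            rule["ctstate"] = set(toks[i + 1].split(","))
            i += 2
        elif tok == "--dst-type":
            rule["dst_type"] = toks[i + 1]
            i += 2
        elif tok == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        else:                     # "-m conntrack", "-m addrtype": no match data
            i += 1
        negate = False
    return rule


def matches(rule, pkt):
    """True if every match the rule carries holds for the packet."""
    for key in ("in", "out"):
        if rule[key] is not None:
            iface, negated = rule[key]
            if (pkt[key] == iface) == negated:
                return False
    if rule["ctstate"] is not None and pkt["ctstate"] not in rule["ctstate"]:
        return False
    if rule["dst_type"] is not None and pkt["dst_type"] != rule["dst_type"]:
        return False
    return True


def trace(rules_text, pkt):
    """First-match walk of FORWARD for one packet: returns (verdict, visited).
    verdict is the first built-in terminal target hit, or the chain policy;
    visited lists the user chains the packet was handed to before that (they
    are modelled as returning, since only FORWARD itself is parsed here)."""
    policy, visited = "DROP", []
    for line in rules_text.splitlines():
        if line.startswith("-P FORWARD "):
            policy = line.split()[2]
        elif line.startswith("-A FORWARD "):
            rule = parse_rule(line)
            if not matches(rule, pkt):
                continue
            if rule["target"] in TERMINAL:
                return rule["target"], visited
            visited.append(rule["target"])
    return policy, visited


def docker_accepts_before_shorewall(rules_text):
    """ACCEPT rules keyed on an ingress interface that precede the first
    Shorewall <zone>_frwd jump; each of them pre-empts Shorewall's policy."""
    found = []
    for line in rules_text.splitlines():
        if re.search(r"-j \S+_frwd$", line):
            break
        if " -i " in line and line.endswith("-j ACCEPT"):
            found.append(line)
    return found


if __name__ == "__main__":
    egress = {"in": "br-7172e1291701", "out": "ens192", "ctstate": "NEW", "dst_type": "UNICAST"}
    ingress = {"in": "ens192", "out": "br-7172e1291701", "ctstate": "NEW", "dst_type": "UNICAST"}
    print("container -> net:", trace(SAMPLE_FORWARD, egress))
    print("net -> container:", trace(SAMPLE_FORWARD, ingress))
    for line in docker_accepts_before_shorewall(SAMPLE_FORWARD):
        print("pre-empts Shorewall:", line)
```

On a live host, replace SAMPLE_FORWARD with the real output of `iptables -S FORWARD` and build the packet dict from the bridge name `docker network inspect` reports. For the container egress packet the walk ends at Docker's `-i br-... ! -o br-... -j ACCEPT` with `www1_frwd` never visited, which is the post's symptom; for the reverse direction the walk reaches net_frwd and www1_frwd, so inbound traffic is still subject to Shorewall's policy. DOCKER-USER is the chain Docker reserves for administrator rules and is consulted first, which is why a firewall that wants to govern container traffic has to either hook there or be set up as Matt's link describes rather than rely on rules appended after Docker's.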


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users