Docker Firewall
The instructions below describe how to set up a firewall so that the Docker containers on an RPi are not allowed to speak with other devices on the LAN. This prevents renters of the device from being able to hack other devices on the local network. The instructions below are based on this blog entry.
This firewall assumes that you are using the Ethernet port on the RPi to connect it to the network, and not the WiFi antenna.
- View the iptables rules created by Docker by running the command:
sudo iptables -L
- Create the directory /etc/systemd/system/docker.service.d.
- Enter that directory and create the file noiptables.conf.
- Add the following content to this file with nano:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --iptables=false --dns=8.8.4.4
- Reboot the Raspberry Pi to let the changes take effect.
- Run the command
sudo iptables -L
and verify that the iptables rules created by Docker are no longer there.
- Install the following package:
sudo apt-get install iptables-persistent
- Replace the /etc/iptables/rules.v4 file with the following:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.6.0 on Wed Jan 24 08:06:27 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow localhost
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# ICMP
-A INPUT -p icmp -j ACCEPT
# Docker
## Prevent docker from speaking directly to any devices on the LAN
-A FORWARD -i docker0 -d 192.168.0.0/16 -j DROP
## Allow all other traffic to pass through
-A FORWARD -i docker0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o docker0 -j ACCEPT
# Incoming
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
## Allow DNS to pass through
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# Outgoing
## Allow DNS to pass through
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
## Do not allow host to speak to LAN devices, in case it gets hacked.
#-A OUTPUT -d 192.168.0.0/16 -j DROP
-A OUTPUT -j ACCEPT
# Routing
-A FORWARD -j ACCEPT
COMMIT
- Load the new firewall rules with this command:
sudo netfilter-persistent reload
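An added example, not part of the original instructions: a small first-match evaluator for the FORWARD rules above, to check which container traffic the rule set drops before relying on it. It models only -i, -o, -d and -j, and the test destinations are constructed.

```python
import ipaddress
import shlex

# FORWARD rules copied from the rules.v4 file on this page.
RULES_V4_FORWARD = """\
# Docker
-A FORWARD -i docker0 -d 192.168.0.0/16 -j DROP
-A FORWARD -i docker0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o docker0 -j ACCEPT
# Routing
-A FORWARD -j ACCEPT
"""


def parse_rules(text, chain="FORWARD"):
    """Parse '-A CHAIN ...' lines, keeping only -i, -o, -d and -j.

    Assumes every option takes exactly one argument, which holds for the
    FORWARD rules above but not for iptables syntax in general.
    """
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # '#' lines become []
        if tok[:2] != ["-A", chain]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))
        rules.append({
            "in": opts.get("-i"),
            "out": opts.get("-o"),
            "dst": ipaddress.ip_network(opts.get("-d", "0.0.0.0/0")),
            "target": opts["-j"],
        })
    return rules


def verdict(rules, in_if, out_if, dst, policy="ACCEPT"):
    """Return the target of the first rule that matches, else the policy."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if (r["in"] in (None, in_if) and r["out"] in (None, out_if)
                and addr in r["dst"]):
            return r["target"]
    return policy


RULES = parse_rules(RULES_V4_FORWARD)

if __name__ == "__main__":
    # Constructed sample destinations: a LAN host, the DNS server, a 10.x host.
    for dst in ("192.168.1.10", "8.8.4.4", "10.0.0.5"):
        print(dst, verdict(RULES, "docker0", "eth0", dst))
```

The DROP rule only covers 192.168.0.0/16, so on a LAN that uses a different private range (the constructed 10.0.0.5 case) its -d value must be changed to match. The DROP rule must also stay ahead of the ACCEPT rules, because iptables stops at the first matching rule.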