On Wed, Jun 30, 2021 at 10:58:03AM -0000, DragonBillow Zhang wrote:
> I'm sorry for replying so late. The last email was rejected :(, so
> I need to rewrite the mail.
> I have made a policy as follows:
> # firewall-cmd --permanent --new-policy worldToDocker
> # firewall-cmd --permanent --policy worldToDocker --add-ingress-zone ANY
> # firewall-cmd --permanent --policy worldToDocker --add-egress-zone docker
> # firewall-cmd --permanent --policy worldToDocker --add-rich-rule='rule family=ipv4 source not address=127.0.0.1 reject'
> # firewall-cmd --permanent --policy worldToDocker --add-rich-rule='rule family=ipv6 source not address=[::1] reject'
> # firewall-cmd --reload
> In this policy, I guess all packets not coming from 127.0.0.1 will be rejected. But it
> seems not to work for me.
Correct. However, using a loopback 127.0.0.1 doesn't make any sense
here. The above policy applies to forwarded packets. Packets to
127.0.0.1 will never be forwarded.
> It seems not possible to manage docker's packets with firewalld,
> after searching PREROUTING a lot.
> I tried to set zone "docker" to "reject", which can work a little:
> it means all web ports opened by docker can be accessed but can't work normally.
Are you trying to filter traffic destined to a container?
Or, are you trying to filter traffic originating from a container?
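The point made above, that a firewalld policy with ingress zone ANY and egress zone docker only ever sees forwarded packets, so a rich rule exempting source 127.0.0.1 can never match, as an added toy model (not code from the thread or from firewalld); the host addresses and the 172.17.0.0/16 docker bridge subnet are constructed assumptions:

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address

# Constructed sample topology (assumption, not from the thread): addresses the
# host owns, and the subnet behind the "docker" zone (the docker0 bridge).
HOST_ADDRS = {ip_address("127.0.0.1"), ip_address("198.51.100.10")}
DOCKER_NET = IPv4Network("172.17.0.0/16")


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    locally_generated: bool = False  # emitted by a process on this host


def netfilter_path(pkt: Packet) -> str:
    """Which filter chain decides this packet's fate."""
    if pkt.locally_generated:
        return "OUTPUT"   # host-originated traffic never traverses FORWARD
    if pkt.dst in HOST_ADDRS:
        return "INPUT"    # addressed to the host itself
    return "FORWARD"      # routed through the host, e.g. into a container


def world_to_docker(pkt: Packet) -> str:
    """Model of the thread's 'worldToDocker' policy: ingress zone ANY,
    egress zone docker, rich rule 'source not address=127.0.0.1 reject'."""
    if netfilter_path(pkt) != "FORWARD":
        return "not consulted"   # policies only apply to forwarded packets
    if pkt.dst not in DOCKER_NET:
        return "not consulted"   # not leaving through the docker zone
    if pkt.src != ip_address("127.0.0.1"):
        return "reject"
    return "accept"


# External client reaching a container (after Docker's DNAT of a published port).
EXTERNAL = Packet(ip_address("203.0.113.5"), ip_address("172.17.0.2"))
# Loopback traffic: the only packets that carry source 127.0.0.1 are generated
# locally and addressed to the host, so they are never forwarded.
LOOPBACK = Packet(ip_address("127.0.0.1"), ip_address("127.0.0.1"), True)
# External traffic to the host's own address, handled in INPUT, not by the policy.
TO_HOST = Packet(ip_address("203.0.113.5"), ip_address("198.51.100.10"))

if __name__ == "__main__":
    for name, pkt in [("external", EXTERNAL), ("loopback", LOOPBACK), ("to_host", TO_HOST)]:
        print(f"{name}: {netfilter_path(pkt)} -> {world_to_docker(pkt)}")
```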