Hello,
I'm running a standalone Atomic Registry system and I'm wondering how to secure this with firewalld.
By default, the Docker containers that support this app listen on ports 5000, 8443, and 9090.
Even though firewalld is running on my system, when I start the Atomic Registry containers, I can reach those TCP ports directly. It seems that Docker is inserting additional firewall rules to allow inbound traffic apart from firewalld.
The Atomic Registry containers need to be able to contact each other on the local host system, and send outbound traffic, but that is all. I don't want anyone on the network to reach tcp/5000 directly, for example.
How can I use firewalld to close off those ports from the internet?
The best option I've found so far is to add "--iptables=false" to /etc/sysconfig/docker, and then use the following iptables commands:
# iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
# iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
I'm not sure if those are the best ones, or what the firewall-cmd equivalents would be?
firewalld-users@lists.fedorahosted.org
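The three iptables rules in the post expressed as firewalld direct rules, plus a check that the registry ports are not opened in the public zone. This is an added example, not code from the post or from the firewalld or Docker projects; it assumes the interface names eth0/docker0 and the 172.17.0.0/16 bridge subnet from the post (override with EXT_IF, DOCKER_IF, DOCKER_NET) and assumes firewall-cmd is on the PATH (override with FWCMD, e.g. FWCMD=echo for a dry run).

```shell
#!/bin/sh
# Assumed values taken from the post; adjust to the real host.
EXT_IF="${EXT_IF:-eth0}"
DOCKER_IF="${DOCKER_IF:-docker0}"
DOCKER_NET="${DOCKER_NET:-172.17.0.0/16}"
FWCMD="${FWCMD:-firewall-cmd}"
ZONE="${ZONE:-public}"
# Ports the Atomic Registry containers listen on (from the post).
REGISTRY_PORTS="5000/tcp 8443/tcp 9090/tcp"

# Print one firewall-cmd argument list per line: the two FORWARD accepts
# and the source-restricted MASQUERADE, as firewalld "direct" rules.
# (--add-masquerade on the zone would also work but NATs all forwarded
# traffic, not just the Docker subnet.)
docker_fw_rules() {
    cat <<EOF
--permanent --direct --add-rule ipv4 filter FORWARD 0 -i $DOCKER_IF -o $EXT_IF -j ACCEPT
--permanent --direct --add-rule ipv4 filter FORWARD 0 -i $EXT_IF -o $DOCKER_IF -j ACCEPT
--permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s $DOCKER_NET ! -d $DOCKER_NET -j MASQUERADE
EOF
}

# Number of rules that would be installed.
rule_count() {
    docker_fw_rules | grep -c .
}

# Install the rules permanently and reload. Word-splitting of $line is
# intended: each line is a complete argument list for firewall-cmd.
apply_rules() {
    docker_fw_rules | while IFS= read -r line; do
        # shellcheck disable=SC2086
        $FWCMD $line
    done
    $FWCMD --reload
}

# Given the output of "firewall-cmd --zone=$ZONE --list-ports", return 0 if
# none of the registry ports is opened in the zone, 1 (and the offending
# port on stdout) otherwise.
check_ports_closed() {
    open_ports="$1"
    status=0
    for p in $REGISTRY_PORTS; do
        case " $open_ports " in
            *" $p "*) echo "$p is open in zone $ZONE"; status=1 ;;
        esac
    done
    return $status
}

case "${1:-}" in
    apply) apply_rules ;;
    check) check_ports_closed "$($FWCMD --zone="$ZONE" --list-ports)" ;;
esac
```

Run `sh docker-fw.sh apply` once to install the rules, then `sh docker-fw.sh check` to confirm 5000, 8443 and 9090 are not listed in the zone. With `--iptables=false`, Docker no longer adds its own DNAT/FORWARD rules ahead of firewalld, so whether a published port is reachable from the network is decided by the zone the external interface is in; the containers still reach each other over docker0 and reach the outside through the MASQUERADE rule.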