The shorewall documentation explains in http://shorewall.org/Docker.html how to configure shorewall for use with docker. The problem with the configuration is that it only allows connections from the host to the main bridge docker0. Connections to other networks on dynamically created bridges, with names starting by default with br-, are blocked. Instead of the recommended contents of /etc/shorewall/interfaces, use wild-card interface names as follows:
```
#ZONE INTERFACE OPTIONS
#dock docker0   bridge   # disabled default recommendation
dock  docker0   physical=docker+,routeback=1
dock  br        physical=br-+,routeback=1
```
This declares interfaces with names starting with docker, including the default docker0, and starting with br- to be in the dock zone.
For the rest of the configuration, follow the shorewall documentation as is.
This setup fixes problems running composite apps set up manually or using docker-compose.
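As an added example (not part of the answer above, and not Shorewall's own tooling), the following POSIX shell script shows why the wildcard entries matter: it reads a Shorewall-style interfaces file, turns the trailing "+" wildcard into a shell glob, and reports which Docker-managed bridges on the host (docker*, br-*) are not covered by any zone entry. The interfaces file contents and the list of link names are constructed samples embedded in the script; on a real host the link names would come from `ip -o link`. The script assumes first-match semantics for overlapping entries, which is a simplification of Shorewall's own rules.

```shell
#!/bin/sh
# Added example: check that every Docker bridge on the host is covered by a
# zone entry in a Shorewall-style /etc/shorewall/interfaces file.

# Constructed sample in the form the answer recommends (wildcard entries).
SAMPLE_INTERFACES='#ZONE INTERFACE OPTIONS
net  eth0
dock docker0 physical=docker+,routeback=1
dock br      physical=br-+,routeback=1'

# Constructed sample of the documentation's default recommendation (docker0 only).
DEFAULT_INTERFACES='#ZONE INTERFACE OPTIONS
net  eth0
dock docker0 bridge'

# Constructed sample of link names; on a real host use: ip -o link | awk -F': ' '{print $2}'
SAMPLE_LINKS='lo eth0 docker0 br-61206706fa14 br-0123456789ab virbr0'

# Print "zone glob" for each data line of the interfaces file given in $1.
# A physical=NAME option overrides the INTERFACE column; Shorewall's trailing
# "+" means "any suffix", which becomes "*" in shell glob syntax.
shorewall_patterns() {
    printf '%s\n' "$1" | while read -r zone iface opts; do
        case "$zone" in ''|'#'*) continue ;; esac   # skip blanks and comments
        phys="$iface"
        case ",$opts," in
            *,physical=*) phys=$(printf '%s' ",$opts," | sed 's/.*,physical=\([^,]*\),.*/\1/') ;;
        esac
        case "$phys" in
            *+) phys="${phys%+}*" ;;
        esac
        printf '%s %s\n' "$zone" "$phys"
    done
}

# Print the zone that claims interface $1 under the interfaces file in $2.
# Returns 1 (prints nothing) when no entry matches.
zone_for_interface() {
    shorewall_patterns "$2" | {
        while read -r zone glob; do
            case "$1" in
                $glob) printf '%s\n' "$zone"; exit 0 ;;   # unquoted: glob match
            esac
        done
        exit 1
    }
}

# Print each Docker-managed bridge from the space-separated list in $1 that
# no entry of the interfaces file in $2 covers.
unzoned_docker_bridges() {
    for iface in $1; do
        case "$iface" in
            docker*|br-*) zone_for_interface "$iface" "$2" >/dev/null || printf '%s\n' "$iface" ;;
        esac
    done
}

# Stand-alone run: compare the default recommendation with the wildcard variant.
echo "Bridges left without a zone by the default recommendation:"
unzoned_docker_bridges "$SAMPLE_LINKS" "$DEFAULT_INTERFACES"
echo "Bridges left without a zone by the wildcard entries:"
unzoned_docker_bridges "$SAMPLE_LINKS" "$SAMPLE_INTERFACES"
```

With the default entry only docker0 is zoned, so both br-* bridges are reported; with the wildcard entries the list is empty, and the unrelated virbr0 is correctly not treated as a Docker bridge by the check.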
I actually configured it how you described, but for some reason shorewall removes some of the docker rules on a restart.
```
root@dk1:~# iptables -L -v | grep DOCKER
 5427 2371K DOCKER-USER  all  --  any    any     anywhere             anywhere
 5427 2371K DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
  177 10552 DOCKER     all  --  any    br-61206706fa14  anywhere             anywhere
 1615  282K DOCKER     all  --  any    any     anywhere             anywhere
Chain DOCKER (3 references)
Chain DOCKER-USER (1 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere
  432  126K DOCKER-ISOLATION-STAGE-2  all  --  br-61206706fa14 !br-61206706fa14  anywhere             anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
```

```
systemctl restart shorewall.service
```

```
root@dk1:~# iptables -L -v | grep DOCKER
  124 56242 DOCKER-USER  all  --  any    any     anywhere             anywhere
  124 56242 DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
   21  2308 DOCKER     all  --  any    any     anywhere             anywhere
Chain DOCKER (2 references)
Chain DOCKER-ISOLATION (1 references)
Chain DOCKER-USER (1 references)
root@dk1:~# apt-show-versions shorewall docker-ce
docker-ce:amd64/buster 5:19.03.6~3-0~debian-buster uptodate
shorewall:all/buster 5.2.3.2-1 uptodate
```
As far as I understand, this issue should already be fixed since 5.2.1.1, but I am still facing it.
Any idea what could be wrong?