The shorewall documentation explains in http://shorewall.org/Docker.html how to configure shorewall for use with docker. The problem with that configuration is that it only covers the main bridge docker0: connections from the host to containers on docker0 work, but connections to other networks on dynamically created bridges, whose names start by default with br-, are blocked because those interfaces belong to no zone. Instead of the recommended contents of /etc/shorewall/interfaces, use wild-card interface names as follows:
#ZONE INTERFACE OPTIONS
#dock docker0 bridge # disabled default recommendation
dock docker0 physical=docker+,routeback=1
dock br physical=br-+,routeback=1
This declares interfaces with names starting with docker, including the default docker0, and interfaces with names starting with br- to be in the dock zone. The routeback=1 option is needed because containers on the same bridge talk to each other through that bridge, so their traffic enters and leaves the host on the same interface, which shorewall rejects unless routeback is set.
For the rest of the configuration, follow the shorewall documentation as is.
This setup fixes problems running composite apps set up manually or with docker-compose, which creates a separate user-defined network, and therefore a separate br- bridge, for each project.
Instead of using the DOCKER-USER chain, I set up rules in shorewall that filter connections to or from the dock zone. For more fine-grained control, you can use docker's advanced networking options, either on the docker run command line or in docker-compose.yml, to control the interface or IP address used by a container. That way, you can write specific filter rules in shorewall without having to inspect the container's configuration, which might change when the container gets re-created. This is very similar to how I set up filtering for full-blown virtual machines.
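As an added, worked example (not part of the original page and not taken from the shorewall or docker projects): a docker-compose project that pins its bridge name, subnet and container address, together with the shorewall zone, policy and rule entries that refer to those fixed values. The network name webnet, the bridge name br-webnet, the subnet 172.28.0.0/24, the address 172.28.0.10 and the ports are assumptions chosen for illustration, and the policy lines are a deliberately tight variant of a two-zone (fw/net) setup with the dock zone added, not a copy of the shorewall documentation's recommendations.

```text
# ---- docker-compose.yml (constructed example) ----
# The bridge-driver option com.docker.network.bridge.name fixes the host-side
# interface name, so it matches the br-+ wildcard and survives
# "docker-compose down && docker-compose up". The ipam subnet plus
# ipv4_address pin the container's address across re-creation.
version: "3.7"
services:
  web:
    image: nginx:alpine
    networks:
      webnet:
        ipv4_address: 172.28.0.10
networks:
  webnet:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br-webnet
    ipam:
      config:
        - subnet: 172.28.0.0/24

# ---- /etc/shorewall/shorewall.conf (one setting) ----
# Required so shorewall preserves docker's own chains on restart.
DOCKER=Yes

# ---- /etc/shorewall/zones ----
#ZONE   TYPE
fw      firewall
net     ipv4
dock    ipv4

# ---- /etc/shorewall/interfaces ----
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter
dock    docker0     physical=docker+,routeback=1
dock    br          physical=br-+,routeback=1

# ---- /etc/shorewall/policy ----
#SOURCE  DEST   POLICY   LOGLEVEL
$FW      net    ACCEPT
$FW      dock   REJECT   info      # host reaches containers only via explicit rules
dock     net    ACCEPT             # containers may reach the internet
dock     $FW    REJECT   info      # containers may not talk to host services
net      all    DROP     info
all      all    REJECT   info

# ---- /etc/shorewall/rules ----
#ACTION  SOURCE   DEST               PROTO  DPORT
# The host may talk to the pinned web container on port 80 only; the
# address is stable because docker-compose.yml fixes it.
ACCEPT   $FW      dock:172.28.0.10   tcp    80
# Expose the container to the outside world through shorewall's own DNAT.
# Only do this if the port is NOT published with -p / "ports:", because
# docker then installs its own DNAT in the nat DOCKER chain.
DNAT     net      dock:172.28.0.10   tcp    80
```

After changing the files, run shorewall check and then shorewall restart; verify the result with docker network inspect webnet (bridge name and subnet) and with shorewall show dock2fw / fw2dock to confirm that only the listed rules accept traffic for the pinned address.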
The alternative is to use iptables to manipulate the DOCKER-USER chain, which is not managed directly by shorewall.