/ferm-docker.conf
Created May 5, 2017
Ferm for Docker (IPv4 only)
| # -*- shell-script -*- | |
| # | |
| # Configuration file for ferm(1). | |
| # | |
| # Chain policies | |
| # We define our Docker IPv4 ranges | |
| @def $DOCKER_RANGE = (172.16.0.0/12); | |
| # We drop INPUT/FORWARD by default and ACCEPT output | |
| domain (ip) { | |
| table filter { | |
| chain (INPUT FORWARD) policy DROP; | |
| chain OUTPUT policy ACCEPT; | |
| } | |
| } | |
| # Loopback | |
| domain (ip) table filter { | |
| chain INPUT interface lo ACCEPT; | |
| chain OUTPUT outerface lo ACCEPT; | |
| } | |
| # ICMP (kernel does rate-limiting) | |
| domain (ip) table filter chain (INPUT OUTPUT) protocol icmp ACCEPT; | |
| # Invalid | |
| domain (ip) table filter chain INPUT mod state state INVALID DROP; | |
| # Established/related connections | |
| domain (ip) table filter chain (INPUT OUTPUT) mod state state (ESTABLISHED RELATED) ACCEPT; | |
| # We define our opened ports | |
| domain (ip) table filter chain INPUT { | |
| # SSH | |
| proto tcp dport ssh ACCEPT; | |
| # HTTP | |
| proto tcp dport http ACCEPT; | |
| } | |
| # Docker IPv4 config | |
| domain ip { | |
| table filter { | |
| chain FORWARD { | |
| # Replace isolation between containers networks | |
| saddr 172.16.0.0/16 daddr 172.16.0.0/16 ACCEPT; | |
| saddr 172.17.0.0/16 daddr 172.17.0.0/16 ACCEPT; | |
| saddr 172.18.0.0/16 daddr 172.18.0.0/16 ACCEPT; | |
| saddr 172.19.0.0/16 daddr 172.19.0.0/16 ACCEPT; | |
| saddr 172.20.0.0/16 daddr 172.20.0.0/16 ACCEPT; | |
| saddr 172.21.0.0/16 daddr 172.21.0.0/16 ACCEPT; | |
| saddr 172.22.0.0/16 daddr 172.22.0.0/16 ACCEPT; | |
| saddr 172.23.0.0/16 daddr 172.23.0.0/16 ACCEPT; | |
| saddr 172.24.0.0/16 daddr 172.24.0.0/16 ACCEPT; | |
| saddr 172.25.0.0/16 daddr 172.25.0.0/16 ACCEPT; | |
| saddr 172.26.0.0/16 daddr 172.26.0.0/16 ACCEPT; | |
| saddr 172.27.0.0/16 daddr 172.27.0.0/16 ACCEPT; | |
| saddr 172.28.0.0/16 daddr 172.28.0.0/16 ACCEPT; | |
| saddr 172.29.0.0/16 daddr 172.29.0.0/16 ACCEPT; | |
| saddr 172.30.0.0/16 daddr 172.30.0.0/16 ACCEPT; | |
| saddr 172.31.0.0/16 daddr 172.31.0.0/16 ACCEPT; | |
| saddr @ipfilter($DOCKER_RANGE) daddr @ipfilter($DOCKER_RANGE) REJECT; | |
| saddr @ipfilter($DOCKER_RANGE) ACCEPT; | |
| daddr @ipfilter($DOCKER_RANGE) ACCEPT; | |
| } | |
| } | |
| # Create MASQUERADE for IPv4 ranges | |
| table nat { | |
| chain POSTROUTING { | |
| saddr @ipfilter($DOCKER_RANGE) MASQUERADE; | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment