Ferm for Docker (IPv4 only)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- shell-script -*- | |
| # | |
| # Configuration file for ferm(1). | |
| # | |
| # Chain policies | |
| # We define our Docker IPv4 ranges | |
| @def $DOCKER_RANGE = (172.16.0.0/12); | |
| # We drop INPUT/FORWARD by default and ACCEPT output | |
| domain (ip) { | |
| table filter { | |
| chain (INPUT FORWARD) policy DROP; | |
| chain OUTPUT policy ACCEPT; | |
| } | |
| } | |
| # Loopback | |
| domain (ip) table filter { | |
| chain INPUT interface lo ACCEPT; | |
| chain OUTPUT outerface lo ACCEPT; | |
| } | |
| # ICMP (kernel does rate-limiting) | |
| domain (ip) table filter chain (INPUT OUTPUT) protocol icmp ACCEPT; | |
| # Invalid | |
| domain (ip) table filter chain INPUT mod state state INVALID DROP; | |
| # Established/related connections | |
| domain (ip) table filter chain (INPUT OUTPUT) mod state state (ESTABLISHED RELATED) ACCEPT; | |
| # We define our opened ports | |
| domain (ip) table filter chain INPUT { | |
| # SSH | |
| proto tcp dport ssh ACCEPT; | |
| # HTTP | |
| proto tcp dport http ACCEPT; | |
| } | |
| # Docker IPv4 config | |
| domain ip { | |
| table filter { | |
| chain FORWARD { | |
| # Replace isolation between containers networks | |
| saddr 172.16.0.0/16 daddr 172.16.0.0/16 ACCEPT; | |
| saddr 172.17.0.0/16 daddr 172.17.0.0/16 ACCEPT; | |
| saddr 172.18.0.0/16 daddr 172.18.0.0/16 ACCEPT; | |
| saddr 172.19.0.0/16 daddr 172.19.0.0/16 ACCEPT; | |
| saddr 172.20.0.0/16 daddr 172.20.0.0/16 ACCEPT; | |
| saddr 172.21.0.0/16 daddr 172.21.0.0/16 ACCEPT; | |
| saddr 172.22.0.0/16 daddr 172.22.0.0/16 ACCEPT; | |
| saddr 172.23.0.0/16 daddr 172.23.0.0/16 ACCEPT; | |
| saddr 172.24.0.0/16 daddr 172.24.0.0/16 ACCEPT; | |
| saddr 172.25.0.0/16 daddr 172.25.0.0/16 ACCEPT; | |
| saddr 172.26.0.0/16 daddr 172.26.0.0/16 ACCEPT; | |
| saddr 172.27.0.0/16 daddr 172.27.0.0/16 ACCEPT; | |
| saddr 172.28.0.0/16 daddr 172.28.0.0/16 ACCEPT; | |
| saddr 172.29.0.0/16 daddr 172.29.0.0/16 ACCEPT; | |
| saddr 172.30.0.0/16 daddr 172.30.0.0/16 ACCEPT; | |
| saddr 172.31.0.0/16 daddr 172.31.0.0/16 ACCEPT; | |
| saddr @ipfilter($DOCKER_RANGE) daddr @ipfilter($DOCKER_RANGE) REJECT; | |
| saddr @ipfilter($DOCKER_RANGE) ACCEPT; | |
| daddr @ipfilter($DOCKER_RANGE) ACCEPT; | |
| } | |
| } | |
| # Create MASQUERADE for IPv4 ranges | |
| table nat { | |
| chain POSTROUTING { | |
| saddr @ipfilter($DOCKER_RANGE) MASQUERADE; | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment