Ferm for Docker (IPv4 only)

## ferm-docker.conf
# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#
# Chain policies

# We define our Docker IPv4 ranges
@def $DOCKER_RANGE      = (172.16.0.0/12);

# We drop INPUT/FORWARD by default and ACCEPT output
domain (ip) {
 table filter {
  chain (INPUT FORWARD) policy DROP;
  chain OUTPUT policy ACCEPT;
 }
}

# Loopback
domain (ip) table filter {
 chain INPUT interface lo ACCEPT;
 chain OUTPUT outerface lo ACCEPT;
}

# ICMP (kernel does rate-limiting)
domain (ip) table filter chain (INPUT OUTPUT) protocol icmp ACCEPT;

# Invalid
domain (ip) table filter chain INPUT mod state state INVALID DROP;

# Established/related connections
domain (ip) table filter chain (INPUT OUTPUT) mod state state (ESTABLISHED RELATED) ACCEPT;

# We define our opened ports
domain (ip) table filter chain INPUT {
        # SSH
        proto tcp dport ssh ACCEPT;
        # HTTP
        proto tcp dport http ACCEPT;
}

# Docker IPv4 config
domain ip {
  table filter {
    chain FORWARD {
        # Replace isolation between containers networks
        saddr 172.16.0.0/16 daddr 172.16.0.0/16 ACCEPT;
        saddr 172.17.0.0/16 daddr 172.17.0.0/16 ACCEPT;
        saddr 172.18.0.0/16 daddr 172.18.0.0/16 ACCEPT;
        saddr 172.19.0.0/16 daddr 172.19.0.0/16 ACCEPT;
        saddr 172.20.0.0/16 daddr 172.20.0.0/16 ACCEPT;
        saddr 172.21.0.0/16 daddr 172.21.0.0/16 ACCEPT;
        saddr 172.22.0.0/16 daddr 172.22.0.0/16 ACCEPT;
        saddr 172.23.0.0/16 daddr 172.23.0.0/16 ACCEPT;
        saddr 172.24.0.0/16 daddr 172.24.0.0/16 ACCEPT;
        saddr 172.25.0.0/16 daddr 172.25.0.0/16 ACCEPT;
        saddr 172.26.0.0/16 daddr 172.26.0.0/16 ACCEPT;
        saddr 172.27.0.0/16 daddr 172.27.0.0/16 ACCEPT;
        saddr 172.28.0.0/16 daddr 172.28.0.0/16 ACCEPT;
        saddr 172.29.0.0/16 daddr 172.29.0.0/16 ACCEPT;
        saddr 172.30.0.0/16 daddr 172.30.0.0/16 ACCEPT;
        saddr 172.31.0.0/16 daddr 172.31.0.0/16 ACCEPT;
        saddr @ipfilter($DOCKER_RANGE) daddr @ipfilter($DOCKER_RANGE) REJECT;
        saddr @ipfilter($DOCKER_RANGE) ACCEPT;
        daddr @ipfilter($DOCKER_RANGE) ACCEPT;
    }
  }
  # Create MASQUERADE for IPv4 ranges
  table nat {
        chain POSTROUTING {
             saddr @ipfilter($DOCKER_RANGE)  MASQUERADE;
        }
    }
}
	# -- shell-script --
	#
	# Configuration file for ferm(1).
	#
	# Chain policies

	# We define our Docker IPv4 ranges
	@def $DOCKER_RANGE = (172.16.0.0/12);

	# We drop INPUT/FORWARD by default and ACCEPT output
	domain (ip) {
	table filter {
	chain (INPUT FORWARD) policy DROP;
	chain OUTPUT policy ACCEPT;
	}
	}

	# Loopback
	domain (ip) table filter {
	chain INPUT interface lo ACCEPT;
	chain OUTPUT outerface lo ACCEPT;
	}

	# ICMP (kernel does rate-limiting)
	domain (ip) table filter chain (INPUT OUTPUT) protocol icmp ACCEPT;

	# Invalid
	domain (ip) table filter chain INPUT mod state state INVALID DROP;

	# Established/related connections
	domain (ip) table filter chain (INPUT OUTPUT) mod state state (ESTABLISHED RELATED) ACCEPT;

	# We define our opened ports
	domain (ip) table filter chain INPUT {
	# SSH
	proto tcp dport ssh ACCEPT;
	# HTTP
	proto tcp dport http ACCEPT;
	}

	# Docker IPv4 config
	domain ip {
	table filter {
	chain FORWARD {
	# Replace isolation between containers networks
	saddr 172.16.0.0/16 daddr 172.16.0.0/16 ACCEPT;
	saddr 172.17.0.0/16 daddr 172.17.0.0/16 ACCEPT;
	saddr 172.18.0.0/16 daddr 172.18.0.0/16 ACCEPT;
	saddr 172.19.0.0/16 daddr 172.19.0.0/16 ACCEPT;
	saddr 172.20.0.0/16 daddr 172.20.0.0/16 ACCEPT;
	saddr 172.21.0.0/16 daddr 172.21.0.0/16 ACCEPT;
	saddr 172.22.0.0/16 daddr 172.22.0.0/16 ACCEPT;
	saddr 172.23.0.0/16 daddr 172.23.0.0/16 ACCEPT;
	saddr 172.24.0.0/16 daddr 172.24.0.0/16 ACCEPT;
	saddr 172.25.0.0/16 daddr 172.25.0.0/16 ACCEPT;
	saddr 172.26.0.0/16 daddr 172.26.0.0/16 ACCEPT;
	saddr 172.27.0.0/16 daddr 172.27.0.0/16 ACCEPT;
	saddr 172.28.0.0/16 daddr 172.28.0.0/16 ACCEPT;
	saddr 172.29.0.0/16 daddr 172.29.0.0/16 ACCEPT;
	saddr 172.30.0.0/16 daddr 172.30.0.0/16 ACCEPT;
	saddr 172.31.0.0/16 daddr 172.31.0.0/16 ACCEPT;
	saddr @ipfilter($DOCKER_RANGE) daddr @ipfilter($DOCKER_RANGE) REJECT;
	saddr @ipfilter($DOCKER_RANGE) ACCEPT;
	daddr @ipfilter($DOCKER_RANGE) ACCEPT;
	}
	}
	# Create MASQUERADE for IPv4 ranges
	table nat {
	chain POSTROUTING {
	saddr @ipfilter($DOCKER_RANGE) MASQUERADE;
	}
	}
	}