Ferm for Docker (IPv4 only)
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
# Chain policies
#
# Docker's IPv4 address pool. Every container-network rule further down
# (FORWARD accept/reject and the POSTROUTING masquerade) is derived from
# this single definition, so a network outside it is neither forwarded
# nor masqueraded.
# NOTE(review): newer Docker releases may also carve user-defined networks
# out of 192.168.0.0/16 once the 172.16.0.0/12 pool is used up; such a
# network would fall outside $DOCKER_RANGE and hit the FORWARD DROP policy
# below -- confirm the daemon's default address pool matches this range.
@def $DOCKER_RANGE = (172.16.0.0/12);

# Default-deny for traffic entering or transiting the host; traffic
# originating on the host itself is allowed out.
domain ip table filter chain (INPUT FORWARD) policy DROP;
domain ip table filter chain OUTPUT policy ACCEPT;
# Baseline host rules: loopback, ICMP and connection tracking.
# Rules are grouped per chain; the relative order inside each chain is
# what matters to iptables and is unchanged (lo, icmp, INVALID, conntrack).
# Note that only INPUT and OUTPUT are covered here: FORWARD has no
# conntrack or INVALID rule and is governed solely by the Docker rules
# later in this file.
domain ip table filter {
    chain INPUT {
        # Loopback
        interface lo ACCEPT;
        # ICMP (kernel does rate-limiting)
        protocol icmp ACCEPT;
        # Packets conntrack cannot associate with any connection
        mod state state INVALID DROP;
        # Replies and related flows of connections already allowed
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    chain OUTPUT {
        # Loopback
        outerface lo ACCEPT;
        # ICMP (kernel does rate-limiting)
        protocol icmp ACCEPT;
        # Replies and related flows of connections already allowed
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}
# Host services reachable from outside.
# The list expands to one rule per service name, in list order
# (ssh first, then http), exactly as two separate statements would.
domain ip table filter chain INPUT proto tcp dport (ssh http) ACCEPT;
# Docker IPv4 config
#
# These rules take over the forwarding and NAT that dockerd would normally
# install itself.
# NOTE(review): this presumes dockerd's own iptables management is turned
# off (e.g. --iptables=false); if Docker still manages iptables, its
# DOCKER* chains need `@preserve` in this file or ferm's flush removes them
# on every reload -- confirm the daemon settings.

# Accept forwarded traffic that stays inside one /16 container network.
@def &SAME_NET($net) = saddr $net daddr $net ACCEPT;

domain ip table filter chain FORWARD {
    # Replaces Docker's own inter-network isolation: each /16 of the pool
    # may talk to itself, anything else that is container-to-container is
    # rejected (see the REJECT below).
    # NOTE(review): isolation is enforced at /16 granularity only -- two
    # Docker networks with smaller subnets inside the same /16 would not be
    # isolated from each other by these rules; confirm network subnet sizes.
    &SAME_NET(172.16.0.0/16);
    &SAME_NET(172.17.0.0/16);
    &SAME_NET(172.18.0.0/16);
    &SAME_NET(172.19.0.0/16);
    &SAME_NET(172.20.0.0/16);
    &SAME_NET(172.21.0.0/16);
    &SAME_NET(172.22.0.0/16);
    &SAME_NET(172.23.0.0/16);
    &SAME_NET(172.24.0.0/16);
    &SAME_NET(172.25.0.0/16);
    &SAME_NET(172.26.0.0/16);
    &SAME_NET(172.27.0.0/16);
    &SAME_NET(172.28.0.0/16);
    &SAME_NET(172.29.0.0/16);
    &SAME_NET(172.30.0.0/16);
    &SAME_NET(172.31.0.0/16);
    # Cross-network container traffic that was not accepted above
    saddr @ipfilter($DOCKER_RANGE) daddr @ipfilter($DOCKER_RANGE) REJECT;
    # Containers may reach anything outside the pool.
    saddr @ipfilter($DOCKER_RANGE) ACCEPT;
    # Anything addressed into the pool is forwarded regardless of
    # connection state (no conntrack qualifier): this is what lets
    # DNAT'd published ports reach their container.
    daddr @ipfilter($DOCKER_RANGE) ACCEPT;
}

# Source-NAT for containers leaving the host. Matches every packet sourced
# from the pool on any outgoing interface (no outerface restriction).
domain ip table nat chain POSTROUTING saddr @ipfilter($DOCKER_RANGE) MASQUERADE;