What is the correct way to set up firewall rules?

Hello Everyone,

I’ve upgraded from openSUSE Leap 15.2 to 15.3. I’m confused about how to set up the firewall.

In 15.2, I could set up the firewall using either yast, firewall-cmd or iptables (e.g. open tcp port 80). All of these commands synchronized with each other. In other words, if I opened tcp port 80 in yast, it also showed up automatically in “firewall-cmd --list-all” and “iptables -S”.

But in 15.3, if I set up the firewall in yast (open tcp port 80), it does not show up in iptables. Then when I use the iptables command to add a new rule, for example to open port 443/tcp, it overwrites the setting from yast, so 80/tcp is closed and only 443/tcp is open.

I’m confused, because I also use docker. Docker inserts iptables rules. I also have a custom bash script that uses firewall-cmd commands to set up the firewall. In 15.3, the firewall setting is messed up in my situation. :’(

Does anyone have good suggestions? Thank you.

Best regards,

Firewalld is now using nftables by default. (However you can change that if desired.)
https://firewalld.org/2018/07/nftables-backend

BTW, if you prefer GUI configuration, consider using firewall-config.

@suseoes:

Please take a look at the “iptables-nft” package and this blog entry: <https://ehlers.berlin/blog/nftables-and-docker/>.

  • It seems that, currently, Docker doesn’t support nftables directly …

Thank you, guys.

As https://firewalld.org/2018/07/nftables-backend says:

firewall rules created outside of firewalld (e.g. libvirt, docker, user, etc) will take precedence over firewalld’s rules.

I made several tests, adding iptables rules manually, and found that:

1. Rule 1
It looks like “iptables” is an independent firewall. If a packet passes through “iptables”, it must then go through “firewalld’s rules”; if both firewalls pass it, it will reach its destination.

In other words, if a packet is rejected by either of these two independent firewalls, it cannot reach its destination.

This rule works for a service on the local host, for example when I install nginx on localhost on port 80.

2. Rule 2
If I use docker on the host, it looks like docker takes over “iptables” and “firewalld’s rules”. So Rule 1 does not work at all.

For example, I run nginx on port 8080 on the host with the command “docker run -d -p 8080:80 nginx”. Now, no matter how I set up iptables (including the “DOCKER-USER” chain) or firewalld to block port 8080, other machines can still reach port 8080 on the host.

Local services which do not use docker, for example the nginx on localhost on port 80 mentioned in Rule 1, continue to follow Rule 1.

Above all:
I will set

iptables -P INPUT ACCEPT

as the default. Then I will only use “firewall-cmd” to set up the firewall, without using “iptables” any more, and ignore the “iptables -S” output.

Am I right? :slight_smile:

Hoping that docker will embrace nftables soon.

Other useful links:

https://www.puzzle.ch/de/blog/articles/2021/07/05/containers-netfilter-iptables-nftables-teil-1
https://ungleich.ch/en-us/cms/blog/2018/08/18/iptables-vs-nftables/
https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables


+--------------+     +--------------+     +--------------+
|   iptables   |     |   iptables   |     |     nft      |   USER
|    legacy    |     |     nft      |     |  (nftables)  |   SPACE
+--------------+     +--------------+     +--------------+
       |                          |         |
====== | ===== KERNEL API ======= | ======= | =====================
       |                          |         |
+--------------+               +--------------+
|   iptables   |               |   nftables   |              KERNEL
|      API     |               |     API      |              SPACE
+--------------+               +--------------+
             |                    |         |
             |                    |         |
          +--------------+        |         |     +--------------+
          |   xtables    |--------+         +-----|   nftables   |
          |    match     |                        |    match     |
          +--------------+                        +--------------+

Please post real links by using the Globe (Link) from the toolbar.

https://www.puzzle.ch/de/blog/articles/2021/07/05/containers-netfilter-iptables-nftables-teil-1
https://ungleich.ch/en-us/cms/blog/2018/08/18/iptables-vs-nftables/
https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables

And those HTML tags work OK in this case, but what you show is not HTML; better use CODE (the # in the toolbar) in the future.

Show your actual configuration, not your vague description of how you interpret it.

iptables -L -n -v
nft list ruleset

And explain where “other machine” is located and how it accesses your docker application.

P.S. The output will likely be long; upload it to https://susepaste.org/

Sorry I made a mistake.

I tried it again today, and the docker application’s port can be blocked by

# iptables -I DOCKER-USER -p tcp --dport 8080 -j DROP

The test was made with a VM in VirtualBox with a “Host-only Adapter”.
“Other machine” means my host machine, which is running this VirtualBox VM.

After adding this iptables rule, I cannot reach port 8080 of this VM from my host machine.
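An added check, not from the thread, that shows why rule placement in DOCKER-USER matters: Docker itself appends a trailing `-j RETURN` to that chain, so a DROP added with `-A` lands after the RETURN and never matches, while the `-I` command above puts it first. The script parses constructed `iptables -S DOCKER-USER` output (sample text, not captured from the poster's system) and reports whether a published port is actually blocked and which rules are shadowed.

```python
import re

# Constructed `iptables -S DOCKER-USER` samples modelled on the 8080 case.
APPENDED = """-N DOCKER-USER
-A DOCKER-USER -j RETURN
-A DOCKER-USER -p tcp -m tcp --dport 8080 -j DROP
"""
INSERTED = """-N DOCKER-USER
-A DOCKER-USER -p tcp -m tcp --dport 8080 -j DROP
-A DOCKER-USER -j RETURN
"""

RULE_RE = re.compile(r"^-A DOCKER-USER(?P<match>.*?) -j (?P<target>\S+)")
EXIT_TARGETS = ("RETURN", "ACCEPT")

def parse_rules(output):
    """Return [(match_text, target)] in chain order; -N lines are skipped."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group("match").strip(), m.group("target")))
    return rules

def _matches_port(match, proto, port):
    # Read option/value pairs; negated options ("! -p") are not handled.
    toks = match.split()
    pairs = dict(zip(toks, toks[1:]))
    return pairs.get("-p") == proto and pairs.get("--dport") == str(port)

def port_is_blocked(output, port, proto="tcp"):
    """True if a DROP/REJECT for proto/port is reached before an
    unconditional RETURN/ACCEPT ends evaluation of DOCKER-USER."""
    for match, target in parse_rules(output):
        if match == "" and target in EXIT_TARGETS:
            return False          # chain exits before any later rule
        if target in ("DROP", "REJECT") and _matches_port(match, proto, port):
            return True
    return False

def shadowed_rules(output):
    """Rules placed after an unconditional RETURN/ACCEPT; they never fire."""
    dead, exited = [], False
    for match, target in parse_rules(output):
        if exited:
            dead.append((match, target))
        elif match == "" and target in EXIT_TARGETS:
            exited = True
    return dead

if __name__ == "__main__":
    for name, out in (("-A", APPENDED), ("-I", INSERTED)):
        print(name, port_is_blocked(out, 8080), shadowed_rules(out))
```

On a real host, feed it the output of `iptables -S DOCKER-USER` instead of the constructed samples.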