-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi,
I am trying to set up a machine with some Docker containers, but the default SuSE firewall is interfering. Normally I would just add the required rules to iptables for NAT and forwarding, but it seems the SuSE firewall does not recognize the interface connected to Docker, so I cannot add rules to allow traffic to/from it. Is there a way to disable SuSEfirewall and just use plain old iptables?
-- Regards, Uzair Shamim
Uzair Shamim wrote:
I am trying to set up a machine with some Docker containers, but the default SuSE firewall is interfering. Normally I would just add the required rules to iptables for NAT and forwarding, but it seems the SuSE firewall does not recognize the interface connected to Docker, so I cannot add rules to allow traffic to/from it. Is there a way to disable SuSEfirewall and just use plain old iptables?
Yep, that's exactly what you do - disable (or even uninstall) the openSUSE firewall, then add your own iptables script.
On Tue, Apr 28, 2015 at 10:43:07AM +0200, Per Jessen wrote:
Uzair Shamim wrote:
I am trying to set up a machine with some Docker containers, but the default SuSE firewall is interfering. Normally I would just add the required rules to iptables for NAT and forwarding, but it seems the SuSE firewall does not recognize the interface connected to Docker, so I cannot add rules to allow traffic to/from it. Is there a way to disable SuSEfirewall and just use plain old iptables?
Yep, that's exactly what you do - disable (or even uninstall) the openSUSE firewall, then add your own iptables script.
What interface is detected? SuSEfirewall would probably put it in the external zone by default.
Ciao, Marcus
On 04/28/2015 04:59 AM, Marcus Meissner wrote:
What interface is detected? SuSEfirewall would probably put it in the external zone by default.
Ciao, Marcus
@Per Jessen So it's fine if I just disable SuSEfirewall and then build iptables as desired? Obviously I will have to add all the rules I need, but this won't cause any known issues? Sounds like a plan.
@Marcus Meissner SuSEfirewall does not detect the Docker interface. It is fine with non-Docker virtual interfaces (like those created by libvirt), but it seems it does not know how to handle the interface Docker creates. So since it relies on masquerade/port forwarding on an interface basis (rather than, say, with iptables alone, where you can just specify the IPs), it's unable to even be configured for this.
See: http://paste.opensuse.org/view/raw/59129206 and http://paste.opensuse.org/view/raw/17876326
-- Regards, Uzair Shamim
On 28.04.15 Uzair Shamim wrote:
SuSEfirewall does not detect the Docker interface. It is fine with non-Docker virtual interfaces (like those created by libvirt), but it seems it does not know how to handle the interface Docker creates. So since it relies on masquerade/port forwarding on an interface basis (rather than, say, with iptables alone, where you can just specify the IPs), it's unable to even be configured for this.
I would also guess that restarting SuSEfirewall2 completely erases all iptables rules that Docker might or might not have set before.
At least that is what happens with libvirt rules...
Johannes
On 04/28/2015 10:41 AM, Johannes Kastl wrote:
I would also guess that restarting SuSEfirewall2 completely erases all iptables rules that Docker might or might not have set before.
At least that is what happens with libvirt rules...
Johannes
I don't think Docker set any rules, but either way, yes, SuSEfirewall erases any rules that were in before. WRT libvirt, you can just restart the libvirtd service and that brings the rules back.
But now I am just using plain iptables and it's working great. Thanks again to everyone for the help :)
-- Regards, Uzair Shamim
On 04/28/2015 10:34 AM, Uzair Shamim wrote:
@Per Jessen So it's fine if I just disable SuSEfirewall and then build iptables as desired? Obviously I will have to add all the rules I need, but this won't cause any known issues? Sounds like a plan.
Just tried this. There is no iptables service; how can I control (start/stop) iptables?
-- Regards, Uzair Shamim
On Tuesday 2015-04-28 17:29, Uzair Shamim wrote:
Just tried this. There is no iptables service
This is because iptables is not a service, it is more of a configuration setting that is, in essence, one-shot loaded like sysctl.
On 04/28/2015 12:40 PM, Jan Engelhardt wrote:
On Tuesday 2015-04-28 17:29, Uzair Shamim wrote:
Just tried this. There is no iptables service
This is because iptables is not a service, it is more of a configuration setting that is, in essence, one-shot loaded like sysctl.
Really? Because in Fedora/CentOS there is a service for iptables that you can stop/restart/start like any other service. Thanks though, I guess I can just add ACCEPT rules as needed. :)
-- Regards, Uzair Shamim
Uzair Shamim wrote:
Really? Because in Fedora/CentOS there is a service for iptables that you can stop/restart/start like any other service.
Which presumably means running iptables commands according to some configuration <somewhere>.
On Tue, 28 Apr 2015 19:57:50 +0200, Per Jessen per@computer.org wrote:
Uzair Shamim wrote:
Really? Because in Fedora/CentOS there is a service for iptables that you can stop/restart/start like any other service.
Which presumably means running iptables commands according to some configuration <somewhere>.
IIRC this old service simply did iptables-save/iptables-restore. This had the advantage of making plain "iptables" invocations suddenly persistent.
On 2015-04-28 19:46, Uzair Shamim wrote:
Really because in Fedora/CentOS there is a service for iptables that you can stop/restart/start like any other service. Thanks though, I guess I can just add ACCEPT rules as needed. :)
What about /etc/sysconfig/scripts/SuSEfirewall2-custom? You can add your commands in there.
-- Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
Uzair Shamim wrote:
@Per Jessen So it's fine if I just disable SuSEfirewall and then build iptables as desired? Obviously I will have to add all the rules I need, but this won't cause any known issues? Sounds like a plan.
Just tried this. There is no iptables service; how can I control (start/stop) iptables?
Apologies, I assumed you were familiar with how to build a firewall using iptables. It is typically just a script filled with iptables commands which construct the firewall setup. Such a script is easily called with a systemd service unit:
[Unit]
Description=firewall
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/firewall
ExecStop=/usr/sbin/firewall stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

If you don't have a firewall script/setup already built and ready to use, you're probably better off using the openSUSE firewall.
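The script that a unit like the one above would call is the part this thread never shows, so here is one as an added example. It is not SuSEfirewall2, not Docker's own rule set, and not Per's script; it assumes an external interface eth0, the docker0 bridge with Docker's default 172.17.0.0/16 subnet and SSH on tcp/22, all of which are adjustable through environment variables. It does what the original post asked for: a default-deny INPUT/FORWARD policy, masquerading for the container subnet, forwarding between docker0 and the outside, and port publishing by container IP rather than by interface. Because Docker (unless started with --iptables=false) inserts its own DOCKER chains into the nat and filter tables, running "start" flushes those too; either run the daemon with --iptables=false and publish ports with publish_tcp, or restart docker after the firewall service.

```shell
#!/bin/sh
# /usr/sbin/firewall -- plain iptables ruleset for a host running Docker
# containers, meant to be called from a systemd oneshot unit.
# Added example for this thread; not SuSEfirewall2 and not Docker's own rules.
# Assumed (adjust to your host): external interface eth0, Docker bridge docker0
# with Docker's default subnet 172.17.0.0/16, SSH on tcp/22.
set -eu

EXT_IF="${EXT_IF:-eth0}"
DOCKER_IF="${DOCKER_IF:-docker0}"
DOCKER_NET="${DOCKER_NET:-172.17.0.0/16}"
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"   # set IPTABLES and SYSCTL to "echo" for a dry run
SYSCTL="${SYSCTL:-/sbin/sysctl}"

ipt() { "$IPTABLES" "$@"; }

# Wipe every rule and user chain in the tables we manage (this also removes
# the DOCKER chains the daemon adds unless it runs with --iptables=false).
flush_all() {
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
}

# Publish a TCP port by container IP instead of by interface:
#   publish_tcp HOST_PORT CONTAINER_IP CONTAINER_PORT
publish_tcp() {
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2:$3"
    ipt -A FORWARD -i "$EXT_IF" -o "$DOCKER_IF" -p tcp -d "$2" --dport "$3" \
        -m conntrack --ctstate NEW -j ACCEPT
}

fw_start() {
    flush_all
    # Default deny for traffic to the host and through it; host-originated traffic out is allowed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Host: loopback, replies to our own connections, ICMP, SSH from outside.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -p icmp -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Policy choice: containers may reach services on the host, but only from the bridge subnet.
    ipt -A INPUT -i "$DOCKER_IF" -s "$DOCKER_NET" -j ACCEPT

    # Transit: containers out to the world and to each other, replies back in.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$DOCKER_IF" -o "$EXT_IF" -s "$DOCKER_NET" -j ACCEPT
    ipt -A FORWARD -i "$DOCKER_IF" -o "$DOCKER_IF" -j ACCEPT
    # NAT: masquerade the bridge subnet on every exit other than the bridge itself.
    ipt -t nat -A POSTROUTING -s "$DOCKER_NET" ! -o "$DOCKER_IF" -j MASQUERADE

    # Routing between interfaces is off by default; the rules above are useless without it.
    "$SYSCTL" -q -w net.ipv4.ip_forward=1
}

# "stop": flush everything and fall back to accept-all (what ExecStop calls).
fw_stop() {
    flush_all
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
}

case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
    "")    ;;    # no action given: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 start|stop" >&2; exit 1 ;;
esac
```

Since this script takes an explicit action, the unit above would use ExecStart=/usr/sbin/firewall start. Before enabling it, stop and disable the openSUSE units (on openSUSE 13.x these are SuSEfirewall2 and SuSEfirewall2_init), otherwise the next SuSEfirewall2 restart flushes these rules exactly as Johannes describes for libvirt. A dry run with IPTABLES=echo SYSCTL=echo ./firewall start prints the rules instead of loading them, which is a cheap way to review a ruleset before it goes live.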
On 04/28/2015 01:45 PM, Per Jessen wrote:
I am familiar with iptables, I am just used to being able to start and stop an iptables service in CentOS. I'll try this out, but it's not a big deal; I don't ever stop the firewall anyway.
-- Regards, Uzair Shamim
Uzair Shamim wrote:
@Per Jessen So it's fine if I just disable SuSEfirewall and then build iptables as desired? Obviously I will have to add all the rules I need, but this won't cause any known issues? Sounds like a plan.
That's what I do - I've had my own iptables (ipchains) firewall setup from way before SuSEfirewall; I've never had any reason to change. To my knowledge, SuSEfirewall is "just" a framework for managing an iptables firewall - I just use vi :-)