Untitled

a guest
Aug 9th, 2024

# Docker LXC Firewall Configuration

This README outlines the process for configuring the firewall on a Docker LXC to allow external access to Docker applications while maintaining security.

## Initial Setup

1. Backup existing configuration:

```sh
iptables-save > ~/iptables_backup_$(date +%Y%m%d).rules
iptables -L -v -n > ~/iptables_config_$(date +%Y%m%d).txt
```

2. Set default policies:

```sh
# Note: once INPUT is DROP and the rules from steps 3-5 are not yet present,
# an SSH session to the LXC will stall. When working remotely, add those
# rules first, or load the complete set in one step with iptables-restore.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
```

3. Allow established and related connections:

```sh
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

4. Allow loopback traffic:

```sh
iptables -A INPUT -i lo -j ACCEPT
```

5. Allow SSH (if needed):

```sh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```

6. Allow incoming traffic for Docker applications:

```sh
iptables -A INPUT -p tcp --dport 3000 -j ACCEPT # Homepage
iptables -A INPUT -p tcp --dport 9443 -j ACCEPT # Portainer
iptables -A INPUT -p tcp --dport 2283 -j ACCEPT # Immich
iptables -A INPUT -p tcp --dport 8099 -j ACCEPT # Octoprint
iptables -A INPUT -p tcp --dport 8443 -j ACCEPT # code-server
```

7. Allow local network traffic:

```sh
iptables -A INPUT -s 192.168.68.0/22 -j ACCEPT
```

8. Allow incoming traffic for Nginx Proxy Manager:

```sh
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
```

9. Allow Docker-related traffic:

```sh
iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
```

10. Save and persist rules:

```sh
# Install iptables-persistent first: the package creates /etc/iptables and
# reloads rules.v4 at boot, so the save target exists before it is written.
apt-get update
apt-get install iptables-persistent
iptables-save > /etc/iptables/rules.v4
```

11. Enable IP forwarding:

Edit `/etc/sysctl.conf` and ensure this line is present:

```
net.ipv4.ip_forward=1
```

Then apply changes:

```sh
sysctl -p
```

## Adding New Ports for Future Docker Apps

To add a new port for a future Docker application:

1. Add a new iptables rule:

```sh
iptables -A INPUT -p tcp --dport [NEW_PORT] -j ACCEPT
```

Replace [NEW_PORT] with the actual port number.

2. Save the updated rules:

```sh
iptables-save > /etc/iptables/rules.v4
```

3. Restart the iptables service or reboot the LXC to apply changes.

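The rules from steps 2 to 9 and the per-port rule above can also be produced as a single iptables-restore file, which the kernel applies atomically, so the DROP policy and the ESTABLISHED rule take effect together. The script below is an added example, not part of the original paste; it assumes the LXC's external interface is eth0 (as in step 9) and that Docker is managing iptables, so the DOCKER-USER chain is honoured. It goes one step beyond the paste: ports published with `docker run -p` are DNATed before INPUT is consulted and traverse FORWARD instead, so the same allow-list is repeated in DOCKER-USER, matching on the original (pre-DNAT) destination port.

```shell
#!/bin/sh
# gen_rules LAN_CIDR PORT [PORT ...]  e.g. gen_rules 192.168.68.0/22 3000 9443
# Prints an iptables-restore ruleset for the filter table. Loading it with
# "iptables-restore < file" replaces the table in one atomic step, so there
# is no moment where INPUT is already DROP but the ESTABLISHED rule is
# missing (that moment exists when the commands are typed one by one).
rule() { printf '%s\n' "$*"; }

gen_rules() {
    lan="$1"; shift
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    # DOCKER-USER is jumped to first from Docker's own FORWARD rules; Docker
    # creates it when absent and does not alter rules placed in it.
    rule ':DOCKER-USER - [0:0]'
    rule '-A INPUT -i lo -j ACCEPT'
    rule '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    rule "-A INPUT -s $lan -j ACCEPT"
    for p in "$@"; do
        rule "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Published container ports are DNATed in the nat table before the filter
    # table sees them, so they never reach INPUT: the allow-list above does
    # not cover them. Repeat it here, matching the port the client actually
    # connected to (--ctorigdstport) rather than the container-side port.
    rule '-A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN'
    rule "-A DOCKER-USER -i eth0 -s $lan -j RETURN"
    for p in "$@"; do
        rule "-A DOCKER-USER -i eth0 -p tcp -m conntrack --ctdir ORIGINAL --ctorigdstport $p -j RETURN"
    done
    rule '-A DOCKER-USER -i eth0 -j DROP'   # anything else arriving on eth0
    rule '-A DOCKER-USER -j RETURN'         # container-originated traffic continues
    rule 'COMMIT'
}

# Example run with the ports from step 6 (values constructed for illustration).
gen_rules 192.168.68.0/22 3000 9443 2283 8099 8443
```

A full restore of the filter table also empties the other chains Docker created, so load the file at boot via iptables-persistent, or restart the Docker service after loading it by hand.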
## Restoring from Backup

If needed, restore from backup using:

```sh
iptables-restore < ~/iptables_backup_YYYYMMDD.rules
```

Replace YYYYMMDD with the actual date of your backup file.

## Troubleshooting

- If external access fails, temporarily disable the firewall to test:

```sh
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
# -F also empties the chains Docker maintains (DOCKER, DOCKER-USER, ...);
# restart the Docker service afterwards so it re-creates them.
iptables -F
```

- Check Docker LXC logs and Nginx Proxy Manager logs for any error messages.
- Verify that port forwarding is correctly set up on your router.
- Ensure DNS records are up to date if using domain names.

Remember to always test changes thoroughly and maintain regular backups of your configuration.