Use Firehol with Docker

NOTE

After testing for a while, Firehol does not work well with docker-compose, which results in Docker containers being unable to reach the outside network or the internet. I don't have time to investigate, so I decided to use iptables by hand (no script helper) instead, because my working stack is based on Docker. — 26/8/2559

NOTE — with Firewalld

firewalld also does not work well with Docker as of 26/8/2559; waiting for a new release. See this #issue (Docker firewalld on CentOS 7) and this #issue.

iptables is the Linux firewall; it is operated mainly from the command line and is complicated to understand.

Firehol Intro

Firehol is a bash script that helps you manage an iptables firewall easily with a simple configuration in /etc/firehol/firehol.conf (read the manual). Services are defined in /etc/firehol/services. More documentation is available at the Firehol site.

Problem

I found a problem using Firehol with Docker: Firehol does not create the chains Docker needs. Docker needs the following:

  • nat table
  • filter table
  • DOCKER-ISOLATION target

So you need to append the above at the end of the Firehol configuration file, like this.

Otherwise you cannot map ports, or Docker can't reach the outside (internet). You will get an error like:

docker: Error response from daemon: driver failed programming external connectivity on endpoint clever_leavitt (623f18135b279e281c6cb81ad4abf80af3e54130417e075251672879f8d36d7f): iptables failed: iptables --wait -t filter -A DOCKER
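A check you can run after Firehol has applied its ruleset, added here as an example that is not part of the original post: it reads iptables-save output and reports which of the chains listed above (DOCKER in the nat and filter tables, DOCKER-ISOLATION in the filter table) are absent. The two rulesets embedded in the script are constructed samples, and the chain names are assumed from the list in this post; on a real host pipe `iptables-save` into the function as root.

```shell
#!/bin/sh
# missing_docker_chains: read iptables-save formatted rules on stdin and print
# "table/chain" for every chain Docker expects that is absent.
# Exit status 0 when all are present, 1 when at least one is missing.
# Assumed chain names: DOCKER (nat and filter) and DOCKER-ISOLATION (filter),
# matching the list in the post; newer Docker releases use other isolation chains.
missing_docker_chains() {
    awk '
        /^\*/ { table = substr($1, 2); next }               # "*nat" -> current table
        /^:/  { chains[table "/" substr($1, 2)] = 1; next } # ":DOCKER - [0:0]" -> chain
        END {
            n = split("nat/DOCKER filter/DOCKER filter/DOCKER-ISOLATION", want, " ")
            rc = 0
            for (i = 1; i <= n; i++)
                if (!(want[i] in chains)) { print want[i]; rc = 1 }
            exit rc
        }'
}

# Constructed sample: a ruleset as Firehol leaves it, with Docker's chains gone.
FIREHOL_ONLY='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: the chains the Docker daemon itself programs.
WITH_DOCKER='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
COMMIT'

echo "Firehol-only ruleset, missing:"
printf '%s\n' "$FIREHOL_ONLY" | missing_docker_chains || true
echo "Docker ruleset, missing:"
printf '%s\n' "$WITH_DOCKER" | missing_docker_chains && echo "(none)"
# Live check as root:  iptables-save | missing_docker_chains
```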

Same Tool concept