ConfigServer Firewall (CSF) + Docker


CSF is a front-end for the IPTables firewall, so if you have it installed, CSF overwrites any IPTables rule added manually, each time you restart it.

Docker has its own set of IPTables rules which are required for communication between containers. It also overwrites IPTables rules each time you restart it.

So, in order to resolve possible conflicts between these programs, one should do the following:

  1. Add all Docker firewall rules to a shell script that CSF executes on startup:
    • create the file /etc/csf/csfpre.sh and add the following commands to it:

        # nat table: the DOCKER chain and the rules that hand locally addressed traffic to it
        iptables -t nat -N DOCKER
        iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
        iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
        # source NAT for containers on the default bridge subnet leaving through another interface
        iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
        # filter table: the DOCKER chain and forwarding between the docker0 bridge and the host
        iptables -t filter -N DOCKER
        iptables -t filter -A FORWARD -o docker0 -j DOCKER
        iptables -t filter -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        iptables -t filter -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
        iptables -t filter -A FORWARD -i docker0 -o docker0 -j ACCEPT

    • restart CSF:

        $ csf -r

  2. Tell Docker not to add its own firewall rules to IPTables (CSF now handles that):
    • for older systems using Upstart, edit /etc/default/docker
    • for newer systems using SystemD, create the directory /etc/systemd/system/docker.service.d with the file /etc/systemd/system/docker.service.d/noiptables.conf

    and add the following lines to that file (the empty ExecStart= line clears the value from the packaged unit so the override can set its own):

        [Service]
        ExecStart=
        ExecStart=/usr/bin/dockerd -H fd:// --iptables=false

  3. Reload SystemD’s config:

        $ systemctl daemon-reload
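As an added example (not the post's own script), here is an idempotent version of the csfpre.sh from step 1 together with a verify mode for confirming that the Docker rules are still present after csf -r. It assumes the default docker0 bridge and 172.17.0.0/16 subnet used above; the DOCKER_BRIDGE and DOCKER_SUBNET variables and the apply/verify arguments are conventions of this example only.

```shell
#!/bin/sh
# Idempotent csfpre.sh (added example, not the post's own script). Assumes the
# default bridge/subnet from the post; override via the environment if yours differ.
set -e

DOCKER_BRIDGE="${DOCKER_BRIDGE:-docker0}"
DOCKER_SUBNET="${DOCKER_SUBNET:-172.17.0.0/16}"

# The post's rules, one per line as "<table> <rule-spec>" (chains are created separately).
docker_rules() {
  cat <<EOF
nat PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
nat OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
nat POSTROUTING -s $DOCKER_SUBNET ! -o $DOCKER_BRIDGE -j MASQUERADE
filter FORWARD -o $DOCKER_BRIDGE -j DOCKER
filter FORWARD -o $DOCKER_BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
filter FORWARD -i $DOCKER_BRIDGE ! -o $DOCKER_BRIDGE -j ACCEPT
filter FORWARD -i $DOCKER_BRIDGE -o $DOCKER_BRIDGE -j ACCEPT
EOF
}

# Create the DOCKER chain only if it is missing: "iptables -N" errors out
# when the chain already exists.
ensure_chain() {
  iptables -t "$1" -L DOCKER -n >/dev/null 2>&1 || iptables -t "$1" -N DOCKER
}

# Append a rule only when "iptables -C" says it is absent (idempotent). $spec is
# unquoted on purpose: it must be word-split into separate iptables arguments.
apply_docker_rules() {
  ensure_chain nat
  ensure_chain filter
  docker_rules | while read -r table spec; do
    iptables -t "$table" -C $spec 2>/dev/null || iptables -t "$table" -A $spec
  done
}
# Manual check after "csf -r": fail on the first Docker rule that is missing.
verify_docker_rules() {
  docker_rules | while read -r table spec; do
    iptables -t "$table" -C $spec 2>/dev/null || { echo "missing: -t $table $spec" >&2; exit 1; }
  done
}

# CSF runs this file as csfpre.sh with no arguments: apply then; "verify" is for checks by hand.
case "${1:-}" in
  apply)  apply_docker_rules ;;
  verify) verify_docker_rules ;;
  "")     if [ "${0##*/}" = csfpre.sh ]; then apply_docker_rules; fi ;;
esac
```

Run it as root with verify after each CSF restart; a non-zero exit names the first rule CSF dropped.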

This article also answers another question that I have recently been looking for an answer to: “Is it possible to install Docker on a cPanel/WHM server?”. And the answer is “yes”. I needed to install Jenkins with Ansible for code deployment on a cPanel server, and decided that the “clean” way would be to have Jenkins with Ansible running in a Docker container rather than installing Java with Apache Tomcat on the server directly. Everything is working perfectly 🙂
