valentin2105
5/5/2017 - 9:42 AM

Ferm for Docker (IPv4 only)


# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#
# Chain policies

# The IPv4 pool this host's Docker bridge networks are drawn from.
# The per-network rules further down assume /16 slices of this range.
@def $DOCKER_RANGE = 172.16.0.0/12;

# Default policies: nothing enters or is forwarded unless a later rule
# allows it; locally generated traffic leaves freely.
domain ip table filter {
 chain INPUT   policy DROP;
 chain FORWARD policy DROP;
 chain OUTPUT  policy ACCEPT;
}

# Loopback traffic is always allowed, in both directions.
domain ip table filter chain INPUT  interface lo ACCEPT;
domain ip table filter chain OUTPUT outerface lo ACCEPT;

# ICMP in both directions; the author relies on the kernel's own ICMP rate
# limiting here.  (The OUTPUT rule adds nothing over the ACCEPT policy on
# that chain but is kept for symmetry.)
domain ip table filter {
 chain INPUT  protocol icmp ACCEPT;
 chain OUTPUT protocol icmp ACCEPT;
}

# Packets conntrack cannot associate with any known connection are
# dropped before any port rule is consulted.
domain ip table filter chain INPUT {
 mod state state INVALID DROP;
}

# Replies and related packets of connections that were already accepted
# pass on INPUT and OUTPUT without re-evaluating the port rules.
domain ip table filter {
 chain INPUT  mod state state (ESTABLISHED RELATED) ACCEPT;
 chain OUTPUT mod state state (ESTABLISHED RELATED) ACCEPT;
}

# TCP services this host exposes.  Both are reachable from any source
# address; SSH in particular can be narrowed with a saddr restriction if
# the management network is known.
domain ip table filter chain INPUT proto tcp dport (ssh http) ACCEPT;

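# Docker IPv4 config
#
# NOTE(review): ferm flushes the tables when it applies this file, so any
# chains the Docker daemon installs on its own (including the nat rules that
# implement published ports, when the daemon is left to manage iptables) are
# removed on every reload.  Either restart the daemon after a reload or keep
# it from managing iptables and rely on this file alone — confirm which mode
# this host runs in.
#
# @ipfilter() is not used in this block: it only matters in a mixed
# (ip ip6) domain, and this domain is IPv4 only.
domain ip {
  table filter {
    chain FORWARD {
        # Forwarded packets conntrack cannot classify are dropped; replies
        # to connections accepted below pass without re-evaluation.
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # Replicate Docker's isolation between bridge networks: traffic may
        # stay inside its own network (assumed here to be /16 slices of
        # $DOCKER_RANGE — adjust if your networks use other prefixes) ...
        saddr 172.16.0.0/16 daddr 172.16.0.0/16 ACCEPT;
        saddr 172.17.0.0/16 daddr 172.17.0.0/16 ACCEPT;
        saddr 172.18.0.0/16 daddr 172.18.0.0/16 ACCEPT;
        saddr 172.19.0.0/16 daddr 172.19.0.0/16 ACCEPT;
        saddr 172.20.0.0/16 daddr 172.20.0.0/16 ACCEPT;
        saddr 172.21.0.0/16 daddr 172.21.0.0/16 ACCEPT;
        saddr 172.22.0.0/16 daddr 172.22.0.0/16 ACCEPT;
        saddr 172.23.0.0/16 daddr 172.23.0.0/16 ACCEPT;
        saddr 172.24.0.0/16 daddr 172.24.0.0/16 ACCEPT;
        saddr 172.25.0.0/16 daddr 172.25.0.0/16 ACCEPT;
        saddr 172.26.0.0/16 daddr 172.26.0.0/16 ACCEPT;
        saddr 172.27.0.0/16 daddr 172.27.0.0/16 ACCEPT;
        saddr 172.28.0.0/16 daddr 172.28.0.0/16 ACCEPT;
        saddr 172.29.0.0/16 daddr 172.29.0.0/16 ACCEPT;
        saddr 172.30.0.0/16 daddr 172.30.0.0/16 ACCEPT;
        saddr 172.31.0.0/16 daddr 172.31.0.0/16 ACCEPT;
        # ... but is rejected between two different networks.
        saddr $DOCKER_RANGE daddr $DOCKER_RANGE REJECT;

        # Containers may open connections to anything outside the Docker
        # ranges (including this host's LAN — tighten with daddr if needed).
        saddr $DOCKER_RANGE ACCEPT;

        # New inbound connections reach a container only through a published
        # port, i.e. after a nat rule has DNATed them.  The previous
        # unconditional "daddr $DOCKER_RANGE ACCEPT" let any neighbour with a
        # route to the container range forward straight to unpublished
        # container ports.
        daddr $DOCKER_RANGE mod conntrack ctstate DNAT ACCEPT;
    }
  }
  # Create MASQUERADE for IPv4 ranges
  table nat {
    chain POSTROUTING {
        # Source-NAT container traffic that leaves the Docker ranges.
        # Container-to-container traffic is excluded: with br_netfilter
        # active, bridged packets also traverse POSTROUTING and an
        # unconditional MASQUERADE would rewrite their source address to the
        # bridge address.
        saddr $DOCKER_RANGE daddr !$DOCKER_RANGE MASQUERADE;
    }
  }
}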