Ferm for Docker (IPv4 only)
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
# IPv4-only ruleset for a Docker host: default-deny on INPUT and FORWARD,
# a short allow-list on INPUT, and FORWARD/NAT rules scoped to the Docker
# address range defined below. Rule order inside a chain is significant
# (first match wins), so the comments describe each group in the order it
# is evaluated.
#
# Chain policies
# We define our Docker IPv4 ranges
# 172.16.0.0/12 covers 172.16.0.0 - 172.31.255.255, i.e. exactly the
# sixteen /16 networks enumerated one by one in the FORWARD chain below.
@def $DOCKER_RANGE = (172.16.0.0/12);
# We drop INPUT/FORWARD by default and ACCEPT output
# Anything not explicitly accepted further down is silently dropped
# (policy DROP, no ICMP error is sent back).
domain (ip) {
table filter {
chain (INPUT FORWARD) policy DROP;
chain OUTPUT policy ACCEPT;
}
}
# Loopback
domain (ip) table filter {
chain INPUT interface lo ACCEPT;
chain OUTPUT outerface lo ACCEPT;
}
# ICMP (kernel does rate-limiting)
# No ICMP type match: every ICMP type is accepted on INPUT and OUTPUT.
domain (ip) table filter chain (INPUT OUTPUT) protocol icmp ACCEPT;
# Invalid
# Only INPUT drops conntrack-INVALID packets; FORWARD has no equivalent
# rule. NOTE(review): confirm whether forwarded INVALID packets should be
# dropped as well.
domain (ip) table filter chain INPUT mod state state INVALID DROP;
# Established/related connections
# Stateful accept applies to INPUT/OUTPUT only; FORWARD does not use
# connection tracking and relies on the address-based rules below.
domain (ip) table filter chain (INPUT OUTPUT) mod state state (ESTABLISHED RELATED) ACCEPT;
# We define our opened ports
# Port names are symbolic and resolved when the ruleset is loaded. Any
# other new inbound connection falls through to the INPUT DROP policy.
domain (ip) table filter chain INPUT {
# SSH
proto tcp dport ssh ACCEPT;
# HTTP
proto tcp dport http ACCEPT;
}
# Docker IPv4 config
domain ip {
table filter {
chain FORWARD {
# Replicate Docker's isolation between container networks: traffic that
# stays inside one /16 is accepted by the rules in this list, and any
# remaining traffic between two Docker addresses (i.e. crossing a /16
# boundary) is rejected by the rule that follows the list. The per-network
# rules must stay above that REJECT.
saddr 172.16.0.0/16 daddr 172.16.0.0/16 ACCEPT;
saddr 172.17.0.0/16 daddr 172.17.0.0/16 ACCEPT;
saddr 172.18.0.0/16 daddr 172.18.0.0/16 ACCEPT;
saddr 172.19.0.0/16 daddr 172.19.0.0/16 ACCEPT;
saddr 172.20.0.0/16 daddr 172.20.0.0/16 ACCEPT;
saddr 172.21.0.0/16 daddr 172.21.0.0/16 ACCEPT;
saddr 172.22.0.0/16 daddr 172.22.0.0/16 ACCEPT;
saddr 172.23.0.0/16 daddr 172.23.0.0/16 ACCEPT;
saddr 172.24.0.0/16 daddr 172.24.0.0/16 ACCEPT;
saddr 172.25.0.0/16 daddr 172.25.0.0/16 ACCEPT;
saddr 172.26.0.0/16 daddr 172.26.0.0/16 ACCEPT;
saddr 172.27.0.0/16 daddr 172.27.0.0/16 ACCEPT;
saddr 172.28.0.0/16 daddr 172.28.0.0/16 ACCEPT;
saddr 172.29.0.0/16 daddr 172.29.0.0/16 ACCEPT;
saddr 172.30.0.0/16 daddr 172.30.0.0/16 ACCEPT;
saddr 172.31.0.0/16 daddr 172.31.0.0/16 ACCEPT;
# Cross-network container traffic is REJECTed (unlike the chain's DROP
# policy, the sender receives an ICMP error).
saddr @ipfilter($DOCKER_RANGE) daddr @ipfilter($DOCKER_RANGE) REJECT;
# Containers may initiate traffic to any destination outside the Docker
# range (egress is unrestricted).
saddr @ipfilter($DOCKER_RANGE) ACCEPT;
# Any source may reach a container address. This is the path that lets
# Docker's DNAT'ed published ports through, but nothing here limits it to
# published ports: any peer that can route to 172.16.0.0/12 directly is
# also accepted. NOTE(review): confirm this exposure is intended.
daddr @ipfilter($DOCKER_RANGE) ACCEPT;
}
}
# Create MASQUERADE for IPv4 ranges
# Source-NAT all forwarded traffic originating from the Docker range to the
# outgoing interface's address; no outerface match, so this applies
# regardless of which interface the packet leaves on.
table nat {
chain POSTROUTING {
saddr @ipfilter($DOCKER_RANGE) MASQUERADE;
}
}
}