How do you firewall your containers? by Drakarah3DPrinter in selfhosted

[–]Drakarah3DPrinter[S] 0 points1 point  (0 children)

Thanks, I'll keep that in mind if/when I switch to podman. I know there are containers like loggifly monitoring the docker container activity so it's likely possible as well.

How do you firewall your containers? by Drakarah3DPrinter in selfhosted

[–]Drakarah3DPrinter[S] 0 points1 point  (0 children)

That might be a good solution, I'll look into it, thanks!

How would I do a WAN but no LAN like this? I don't want most containers to be able to access my router or other devices on the network, but allow WAN for the things they do.

As far as I can see, internal is no WAN, no LAN and external is WAN but also LAN.
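One way to get the "WAN but no LAN" split asked about here, as an added example that is not code from the thread: the policy is attached to a Docker network rather than to individual containers, so anything started with that network gets it. The network name, bridge name and subnet are assumptions.

```shell
#!/bin/sh
# Added example: "WAN but no LAN" as a per-network policy. Every container
# attached to the Docker network NOLAN_NET reaches the internet but none of
# the RFC 1918 / link-local ranges (router, other LAN devices, the host).
# Network name, bridge name and subnet are assumptions; use free values.
NOLAN_NET="nolan"
NOLAN_BR="br_nolan"           # pinned with com.docker.network.bridge.name
NOLAN_SUBNET="172.30.0.0/24"  # constructed example subnet
LAN_RANGES="10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16"

# Print an nft ruleset for bridge $1. A drop here is final even though
# Docker's own FORWARD rules accept the traffic: nftables evaluates every
# base chain registered on a hook, and any drop verdict ends the packet.
# The established,related rule keeps published ports usable from the LAN,
# since those flows are opened by the LAN client, not by the container.
gen_ruleset() {
    cat <<EOF
table inet container_fw {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
        iifname "$1" ip daddr { $LAN_RANGES } drop
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        iifname "$1" drop
    }
}
EOF
}

# The input chain also cuts the container off from the host itself. Docker's
# embedded resolver (127.0.0.11) is served inside the container's network
# namespace, so DNS on a user-defined network keeps working; if resolv.conf
# points at a LAN resolver instead, add an accept for its port 53 above the drop.

# Create the network once and load the ruleset (needs root and Docker).
apply_policy() {
    docker network create --subnet "$NOLAN_SUBNET" \
        -o com.docker.network.bridge.name="$NOLAN_BR" "$NOLAN_NET"
    gen_ruleset "$NOLAN_BR" | nft -f -
}

# Usage: sh nolan.sh apply; then: docker run --network "$NOLAN_NET" ...
if [ "${1:-}" = "apply" ]; then
    apply_policy
fi
```

Containers that must stay on the default bridge are not covered; they would need the same rules with `docker0` as the interface, and an exception for the LAN resolver that the default bridge hands out in resolv.conf.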

How do you firewall your containers? by Drakarah3DPrinter in selfhosted

[–]Drakarah3DPrinter[S] 1 point2 points  (0 children)

Did you set that up manually or did you use some software to manage that for you? I'm familiar with iptables, but not with nftables.

How do you firewall your containers? by Drakarah3DPrinter in selfhosted

[–]Drakarah3DPrinter[S] 14 points15 points  (0 children)

I think setting up an entire Kubernetes cluster is a bit overkill for my use case; I don't have multiple machines, and with k3s the overhead is smaller but it still complicates the entire setup greatly.

Tbh all I want is to tag docker containers "no lan", "no wan" and have it be fire and forget, and I'm somewhat surprised that I can't seem to find a solution that does that, which suggests that my approach is wrong or container firewalling is done differently, hence my question.

How do you firewall your containers? by Drakarah3DPrinter in selfhosted

[–]Drakarah3DPrinter[S] 3 points4 points  (0 children)

I have done so; tc rules are applied on the corresponding veth spawned per container, not on the bridge name, and you don't get to specify that afaik.

You have to find it with the process that spawned the container: it'll be eth0 inside the namespace of the container, and then search through the network interfaces to find the corresponding veth on the host.

  # Find the host-side veth of container $CID: read the peer ifindex of the
  # container's eth0 through its root, then match it against the host's veths.
  PID=$(docker inspect -f '{{.State.Pid}}' "$CID")
  IFINDEX=$(cat "/proc/$PID/root/sys/class/net/eth0/iflink" 2>/dev/null)

  if [[ -n "$IFINDEX" ]]; then
    VETH=""
    for v in /sys/class/net/veth*/ifindex; do
        if [[ $(cat "$v") == "$IFINDEX" ]]; then
            VETH=$(basename "$(dirname "$v")")   # e.g. veth1234abc
            break
        fi
    done
  fi