
csf-post-docker's Introduction

ConfigServer Security & Firewall (CSF) - Docker

Installation

Requirement

Make sure to use the scripts from https://github.com/juliengk/csf-pre_post_sh

Install

Installation is quite straightforward:

# cd /usr/local/src
# git clone https://github.com/juliengk/csf-post-docker.git
# cd csf-post-docker
# sh install.sh

User Feedback

Issues

If you have any problems with or questions about this image, please contact us through a GitHub issue.

csf-post-docker's People

Contributors

frantzcy, ian-ozzie, johnou, juli3nk, kurounin, miraclebg, tw1nh34d


csf-post-docker's Issues

script breaks vpn traffic and masquerade

Hey, this script successfully fixed my Docker issues, which were mainly the container networks being unable to communicate with each other. However, in the process it has completely broken my VPN: I can no longer pass traffic between networks or access the internet through masquerade.

I am currently doing this utilizing rules in the csfpost.sh such as

iptables -t nat -A POSTROUTING -s 10.159.3.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i wg0 -s 10.159.0.0/16 -d 10.159.4.0/24 -j ACCEPT
iptables -A FORWARD -i wg0 -s 10.159.4.0/24 -d 10.159.0.0/16 -j ACCEPT
iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT

These rules were working great for years, but after the script it doesn't matter if they are in pre.sh or post.sh, they no longer function and VPN traffic does not make it through anymore. How can I fix these without killing Docker again?

Why do I need this script?

As the title says, why do we need additional configuration when working with Docker?

This might be an explanation

Thanks for your answer

How to block non-local traffic?

I realized this script exposes all docker containers to traffic from everywhere. How can I modify it to only allow local traffic while not opening up to global access?

Rules priority

Hello,

We have been using this script and it has been working great. But today we found a couple of problems:

Let's say that you create a Docker image with the port TCP 8080 exposed, but this port is not part of the TCP_IN list in csf.conf, because the idea is that it should be accessed only from the allowed IPs in csf.allow. Well, the script will add a rule that will accept ALL traffic to the port TCP 8080, even if that port is intended to be a restrictive port. Any idea how we can solve this?

Another problem is if we use LFD to block IPs that are trying to brute force. LFD will add a rule to the chains DENYIN and DENYOUT. But those rules are never going to be hit because there is an ACCEPT rule in the DOCKER chain created by this script. In other words, an IP blocked by LFD will never be blocked because the chain DOCKER has precedence over the DENYIN chain. Any way to solve this?

Thank you!

problem with docker network

Hello,
I have a problem when CSF is restarted.
When I try to restart CSF I see the error below:
#csf -r

Running /usr/local/csf/bin/csfpost.sh
Template parsing error: template: :1: bad character U+002D '-'
Template parsing error: template: :1: bad character U+002D '-'
iptables v1.6.1: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.6.1: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.6.1: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.6.1: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.6.1: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.6.1: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
Template parsing error: template: :1: bad character U+002D '-'
Template parsing error: template: :1: bad character U+002D '-'
Template parsing error: template: :1: bad character U+002D '-'
Template parsing error: template: :1: bad character U+002D '-'
Template parsing error: template: :1: bad character U+002D '-'
Template parsing error: template: :1: bad character U+002D '-'
iptables v1.6.1: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.6.1: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.6.1: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.6.1: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.6.1: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.6.1: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.6.1: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.6.1: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
Template parsing error: template: :1: bad character U+002D '-'
Template parsing error: template: :1: bad character U+002D '-'
Template parsing error: template: :1: bad character U+002D '-'
Template parsing error: template: :1: bad character U+002D '-'
Template parsing error: template: :1: bad character U+002D '-'
Template parsing error: template: :1: bad character U+002D '-'
Template parsing error: template: :1: bad character U+002D '-'
Template parsing error: template: :1: bad character U+002D '-'
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2019-04-17 05:42:43 UTC; 21ms ago
Process: 11449 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 11479 (lfd - starting)
Tasks: 2 (limit: 4915)
CGroup: /system.slice/lfd.service
└─11479 lfd - starting

Apr 17 05:42:43 s24-development systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Apr 17 05:42:43 s24-development systemd[1]: Started ConfigServer Firewall & Security - lfd.
csf and lfd have been enabled

How can I solve the Template parsing error?
Thanks

Script is not running correctly when CSF refreshes the rules automatically, but works fine when used together with csf -r.

This script is not running correctly when CSF refreshes the rules automatically, but works fine when used together with csf -r. According to the CSF readme, any binaries inside a script such as this must be run with full paths provided:

Note: While csf runs the script with a preset PATH, you MUST use the full path
to any binaries that you execute within these scripts to ensure they are run
correctly

This post also mentions the full path criteria. I'll test that myself when I have time to monitor the effects.

Issue with custom networks

The DOCKER_NET_INT assignment on line 65 of docker.sh is introducing double quotes at the start and end of the network ID, which is breaking the interface name in iptables rules on docker instances in custom networks.

DOCKER_NET_INT="br-$(docker inspect -f \"{{.NetworkSettings.Networks.${netmode}.NetworkID}}\" ${container} | cut -c -12)"

Is giving rules like:
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !br-"06d92cc6d20 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:172.18.0.3:80

needs to be changed to

DOCKER_NET_INT="br-$(docker inspect -f "{{.NetworkSettings.Networks.${netmode}.NetworkID}}" ${container} | cut -c -12)"

(i.e. remove the escaping slashes, as it looks like the $() is escaping them out already)

This gives the expected (and working) rules:
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !br-06d92cc6d200 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:172.18.0.3:80

PS, thanks for these two repos, you have saved me SO much hassle across our fleet!!

not quite working for me

I still have issues with csf even when I use this script, which helps with restarts of csf for the most part.

The main issue for me is that I cannot access containers from localhost (CentOS) via "127.0.0.1". For example "curl 127.0.0.1:5432" just hangs. Everything works when accessing with domain name:port.
This is a major issue for me, because I would like to restrict access to localhost only and use subdomain forwarding to localhost, so that ports are not directly accessible but only through a subdomain, which allows using basic auth and similar features.

I'm still not very handy with "ops" part of "devops", so I might be missing something obvious, sorry about that.

Any help solving this would be much appreciated.

Thanks,
Eddie

Multiple Bridge Networks: iptables v1.8.4 (legacy): invalid port/service `-j' specified

Hi,

I first wish to thank you for the scripts.

I use them on a Ubuntu Server (20.04 LTS) with CSF 14.10.

IPv4 address for br-08c9e09e9ba7: 172.18.0.1
IPv4 address for br-f0315ad481c0: 172.19.0.1
IPv4 address for docker0: 172.17.0.1

I noticed that as soon as you have multiple bridge networks such as those listed above, the following errors appear when csf -r is executed:

Running /usr/local/csf/bin/csfpost.sh
/usr/local/include/csf/post.d/docker.sh: line 106: [: !=: unary operator expected
iptables v1.8.4 (legacy): invalid port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
/usr/local/include/csf/post.d/docker.sh: line 106: [: !=: unary operator expected
iptables v1.8.4 (legacy): invalid port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
/usr/local/include/csf/post.d/docker.sh: line 106: [: !=: unary operator expected
iptables v1.8.4 (legacy): invalid port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
/usr/local/include/csf/post.d/docker.sh: line 106: [: !=: unary operator expected
iptables v1.8.4 (legacy): invalid port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
/usr/local/include/csf/post.d/docker.sh: line 106: [: !=: unary operator expected
iptables v1.8.4 (legacy): invalid port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.

Now I managed to fix one error in line 106 by just adding "" around ${src_ip}, as you see below:

if [ "${src_ip}" != "0.0.0.0" ]; then

But then I still get the error

iptables v1.8.4 (legacy): invalid port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.

What is odd is that everything works and masquerade mode is active, and this only happens when multiple bridge networks are active. There are no errors when only the default Docker bridge network is active.

Any chance you can check the matter out?

TY in advance for your help.

Should you need testing or logs please let me know.

BR
g ;)

Problem with docker bridges (br-*)

For bridges with a name like br-9d7af61d6835 the script is not substituting the $bridge variable.
It is reproducible on the CLI:

_> docker network ls -q --filter='Driver=bridge'
d79a1bf7d01a
9d7af61d6835 <--
74e6a74405a2

_> docker network inspect -f '{{"br-$bridge" | or (index .Options "com.docker.network.bridge.name")}}' 9d7af61d6835
br-$bridge

A check of bridges with a name "com.docker.network.bridge.name" is possible:
_> docker network inspect -f '{{"br-$bridge" | or (index .Options "com.docker.network.bridge.name")}}' d79a1bf7d01a
docker0

Only a minor change is needed to fix this issue:
docker network inspect -f '{{"'br-$bridge'" | or (index .Options "com.docker.network.bridge.name")}}'
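The three issues above ("Issue with custom networks", "Multiple Bridge Networks" and "Problem with docker bridges") are all shell-quoting defects in the same script. The following is an added example, not code from csf-post-docker, that reproduces each one next to its corrected form without touching docker or iptables: `fake_docker_inspect` is a stub standing in for `docker inspect -f` (it renders text outside `{{...}}` literally and substitutes a constructed network ID for the action), and `mynet`, `web` and the ID are constructed values.

```shell
#!/bin/sh
# Added example (not part of csf-post-docker): the three quoting defects from
# the issues, each beside its fix. No docker or iptables is invoked.

# Constructed 64-hex network ID returned by the stub (not a real network).
FAKE_NET_ID="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Stub for `docker inspect -f TEMPLATE ID` (assumption about the real command:
# text outside {{...}} is printed literally, the action becomes the field value).
fake_docker_inspect() {
    template=$2
    printf '%s\n' "$template" | sed "s/{{[^}]*}}/$FAKE_NET_ID/"
}

# Bug 1 ("Issue with custom networks"): inside $( ) the escaped \" are passed
# to docker as literal quote characters, so the rendered ID is wrapped in quotes
# and `cut -c -12` keeps one quote plus 11 hex digits.
net_int_buggy() {
    netmode=mynet; container=web   # constructed names
    DOCKER_NET_INT="br-$(fake_docker_inspect -f \"{{.NetworkSettings.Networks.${netmode}.NetworkID}}\" ${container} | cut -c -12)"
    printf '%s\n' "$DOCKER_NET_INT"
}
# Fix: plain quotes; $( ) has its own quoting context, so no escaping is needed.
net_int_fixed() {
    netmode=mynet; container=web
    DOCKER_NET_INT="br-$(fake_docker_inspect -f "{{.NetworkSettings.Networks.${netmode}.NetworkID}}" ${container} | cut -c -12)"
    printf '%s\n' "$DOCKER_NET_INT"
}

# Bug 2 ("Multiple Bridge Networks", line 106): with src_ip empty the unquoted
# test collapses to `[ != 0.0.0.0 ]`, a syntax error (status 2, message on
# stderr), and the script carries on to build a malformed iptables command.
# Each function echoes the exit status of the test.
src_check_unquoted() {
    src_ip=$1; rc=0
    [ $src_ip != "0.0.0.0" ] 2>/dev/null || rc=$?
    echo "$rc"
}
# Fix: quoting keeps the empty string as an operand, so the test is well-formed
# (this removes the line-106 error only, as the reporter notes).
src_check_quoted() {
    src_ip=$1; rc=0
    [ "$src_ip" != "0.0.0.0" ] || rc=$?
    echo "$rc"
}

# Bug 3 ("Problem with docker bridges"): $bridge sits inside single quotes, so
# docker receives the literal text br-$bridge as the fallback name.
template_buggy() {
    bridge=$1
    printf '%s\n' '{{"br-$bridge" | or (index .Options "com.docker.network.bridge.name")}}'
}
# Fix: close the single quotes around the expansion and reopen them after it.
template_fixed() {
    bridge=$1
    printf '%s\n' '{{"'br-$bridge'" | or (index .Options "com.docker.network.bridge.name")}}'
}

# Stand-alone run: show each buggy/fixed pair side by side.
printf 'custom-network iface: buggy=%s fixed=%s\n' "$(net_int_buggy)" "$(net_int_fixed)"
printf 'empty src_ip test rc: buggy=%s fixed=%s\n' "$(src_check_unquoted "")" "$(src_check_quoted "")"
printf 'template sent to docker:\n  buggy=%s\n  fixed=%s\n' "$(template_buggy 9d7af61d6835)" "$(template_fixed 9d7af61d6835)"
```

Running it prints `br-"0123456789a` for the buggy interface name against `br-0123456789ab` for the fixed one, status 2 against 0 for the empty-source test, and the literal `br-$bridge` against `br-9d7af61d6835` in the template. Swapping the stub for the real `docker inspect` is the only change needed to check the same three lines on a host.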

Can't run docker containers only local

I want to access docker containers only locally behind the csf firewall on a remote Ubuntu server. To test this, I login to the remote server with ssh [email protected] -L 8000:127.0.0.1:8000.

If I am starting my container with -p 8000:8000, the port 8000 is exposed to the whole world (I can access it in a browser with mydomain.com:8000, as expected, but not what I wanted). If I am starting the container with -p 127.0.0.1:8000:8000 I can't access it over mydomain.com:8000 (which is great), but in both cases calling localhost:8000 results in an ERR_EMPTY_RESPONSE error in Chrome or curl: (52) Empty reply from server in the terminal on my local machine. Executing curl localhost:8000 directly on the server results in curl: (56) Recv failure: Connection reset by peer. This means that the server's host system can't connect to the Docker container when using 127.0.0.1.

Tried it with different containers and different ports. After disabling csf, it works without the errors so it must be related to a csf docker configuration problem.

error with csf csf: v9.23 (generic) and docker version 1.11.2, build b9f10c9

I'm getting this error; the rules don't update and I lose communication with the Docker containers.

/usr/local/csf/bin/csfpost.sh: 43: [: default: unexpected operator
Bad argument value>/32'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument value>/32'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Bad IP address "<no"

Running script gives error

iptables v1.4.21: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
