How to make containers isolated like in docker?

Hello, how do I set up containers so that outside devices can reach a container only via <host address>:<mapped port>, just like Docker sets this up automatically? I’ve tried a firewall rule set like this:

LAN-CONTAINER firewall
name LAN-CONTAINER {
     default-action reject
     default-log
     rule 5 {
         action accept
         description "Allow Established/Related Traffic"
         log
         state established
         state related
     }
     /* matches port 53 towards any destination address, so it also admits LAN clients that talk to the container address directly */
     rule 10 {
         action accept
         description "Allow DNS"
         destination {
             port 53
         }
         log
         protocol tcp_udp
         state new
     }
     /* NOTE(review): the WAN-CONTAINER log on this page shows DST=172.16.0.10 for a published port, which suggests the destination is already rewritten to the container address by the time this chain evaluates it; if so, matching the host address 10.0.0.1 here never hits — confirm by checking the DST field of a logged rule-15 packet */
     rule 15 {
         action accept
         description "Allow HTTP"
         destination {
             address 10.0.0.1
             port 80
         }
         log
         protocol tcp
         state new
     }
 }

10.0.0.1 is the host address.
When I try this, http://10.0.0.1:80 fails; but without that rule I can reach the page via http://<container address>:80, which is something I do not want to be possible.

There was also something in the WAN logs that bothered me. I have set up Pi-hole, which listens on every interface on port 80. In my WAN-CONTAINER logs there are entries like this:

Mar 29 18:38:04 kernel: [ipv4-NAM-WAN-CONTAINER-30-D]IN=pppoe0 OUT=pod-pihole-net MAC= SRC=87.121.69.52 DST=172.16.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=54321 PROTO=TCP SPT=46270 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

172.16.0.10 is the Pi-hole address. That alone would not bother me if there weren’t also a log entry on WAN-LOCAL like this:

Mar 29 16:34:24 kernel: [ipv4-NAM-WAN-LOCAL-30-D]IN=pppoe0 OUT= MAC= SRC=137.184.255.33 DST=<MY PUBLIC IP> LEN=49 TOS=0x00 PREC=0x00 TTL=239 ID=54321 PROTO=UDP SPT=59536 DPT=80 LEN=29

How can both of these logs appear at the same time? I asked a friend to try reaching my network on port 80, and his address showed up only in the WAN-CONTAINER logs.

There was also a log like this:

Mar 28 22:11:08 kernel: [ipv4-NAM-WAN-LOCAL-30-D]IN=pppoe0 OUT= MAC= SRC=10.0.30.4 DST=<MY PUBLIC IP> LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=17022 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

I tried a traceroute, but I think it was blocked by my ISP, so how could this private IP reach me? I would be really grateful if anyone could explain these.

whole config
container {
    name pihole {
        cap-add net-bind-service
        description "Pi-hole DNS"
        environment FTLCONF_LOCAL_IPV4 {
            value 10.0.0.1
        }
        /* unpinned :latest tag — the image can change underneath the router on every pull; pin a specific version tag if reproducible deployments matter */
        image pihole/pihole:latest
        network cont-net {
            address 172.16.0.10
        }
        /* DNS publishes are restricted to the LAN address via listen-address */
        port dns-tcp {
            destination 53
            listen-address 10.0.0.1
            protocol tcp
            source 53
        }
        port dns-udp {
            destination 53
            listen-address 10.0.0.1
            protocol udp
            source 53
        }
        /* NOTE(review): no listen-address here, unlike the DNS publishes; this presumably binds port 80 on every host address including the public pppoe0 side, which matches the WAN-CONTAINER log showing pppoe0 SYNs forwarded to 172.16.0.10 — add listen-address 10.0.0.1 to keep the web UI LAN-only */
        port http {
            destination 80
            protocol tcp
            source 80
        }
        restart always
        volume etc-dnsmasq.d {
            destination /etc/dnsmasq.d
            source /config/pihole/etc-dnsmasq.d
        }
        volume etc-pihole {
            destination /etc/pihole
            source /config/pihole/etc-pihole
        }
    }
    network cont-net {
        prefix 172.16.0.0/24
    }
}
firewall {
    ipv4 {
        name CONTAINER-LAN {
            default-action accept
        }
        name CONTAINER-LOCAL {
            default-action accept
        }
        name CONTAINER-WAN {
            default-action accept
        }
        name LAN-CONTAINER {
            default-action reject
            default-log
            rule 5 {
                action accept
                description "Allow Established/Related Traffic"
                log
                state established
                state related
            }
            rule 10 {
                action accept
                description "Allow DNS"
                destination {
                    port 53
                }
                log
                protocol tcp_udp
                state new
            }
            rule 15 {
                action accept
                description "Allow HTTP"
                destination {
                    port 80
                }
                log
                protocol tcp
                state new
            }
        }
        name LAN-LOCAL {
            default-action accept
        }
        name LAN-WAN {
            default-action accept
        }
        name LOCAL-CONTAINER {
            default-action accept
        }
        name LOCAL-LAN {
            default-action accept
        }
        name LOCAL-WAN {
            default-action accept
        }
        name WAN-CONTAINER {
            default-action drop
            rule 5 {
                action accept
                description "Allow Established/Related Traffic"
                state established
                state related
            }
            rule 30 {
                action drop
                description "Log invalid"
                log
                state invalid
                state new
            }
        }
        name WAN-LAN {
            default-action drop
            rule 5 {
                action accept
                description "Allow Established/Related Traffic"
                state established
                state related
            }
            rule 20 {
                action accept
                protocol icmp
                state new
            }
            rule 30 {
                action drop
                description "Log invalid"
                log
                state invalid
                state new
            }
        }
        name WAN-LOCAL {
            default-action drop
            rule 5 {
                action accept
                description "Allow Established/Related Traffic"
                state established
                state related
            }
            rule 10 {
                action accept
                description "Allow Wireguard access"
                destination {
                    port 51820
                }
                log
                protocol udp
                state new
            }
            rule 20 {
                action accept
                protocol icmp
                state new
            }
            rule 25 {
                action drop
                description "Block SSH access from WAN"
                destination {
                    port ssh
                }
                protocol tcp
            }
            rule 30 {
                action drop
                description "Log invalid"
                log
                state new
                state invalid
            }
        }
    }
    zone CONTAINER {
        default-action drop
        from LAN {
            firewall {
                name LAN-CONTAINER
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-CONTAINER
            }
        }
        from WAN {
            firewall {
                name WAN-CONTAINER
            }
        }
        interface pod-cont-net
    }
    zone LAN {
        default-action drop
        from CONTAINER {
            firewall {
                name CONTAINER-LAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-LAN
            }
        }
        interface eth1
        interface wg0
    }
    zone LOCAL {
        default-action drop
        from CONTAINER {
            firewall {
                name CONTAINER-LOCAL
            }
        }
        from LAN {
            firewall {
                name LAN-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        from CONTAINER {
            firewall {
                name CONTAINER-WAN
            }
        }
        from LAN {
            firewall {
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
        interface pppoe0
    }
}
interfaces {
    ethernet eth0 {
        hw-id xx:xx:xx:xx:xx:9e
    }
    ethernet eth1 {
        address 10.0.0.1/24
        description LAN
        hw-id xx:xx:xx:xx:xx:e8
    }
    ethernet eth2 {
        description WAN
        hw-id xx:xx:xx:xx:xx:e9
    }
    loopback lo {
    }
    pppoe pppoe0 {
        authentication {
            password xxxxxx
            username xxxxxx
        }
        mtu 1492
        no-peer-dns
        source-interface eth2
    }
    wireguard wg0 {
        address 10.0.1.1/24
        description "Wireguard VPN"
        peer Phone {
            allowed-ips 10.0.1.10/32
            persistent-keepalive 15
            public-key ****************
        }
        port 51820
        private-key xxxxxx
    }
}
nat {
    source {
        rule 100 {
            outbound-interface {
                name pppoe0
            }
            source {
                address 10.0.0.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 101 {
            outbound-interface {
                name pppoe0
            }
            source {
                address 172.16.0.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 102 {
            outbound-interface {
                name pppoe0
            }
            source {
                address 10.0.1.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name xxxxxx {
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                lease 7200
                name-server 10.0.0.1
                range 0 {
                    start 10.0.0.150
                    stop 10.0.0.250
                }
            }
        }
    }
    ntp {
        allow-client xxxxxx
            address xxx.xxx.0.0/0
            address ::/0
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    ssh {
        disable-host-validation
        disable-password-authentication
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name xxxxxx
    login {
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
                public-keys xxxx@xxx.xxx {
                    key xxxxxx
                    type ssh-rsa
                }
            }
        }
    }
    name-server 10.0.0.1
    option {
        startup-beep
        time-format 24-hour
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
}