
I'm trying to enable docker support in shorewall (version 5.1.3.2). I've followed the guide at http://shorewall.org/Docker.html.

However when I try to start shorewall I get the following error:

* Starting shorewall ...iptables-restore v1.6.1: Couldn't load target `DOCKER-INGRESS':No such file or directory

Error occurred at line: 39
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
iptables-restore v1.6.1: Couldn't load target `DOCKER-INGRESS':No such file or directory

Error occurred at line: 14
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: /sbin/iptables-restore Failed.
Terminated
[ !! ]
* ERROR: shorewall failed to start

I've tried both starting docker before shorewall and starting shorewall before docker, but I always get the same issue.

How can I solve this issue?

Thanks

alem0lars
  • It would be helpful to give some more information so someone can reproduce. Off the top of my head: The commands used, Docker version, host OS version, current `iptables -L` and `iptables -L -t nat` outputs, and maybe `ip addr` output. – Andy Shinn Sep 17 '17 at 03:33

3 Answers


Officially, Docker swarm is not supported by Shorewall:

Beginning with Shorewall 5.0.6, Shorewall has native support for simple Docker configurations. ... Shorewall currently doesn't support Docker Swarm mode.

You may have some luck as I have with the approach described here. My shorewall rules are too strict, so I had to tweak the script listed in the comments of that article with one that prepends rules.

The workaround is to create two files, /etc/shorewall/init and /etc/shorewall/stop, with this content:

# Save Docker's chains and rules from the nat and filter tables before
# shorewall flushes them. The -N lines are written first so the chains exist
# before any rule refers to them; each -A rule is rewritten as an
# "-I CHAIN 1" insert and the list is reversed with tac, so prepending the
# rules one by one restores their original order ahead of shorewall's own.
rules=/etc/shorewall/.docker_rules
if iptables -t nat -L DOCKER >/dev/null 2>&1; then
    echo '*nat' > "$rules"
    iptables -t nat -S | grep -i docker > "$rules.nat"
    grep '^-N' "$rules.nat" >> "$rules"
    tac "$rules.nat" | sed -n 's/^-A \([^ ]\+\) /-I \1 1 /p' >> "$rules"
    rm -f "$rules.nat"
    echo 'COMMIT' >> "$rules"

    echo '*filter' >> "$rules"
    iptables -t filter -S | grep -i docker > "$rules.filter"
    grep '^-N' "$rules.filter" >> "$rules"
    tac "$rules.filter" | sed -n 's/^-A \([^ ]\+\) /-I \1 1 /p' >> "$rules"
    rm -f "$rules.filter"
    echo 'COMMIT' >> "$rules"
fi

Then you create /etc/shorewall/start with this content:

# Reload the saved Docker chains and rules without flushing (-n) the rules
# shorewall has just installed, then discard the saved file.
rules=/etc/shorewall/.docker_rules
if [ -f "$rules" ]; then
    iptables-restore -n < "$rules"
    rm -f "$rules"
fi

If you try this, I must really repeat the warnings about rules/scripts from the net: You should carefully review the resulting iptables rules to ensure you have not exposed your network unnecessarily and that the rules work as expected.


This is related to docker swarm mode: it creates a DOCKER-INGRESS rule chain that is not managed by shorewall. As far as I can tell, nobody has asked for that rule chain to be managed by shorewall. There should be a workaround for this, like skipping, or saving/restoring a chain by name in shorewall, like this

  • This script does not work because the iptables-save format has changed; I tried adding `| sed 's/-N \(.*\)/:\1 - [0:0]/g'`, which transforms the output into the right format. But then I found that the DOCKER-INGRESS problem is related to the way shorewall manages docker rules: it saves a rule that refers to that chain without including the declaration of the DOCKER-INGRESS chain, and that is actually the problem. – Daniele Cruciani Jan 18 '19 at 19:51
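As an added example (not code from either answer, the comment, or shorewall itself), here is the conversion the init script above performs, written as a shell function over constructed `iptables -S` output using the `:CHAIN - [0:0]` declaration form mentioned in the comment, together with the check the comment points at: every DOCKER* chain that a saved rule inserts into or jumps to must be declared in the same restore input, since an undeclared one is what produces the `Couldn't load target` error. The function names and the sample rules are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of either answer: build an iptables-restore
# fragment from Docker-related `iptables -S` output and verify that every
# DOCKER* chain it references is declared in the same fragment.

# Emit a restore fragment for one table from `iptables -t <table> -S`
# lines on stdin: -N lines become ":CHAIN - [0:0]" declarations and
# -A lines become "-I CHAIN 1" inserts in reversed order, so prepending
# them one by one reproduces the original order (awk plays the role of tac).
docker_fragment() {
    table=$1
    input=$(grep -i docker)
    echo "*$table"
    printf '%s\n' "$input" | sed -n 's/^-N \([^ ]*\)$/:\1 - [0:0]/p'
    printf '%s\n' "$input" | awk '{ l[NR] = $0 } END { for (i = NR; i > 0; i--) print l[i] }' \
        | sed -n 's/^-A \([^ ]*\) /-I \1 1 /p'
    echo COMMIT
}

# Read a fragment on stdin; succeed only if every DOCKER* chain that is
# inserted into or jumped to (-j/-g) has a ":CHAIN" declaration. A missing
# declaration is what makes iptables-restore fail with "Couldn't load target".
check_docker_chains() {
    frag=$(cat)
    declared=$(printf '%s\n' "$frag" | sed -n 's/^:\([^ ]*\) .*/\1/p')
    refs=$({ printf '%s\n' "$frag" | sed -n 's/^-I \([^ ]*\) .*/\1/p'
             printf '%s\n' "$frag" | sed -n 's/.* -[jg] \([^ ]*\).*/\1/p'; } \
           | grep '^DOCKER' | sort -u)
    missing=""
    for c in $refs; do
        printf '%s\n' "$declared" | grep -qx "$c" || missing="$missing $c"
    done
    [ -z "$missing" ] && return 0
    echo "undeclared Docker chains:$missing" >&2
    return 1
}

# Constructed sample of `iptables -t nat -S` output on a swarm host (assumption).
SAMPLE_NAT='-P PREROUTING ACCEPT
-N DOCKER
-N DOCKER-INGRESS
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:8080'

printf '%s\n' "$SAMPLE_NAT" | docker_fragment nat
printf '%s\n' "$SAMPLE_NAT" | docker_fragment nat | check_docker_chains && echo "all referenced Docker chains declared"
```

Running the check over /etc/shorewall/.docker_rules before the start script calls iptables-restore turns the cryptic restore failure into a message naming the chain whose declaration is missing.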

Check in shorewall.conf whether you have enabled Docker support:

DOCKER=Yes
Lluís