
I'm a little confused about firewalld, and I am trying to secure docker containers by using docker-compose to force the container to listen only on localhost:

    docker-compose ps
           Name                     Command               State            Ports
    --------------------------------------------------------------------------------------
    srv_postgres-srv_1   /docker-entrypoint.sh postgres   Up      127.0.0.1:5432->5432/tcp

    services:

      postgres-srv:
        image: postgres:9.5.5
        volumes:
          - postgres-srv_volume:/var/lib/postgresql/data
        ports:
          - "127.0.0.1:5432:5432"

    volumes:
      postgres-srv_volume:

But when I try to use firewalld to forward external traffic to it, connections are refused. My firewalld configuration so far:

    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0
      sources: 
      services: dhcpv6-client ssh
      ports:
      protocols: 
      masquerade: yes
      forward-ports: port=5432:proto=tcp:toport=5432:toaddr=127.0.0.1
      source-ports: 
      icmp-blocks: 
      rich rules: 
            rule family="ipv4" source address="192.168.1.1/32" port port="5432" protocol="tcp" accept

Please, what am I doing wrong?

Unpossible
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Mar 20 '18 at 23:38
  • Thanks. And thanks for the downvotes. That'll make sure I always want to use this site, I'm certain. – Unpossible Mar 21 '18 at 00:41

1 Answer


I'm not sure this is absolutely the right thing to do, but in order to port-forward to the container, thanks to the information here: Assign Static IP to Docker Container, I did the following:

  1. I forced the container to have a static address (forcing it to listen on localhost for connections now seems redundant), by setting these in the docker-compose file:

    version: '2'

    services:

      postgres-srv:
        image: postgres:9.5.5
        volumes:
          - postgres-srv_volume:/var/lib/postgresql/data
        networks:
          static-network:
            ipv4_address: 172.18.0.2
        ports:
          - "127.0.0.1:5432:5432"

    volumes:
      postgres-srv_volume:

    networks:
      static-network:
        ipam:
          config:
            - subnet: 172.18.0.0/16
              ip_range: 172.18.0.0/16


  2. Then I port-forwarded in firewalld like so:

    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0
      sources: 
      services: dhcpv6-client ssh
      ports: 
      protocols: 
      masquerade: yes
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
            rule family="ipv4" source address="192.168.0.1/24" forward-port port="5432" protocol="tcp" to-port="5432" to-addr="172.18.0.2"

Now I still can't get the container to listen on localhost from outside, but I can port-forward to the static container IP. Please tell me if this is the right thing to do.

Unpossible