Ansible Role: iptables for Docker (and Docker Swarm)

This Ansible role sets up firewall rules using iptables for Docker and Docker Swarm to help protect your Docker containers. It’s designed because firewalld and Docker don't work well together.

Problem Addressed

When you start a Docker container with a "published" port, that port is automatically exposed through your server's firewall, meaning anyone can access it without any control. Even if you are using iptables or another firewall, Docker ignores those rules.

Use Case

This role allows trusted IPs to access your Docker containers as well as other open system ports. You can also choose to expose certain ports to everyone. The trusted IPs can be from different networks or subnets.

I aimed for simplicity to secure Docker with a firewall, but it can be complicated. Use this at your own risk, as unknown issues could arise!

Features

• Works with Docker and Docker Swarm.
• Default setting is secure, allowing only Docker IPs to access containers.
• Simple design with minimal iptables rules for better performance.
• Automatic configuration, no manual port additions needed.
• Specify trusted IPs for communication.
• Optionally expose certain Docker and system ports to the public.
• Restrict specific network interfaces.
• Works offline, minimizing Docker disruption.
• No need for extensive iptables knowledge to use it.
• Compatibility with Docker Swarm's use of iptables.

This setup uses iptables for firewall functions and ipset to manage a list of allowed IPs.

Warnings

• Don’t lock yourself out! Make sure you have another way to access your server.
• This setup is only for IPv4; IPv6 is not tested. It’s safest to disable IPv6.
• Additional security measures may include binding ports to internal IPs for Docker.

Important: Firewalld and Docker do not work well together, so this role will fail if firewalld is running.

Tested Environments

Currently tested on:

• CentOS/RHEL 7
• Ubuntu 18.04
• Ubuntu 20.04

Default Settings

• Debug is disabled by default.
• Role is disabled by default; you'll need to enable it.
• Checks if Docker service is active and fails if it is.
• Shows configuration from variables.
• Starts the iptables service.
• Installs necessary iptables packages.

Example Configuration

Here’s a simple example of how to allow a specific IP while opening port 22 for SSH:

iptables_docker_ip_allow_set:
  - 192.168.100.1

iptables_docker_external_network_adapter:
  - "+"  # Allows all interfaces

iptables_docker_global_ports_allow_tcp:
  - 22   # Open to everyone

Running the Playbook

Make sure you verify your existing iptables rules before running this, as it could overwrite them. Use the command below to run the role:

ansible-playbook iptables_docker.yml --extra-vars "inventory=centos7 iptables_docker_managed=true" -i hosts-dev

Notes on IPset Size Limit

If you approach the max limit of allowed IPs (65536), you need to delete and recreate it with a larger size.

SELinux Workaround

There's a known issue with SELinux that affects saving iptables rules. Follow the provided steps to work around it, if necessary.

Cautions

Always test in a non-production environment first. This role modifies your firewall settings, which could lead to loss of access or exposure of services.

Conclusion

This role helps set up controlled access for Docker containers using iptables. However, always proceed cautiously and be prepared for potential issues.