bridge and firewall

  • With the newest (5.5.4-1) version of OMV, creating a bridge over two network interfaces is straightforward - there is of course a small "but".

    (With docker installed from extras) the iptables forwarding policy is DROP, so every bridge created should have its own firewall rule - like iptables -A FORWARD -i br0 -j ACCEPT.

    So there are two topics:

    1. for developers: to create the proper rule automatically when defining a bridge

    2. what is the correct way to add this (iptables rule) to the config files as a workaround.

    Real example below:


    root@N5550:~# cat /etc/netplan/60-openmediavault-br0.yaml
    network:
      ethernets:
        enp2s0:
          addresses: []
          dhcp4: false
          dhcp6: false
        enp1s0:
          addresses: []
          dhcp4: false
          dhcp6: false
      bridges:
        br0:
          addresses:
          - 192.168.1.250/24
          gateway4: 192.168.1.1
          dhcp4: false
          dhcp6: false
          link-local: []
          nameservers:
            addresses:
            - 192.168.1.1
            - 8.8.8.8
          interfaces:
          - enp2s0
          - enp1s0

    root@N5550:~# ls /sys/class/net/br0/brif/
    enp1s0  enp2s0

    root@N5550:~# iptables -vnL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    38780 8147K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    38782 8147K DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
        0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain DOCKER (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    38782 8147K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain DOCKER-ISOLATION-STAGE-2 (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain DOCKER-USER (1 references)
     pkts bytes target     prot opt in     out     source               destination
    38787 8150K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    root@N5550:~#


    --

    Best regards,

    Tom.
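Added example for the second topic, not Tom's code and not part of OMV or Docker: a POSIX shell script that reads the FORWARD chain, decides whether Docker's DROP policy would swallow traffic on the bridge, and adds the accept rule only when it is missing. It assumes the bridge name br0 from the post, and it narrows the rule to traffic that both enters and leaves via br0 (frames switched between enp1s0 and enp2s0), so routed traffic toward docker0 still hits the DROP policy.

```shell
#!/bin/sh
# Added example, not from the post: ensure Docker's FORWARD DROP policy does not
# block frames switched across the OMV bridge. Assumes the bridge name br0.
BRIDGE="${1:-br0}"

# forward_policy RULES: print the chain policy from `iptables -S FORWARD` text.
forward_policy() {
    printf '%s\n' "$1" | awk '/^-P FORWARD /{print $3; exit}'
}

# needs_bridge_rule RULES BRIDGE: succeed (0) when the policy is DROP and no
# rule yet accepts traffic entering and leaving via BRIDGE; fail (1) otherwise.
needs_bridge_rule() {
    rules="$1"; br="$2"
    [ "$(forward_policy "$rules")" = "DROP" ] || return 1
    if printf '%s\n' "$rules" | grep -q -- "^-A FORWARD -i $br -o $br -j ACCEPT\$"; then
        return 1
    fi
    return 0
}

# apply_bridge_rule BRIDGE: add the rule only if it is not already present.
# Matching both -i and -o on the bridge accepts only traffic switched between
# its member ports (enp1s0 <-> enp2s0 in the post); routed traffic, e.g. toward
# docker0, still falls through to the DROP policy. Requires root.
apply_bridge_rule() {
    iptables -C FORWARD -i "$1" -o "$1" -j ACCEPT 2>/dev/null \
        || iptables -A FORWARD -i "$1" -o "$1" -j ACCEPT
}

# Constructed sample mirroring the FORWARD chain shown in the post (iptables -S form).
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

if needs_bridge_rule "$SAMPLE_RULES" "$BRIDGE"; then
    echo "sample ruleset: $BRIDGE traffic would be dropped, rule needed"
fi

# On a real host, run as root with RUN_APPLY=1 to fix the live ruleset.
if [ "${RUN_APPLY:-0}" = 1 ] && command -v iptables >/dev/null 2>&1; then
    if needs_bridge_rule "$(iptables -S FORWARD)" "$BRIDGE"; then
        apply_bridge_rule "$BRIDGE"
    fi
fi
```

Docker re-creates its own FORWARD entries when it restarts, and the DOCKER-USER chain visible in the post's output is the chain Docker leaves for administrator rules that must survive that; the same `-i br0 -o br0 -j ACCEPT` rule can be placed there instead of appended to FORWARD.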
