To be able to set granular rules for Docker, I did not need to put docker0 into any zone.
```sh
# 1. Stop Docker
systemctl stop docker

# 2. Recreate the DOCKER-USER chain in firewalld.
firewall-cmd --permanent \
  --direct \
  --remove-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent \
  --direct \
  --remove-rules ipv4 filter DOCKER-USER
firewall-cmd --permanent \
  --direct \
  --add-chain ipv4 filter DOCKER-USER
# (Ignore any warnings)

# 3. Docker Container <-> Container communication
firewall-cmd --permanent \
  --direct \
  --add-rule ipv4 filter DOCKER-USER 1 \
  -m conntrack --ctstate RELATED,ESTABLISHED \
  -j ACCEPT \
  -m comment \
  --comment 'Allow docker containers to connect to the outside world'
firewall-cmd --permanent \
  --direct \
  --add-rule ipv4 filter DOCKER-USER 1 \
  -j RETURN \
  -s 172.17.0.0/16 \
  -m comment \
  --comment 'allow internal docker communication'
# Change the Docker subnet to your actual one (e.g. 172.18.0.0/16)

# 4. Add rules for IPs allowed to access the Docker exposed ports.
#    (-o docker0 is given once; iptables rejects a repeated -o option.)
firewall-cmd --permanent \
  --direct \
  --add-rule ipv4 filter DOCKER-USER 1 \
  -p tcp \
  -m multiport \
  --dports 80,443 \
  -i eth0 \
  -o docker0 \
  -s 1.2.3.4/32 \
  -j ACCEPT \
  -m comment \
  --comment 'Allow IP 1.2.3.4 to docker ports 80 and 443'

# 5. Log docker traffic (if you like)
#    Runtime only (no --permanent), so the --reload in step 7 drops it again;
#    add --permanent if you want it to persist.
firewall-cmd --direct \
  --add-rule ipv4 filter DOCKER-USER 0 \
  -j LOG \
  --log-prefix ' DOCKER: '

# 6. Block all other IPs. This rule has the lowest precedence, so you can add
#    allowed-IP rules later.
firewall-cmd --permanent \
  --direct \
  --add-rule ipv4 filter DOCKER-USER 10 \
  -j REJECT \
  -m comment \
  --comment 'reject all other traffic to DOCKER-USER'

# 7. Reload firewalld, start Docker again
firewall-cmd --reload
systemctl start docker
```
This ends up with the following rules defined in /etc/firewalld/direct.xml:
```xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="filter" chain="DOCKER-USER"/>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="0">-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment 'Allow docker containers to connect to the outside world'</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="0">-j RETURN -s 172.17.0.0/16 -m comment --comment 'allow internal docker communication'</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="0">-p tcp -m multiport --dports 80,443 -s 1.2.3.4/32 -j ACCEPT -m comment --comment 'Allow IP 1.2.3.4 to docker ports 80 and 443'</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="0">-j LOG --log-prefix ' DOCKER TCP: '</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="10">-j REJECT -m comment --comment 'reject all other traffic to DOCKER-USER'</rule>
</direct>
```
The downside is still that you need to install containerd.io from CentOS 7, as Saustrup stated.
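Because the whole scheme depends on rule precedence inside DOCKER-USER (the conntrack ACCEPT and the per-host ACCEPTs must land before the catch-all REJECT, and the REJECT must be last), it is worth checking the resulting chain after `firewall-cmd --reload` rather than trusting the priorities. The script below is an added example, not part of the answer above: it reads an `iptables -S DOCKER-USER` listing from stdin and verifies that ordering. The two sample listings are constructed to look like what `iptables -S` prints for the answer's rules (host `1.2.3.4`, subnet `172.17.0.0/16`); the real invocation would be `iptables -S DOCKER-USER | check_docker_user_chain`.

```shell
#!/bin/sh
# Added example, not part of the original answer: sanity-check the DOCKER-USER
# chain built by the firewall-cmd steps. Reads an `iptables -S DOCKER-USER`
# listing on stdin and verifies the precedence the setup relies on.

check_docker_user_chain() {
    # Keep only the rule lines ("-A DOCKER-USER ..."); iptables -S prints them
    # in match order, i.e. the order firewalld's priorities produced.
    rules=$(grep '^-A DOCKER-USER ' || true)
    if [ -z "$rules" ]; then
        echo "check: no rules found in DOCKER-USER"
        return 1
    fi

    # 1. Exactly one catch-all REJECT: none means traffic falls through to
    #    Docker's own chains, several means later rules are shadowed.
    reject_count=$(printf '%s\n' "$rules" | grep -c -- '-j REJECT' || true)
    if [ "$reject_count" -ne 1 ]; then
        echo "check: expected exactly one REJECT rule, found $reject_count"
        return 1
    fi

    # 2. The REJECT must be the final rule; anything after it never matches.
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$last" in
        *"-j REJECT"*) ;;
        *) echo "check: last rule is not the REJECT: $last"; return 1 ;;
    esac

    # 3. Replies to container-initiated connections need the conntrack ACCEPT.
    if ! printf '%s\n' "$rules" | grep -- '--ctstate RELATED,ESTABLISHED' | grep -q -- '-j ACCEPT'; then
        echo "check: missing RELATED,ESTABLISHED ACCEPT rule"
        return 1
    fi

    # 4. Every ACCEPT for a source address must precede the REJECT.
    reject_line=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | cut -d: -f1)
    last_accept=$(printf '%s\n' "$rules" | grep -n -- '-s .* -j ACCEPT' | cut -d: -f1 | tail -n 1 || true)
    if [ -n "$last_accept" ] && [ "$last_accept" -gt "$reject_line" ]; then
        echo "check: an ACCEPT rule sits after the REJECT and can never match"
        return 1
    fi

    echo "check: DOCKER-USER ordering looks correct"
    return 0
}

# Constructed listing in the shape iptables -S prints for the answer's rules.
good_listing() {
    cat <<'EOF'
-N DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow docker containers to connect to the outside world" -j ACCEPT
-A DOCKER-USER -s 172.17.0.0/16 -m comment --comment "allow internal docker communication" -j RETURN
-A DOCKER-USER -s 1.2.3.4/32 -i eth0 -o docker0 -p tcp -m multiport --dports 80,443 -m comment --comment "Allow IP 1.2.3.4 to docker ports 80 and 443" -j ACCEPT
-A DOCKER-USER -m comment --comment "reject all other traffic to DOCKER-USER" -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Constructed failure case: the host ACCEPT was added with a priority above the
# REJECT's, so it lands after the REJECT and is dead.
bad_listing() {
    cat <<'EOF'
-N DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -s 172.17.0.0/16 -j RETURN
-A DOCKER-USER -m comment --comment "reject all other traffic to DOCKER-USER" -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -s 1.2.3.4/32 -i eth0 -o docker0 -p tcp -m multiport --dports 80,443 -j ACCEPT
EOF
}

good_listing | check_docker_user_chain
bad_listing | check_docker_user_chain || echo "check failed as expected for the misordered chain"
```

The check is deliberately conservative: it only flags orderings that make a rule unreachable, so a chain with extra allowed hosts inserted at priority 1 still passes, while a host rule accidentally added at priority 10 or higher is reported.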