iptables Values for a Stand-Alone Server

iptables configuration to limit access to the ZeroLock® Management Console.

    iptables configuration

    The settings discussed are for a stand-alone system with no other Docker containers running on the system other than the ZeroLock® containers. These settings may not be required in your installation.

    Bridge networking is used for communication between containers. The default assigned range is 172.238.0.0 → 172.238.0.6.

    For the examples below, the external network interface is ‘eth0’.

    INPUT table

    The following command allows the bridge-networked containers to communicate with each other while not matching traffic that arrives on the external network interface.

    sudo iptables -A INPUT ! -i {extNetworkinterface} -s 172.0.0.0/8 -d 172.0.0.0/8 -j ACCEPT

    Docker User

    1. The following command accepts packets that belong to connections that are already established (RELATED,ESTABLISHED), so that replies to permitted connections are not affected by the rules that follow.
      sudo iptables -I DOCKER-USER 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    2. The following commands allow new connections arriving on the external network interface only to the ZeroLock Collector port (TCP 7443 on 172.238.0.5) and the ZeroLock Management Console port (TCP 443 on 172.238.0.6).
      sudo iptables -I DOCKER-USER 2 -i {extNetworkinterface} -p tcp --dport 7443 -d 172.238.0.5 -j ACCEPT
      sudo iptables -I DOCKER-USER 3 -i {extNetworkinterface} -p tcp --dport 443 -d 172.238.0.6 -j ACCEPT
    3. The following command drops all TCP packets arriving on the external interface that do not match the rules above. This locks down every other port forwarded to the containers; in particular, the database port (3306) is no longer reachable from outside the box.
      sudo iptables -I DOCKER-USER 4 -i {extNetworkinterface} -p tcp -j DROP
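    To check what the four DOCKER-USER rules above actually admit, the following is an added model of that chain (example code written for this page, not part of the ZeroLock documentation or product): rules are evaluated in chain order and an unmatched packet falls through to Docker's own forwarding rules. The interface name eth0 and the container addresses come from the page; the bridge interface name br-zerolock, the database container address 172.238.0.4 and the sample packets are assumptions.

```python
"""Model of the DOCKER-USER chain built by the four iptables -I commands above.
Constructed example: first matching rule wins; no match means RETURN to Docker's
FORWARD rules. 'br-zerolock' and 172.238.0.4 (database container) are assumed."""
from dataclasses import dataclass

EXT_IF = "eth0"  # external interface named on the page

@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    dst: str
    dport: int
    established: bool = False  # conntrack state RELATED or ESTABLISHED

# One dict per rule, in chain order; None means the rule does not test that field.
DOCKER_USER = [
    # 1: -m state --state RELATED,ESTABLISHED -j ACCEPT
    {"in_if": None, "proto": None, "dst": None, "dport": None, "established": True, "target": "ACCEPT"},
    # 2: -i eth0 -p tcp --dport 7443 -d 172.238.0.5 -j ACCEPT   (Collector)
    {"in_if": EXT_IF, "proto": "tcp", "dst": "172.238.0.5", "dport": 7443, "established": None, "target": "ACCEPT"},
    # 3: -i eth0 -p tcp --dport 443 -d 172.238.0.6 -j ACCEPT    (Management Console)
    {"in_if": EXT_IF, "proto": "tcp", "dst": "172.238.0.6", "dport": 443, "established": None, "target": "ACCEPT"},
    # 4: -i eth0 -p tcp -j DROP                                 (all other TCP from outside)
    {"in_if": EXT_IF, "proto": "tcp", "dst": None, "dport": None, "established": None, "target": "DROP"},
]

def matches(rule: dict, pkt: Packet) -> bool:
    """A rule matches when every field it tests equals the packet's value."""
    return all(rule[f] is None or rule[f] == getattr(pkt, f)
               for f in ("in_if", "proto", "dst", "dport", "established"))

def verdict(pkt: Packet) -> str:
    """Walk the chain in order; RETURN when nothing matches."""
    for rule in DOCKER_USER:
        if matches(rule, pkt):
            return rule["target"]
    return "RETURN"

def demo() -> dict:
    """Verdicts for constructed sample packets (addresses/bridge name assumed)."""
    return {
        "console_from_outside":   verdict(Packet(EXT_IF, "tcp", "172.238.0.6", 443)),
        "collector_from_outside": verdict(Packet(EXT_IF, "tcp", "172.238.0.5", 7443)),
        "db_from_outside":        verdict(Packet(EXT_IF, "tcp", "172.238.0.4", 3306)),
        "db_from_bridge":         verdict(Packet("br-zerolock", "tcp", "172.238.0.4", 3306)),
        "reply_traffic":          verdict(Packet(EXT_IF, "tcp", "172.238.0.6", 51234, established=True)),
        "udp_from_outside":       verdict(Packet(EXT_IF, "udp", "172.238.0.6", 53)),
    }
```

    The last case shows a caveat worth checking in your own installation: the final rule is `-p tcp`, so a non-TCP port forward to a container would not be dropped by it and the container-to-container database traffic over the bridge is unaffected, as intended.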

    iptables Example