Unix & Linux
centos firewall docker firewalld
Updated Fri, 20 May 2022 06:22:17 GMT

How to configure Centos 7 firewallD to allow docker containers free access to the host's network ports?

I have docker installed on CentOS 7 and I am running firewallD.

From inside my container, going to the host (default 172.17.42.1)

With firewall on

container# nc -v  172.17.42.1  4243
nc: connect to 172.17.42.1 port 4243 (tcp) failed: No route to host

With the firewall shut down

container# nc -v  172.17.42.1  4243
Connection to 172.17.42.1 4243 port [tcp/*] succeeded!

I've read the docs on firewalld and I don't fully understand them. Is there a way to simply allow everything in a docker container (I guess on the docker0 adapter) unrestricted access to the host?

Solution

Maybe better than the earlier answer:

firewall-cmd --permanent --zone=trusted --change-interface=docker0
firewall-cmd --permanent --zone=trusted --add-port=4243/tcp
firewall-cmd --reload

Comments (5)

  • +0 – I believe the add-port is superfluous. If docker0 is marked trusted, that port will be let through anyway. — Jan 19, 2016 at 14:11  
  • +7 – @MattHughes It worked for me without the add-port. You also need to restart docker. — May 11, 2016 at 11:57  
  • +1 – Worked after firewalld restart, not docker — Apr 14, 2019 at 18:48  
  • +2 – This induced Error creating default "bridge" network: Failed to program NAT chain: ZONE_CONFLICT: 'docker0' already bound to a zone for me, even after a full reboot — Jan 28, 2021 at 00:48  
  • +1 – @Hassan No; this whole thing is a nightmare to me. I've switched to an external firewall because of it. I think that we may just be screwed until #461 is resolved. — Apr 13, 2021 at 22:52
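An idempotent, self-checking form of the accepted answer (added here as an example; it is not code from the question, the answer, or the firewalld or Docker projects). It queries which zone docker0 currently holds before changing anything, so re-running it is harmless and an existing binding of the kind the "already bound to a zone" comment describes is reported rather than silently overwritten; it omits the `--add-port`, which the comments note is superfluous once docker0 is trusted. The `FWCMD` variable is an assumed hook so the functions can be exercised without a real firewall-cmd.

```shell
#!/bin/sh
# Idempotent version of the accepted answer: bind docker0 to the firewalld
# "trusted" zone only if it is not already there, reload, and verify the
# runtime binding. FWCMD is an assumed hook so a test or dry run can
# substitute a stand-in for the real firewall-cmd.
FWCMD=${FWCMD:-firewall-cmd}

# Print the zone an interface is bound to. firewall-cmd prints "no zone"
# and exits non-zero for an unbound interface; both become "" here.
zone_of() {
    z=$("$FWCMD" --get-zone-of-interface="$1" 2>/dev/null) || z=""
    [ "$z" = "no zone" ] && z=""
    printf '%s\n' "$z"
}

# Put interface $1 into zone $2 (default trusted) and print the action
# taken: "unchanged", "added", or "moved from <old zone>".
# --change-interface is used for both cases because firewalld treats it
# like --add-interface when the interface has no zone yet, and it moves
# the interface (rather than creating a second binding) when it does.
ensure_interface_zone() {
    iface=$1
    zone=${2:-trusted}
    current=$(zone_of "$iface")
    if [ "$current" = "$zone" ]; then
        echo "unchanged"
        return 0
    fi
    if [ -n "$current" ]; then
        action="moved from $current"
    else
        action="added"
    fi
    "$FWCMD" --permanent --zone="$zone" --change-interface="$iface" >/dev/null || return 1
    "$FWCMD" --reload >/dev/null || return 1
    # Confirm the runtime state matches what was requested.
    if [ "$(zone_of "$iface")" != "$zone" ]; then
        echo "verification failed: $iface is not in zone $zone" >&2
        return 1
    fi
    echo "$action"
}

# Run directly (e.g. sh ensure_docker0_zone.sh docker0 trusted); when the
# file is sourced under another name, only the functions are defined.
if [ "${0##*/}" = "ensure_docker0_zone.sh" ]; then
    ensure_interface_zone "${1:-docker0}" "${2:-trusted}"
fi
```

After it runs, the same `nc -v 172.17.42.1 4243` check from the question, issued inside the container, is the quickest confirmation that traffic from docker0 now reaches the host.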