Nginx-proxy: What Firewall rules do I need for nginx-proxy?

Created on 17 Nov 2015  路  3Comments  路  Source: nginx-proxy/nginx-proxy

I have a simple nginx-proxy setup: (where subdomain.example.com is replaced with my domain)

docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
docker run -e VIRTUAL_HOST=subdomain.example.com kdelfour/cloud9-docker

It works with no problem when I have my firewall off. When I have my firewall on, I get a 504 Gateway Time-out error from nginx. This means that I'm able to see nginx on port 80, but my firewall rules seem to be restricting container-to-container and/or Docker API traffic.

Before I delve into the subject of Docker firewall rules, I thought I would ask if anyone has been down this path before. What firewall rules (preferably iptables) do in need to allow nginx-proxy to work? Thanks.

picture TravisDart
👍1

Most helpful comment

I posted a question on Stackoverflow and it turns out there was a problem with the FORWARD chain, which I fixed by adding:

iptables -A FORWARD -i docker0 -j ACCEPT

Beats me how no one else has had this problem, but whatever. It's fixed.

picture TravisDart on 20 Nov 2015
🎉1 👍1

All 3 comments

Have not run into this myself. Are you blocking the docker bridge or have ICC disabled?

jwilder picture jwilder on 17 Nov 2015

ICC is a Docker setting, so that wouldn't change when I turn my firewall on or off. I have rules to forward between docker0 and eth0, but I may still be blocking traffic on the docker0 bridge.

I did some research, but didn't find anything that addressed my particular situation. If my situation isn't common, perhaps this is a question for Stackoverflow. For the sake of completeness, though, I'll post the details of my setup. I'm running Ubuntu 15.04 and Docker 1.7.1. These are my iptables rules (these break nginx-proxy):

# Based on tutorial from http://www.thegeekstuff.com/scripts/iptables-rules / http://www.thegeekstuff.com/2011/06/iptables-rules-examples/

# Delete existing rules
iptables -F

# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow inbound/outbound SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow inbound/outbound HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow inbound/outbound HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow outbound DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# Allow outbound NTP
iptables -A OUTPUT -p udp -o eth0 --dport 123 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 123 -j ACCEPT

# This bit is from https://blog.andyet.com/2014/09/11/docker-host-iptables-forwarding
# Docker Rules: Forward chain between docker0 and eth0.
iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
ip6tables -A FORWARD -i docker0 -o eth0 -j ACCEPT
ip6tables -A FORWARD -i eth0 -o docker0 -j ACCEPT

iptables-save > /etc/network/iptables.rules

And, this is what I mean when I say "firewall off": (It works with these settings.)

iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
TravisDart picture TravisDart on 17 Nov 2015
👍1

I posted a question on Stackoverflow and it turns out there was a problem with the FORWARD chain, which I fixed by adding:

iptables -A FORWARD -i docker0 -j ACCEPT

Beats me how no one else has had this problem, but whatever. It's fixed.

TravisDart picture TravisDart on 20 Nov 2015
🎉1 👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

reyman picture reyman  路  3Comments
lagivan picture lagivan  路  3Comments
auzty picture auzty  路  3Comments
mroberty8 picture mroberty8  路  3Comments
renfyld picture renfyld  路  3Comments