Re: Mixing firewall tools

[Dan Ritter <dsr@randomstring.org>]

On Sat, Feb 25, 2017 at 07:54:32PM +1300, Richard Hector wrote:
> I have a machine with a hand-rolled firewall script, which just runs
> iptables commands - all well and good.
> 
> The trickiest bits are for my LXC containers; I need to forward ports
> etc - but that's ok.
> 
> The complications start when I add fail2ban - now I have an extra bit in
> my init script that reloads fail2ban after reloading my script, because
> my script does a flush of all existing rules. This is now getting ugly,
> but it still worked.
> 
> Does anyone have better ideas for that stage? Do any of the many
> firewall tools cope with this adequately?


Take a step back and describe your topology, please.

Remember that fail2ban needs to run on the "machine" (host or
container or VM or whatever) where both the daemon logs are
stored and iptables decisions can be made. In order to cleanly
accomplish that, you should have a fail2ban instance and an
iptables instance inside each machine, and leave the host
firewall to take care of the host and generically handle any
needed NAT.

If you can, it's cleaner and easier to give an IP address to
each machine and use routing instead of NAT. Push NAT to the
perimeter of your network.

> Now the biggie: I want to add Docker. Docker wants to do its own thing
> with iptables. Do I need to resort to just telling Docker to keep its
> hands off, and do everything myself?

Doing Docker and LXC at the same time is oddly duplicative. But
the same principles apply.

-dsr-