After several csf automatic update disasters and some new Docker installations rendering my custom rules useless, I have started thinking about using bare Iptables instead of any Iptables wrappers.
After reading this article about the (relatively) new DOCKER-USER chain, I have been highly motivated to write my own pure Iptables based firewall rules for Docker. As it was the documented and official way of implementing our own Iptables rules, restarting firewall or containers would not break something that already works.
Luckily, Iptables with its extensions is powerful enough to handle most of the complex situations that csf or any Iptables wrapper can handle, including the cases where such wrappers run daemons that inspect syslog and do some magical stuff. Solutions to many well-known issues can be implemented using just pure Iptables rules.
Using an Iptables wrapper like csf, ufw, firewalld etc… and trying to keep that wrapper compatible with Docker, testing whether compatibility is broken on every Docker or wrapper update, is much harder than writing your own Iptables rules once, according to the Docker documentation.
In conclusion, I have implemented my own Docker compatible Iptables rules that include some pre-defined protection patterns and examples including DoS/DDoS protection, connection limiting (even some kind of ssh bruteforce protection), port scanning protection, ping limitation, detecting port knocking patterns, blacklisting with timeout support etc… These are all implemented with pure Iptables rules.
And, here is sptables – Pure Iptables firewall for servers.
sptables is a basic pure Iptables firewall for servers that also comes with Docker compatibility. sptables includes example pure Iptables rules against some known attack patterns. Actually, sptables consists of Iptables, Ipset and Sysctl configuration files plus start, stop, reload and save scripts with a Systemd unit file. Please also see this article about the power of Iptables for examples and configuration code snippets from sptables.
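As an added illustration of the two ideas above (putting your own rules in the DOCKER-USER chain so a Docker restart does not wipe them, and expressing protection patterns such as ping limiting, connection limiting, brute-force detection and a timed blacklist purely with Iptables and Ipset), here is a small POSIX shell script. It is example code written for this post, not sptables' own scripts, and the interface name `eth0`, the port `2222` and the thresholds are assumed placeholders. By default it runs in dry-run mode and only prints the commands it would execute; setting `DRY_RUN=0` as root applies them.

```shell
#!/bin/sh
# Added example, not code from sptables: minimal Docker-compatible rule set in
# the DOCKER-USER chain with an Ipset-backed blacklist whose entries expire.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (root).
# WAN_IF and SVC_PORT are constructed placeholders, adjust to your host.

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"
SVC_PORT="${SVC_PORT:-2222}"   # assumed: an SSH port published by a container

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Blacklist set with a default per-entry timeout (seconds); entries expire on
# their own, which is the "blacklisting with timeout support" pattern.
# The set must exist before any Iptables rule references it.
setup_ipset() {
    run ipset create blacklist hash:ip timeout 3600 -exist
}

# DOCKER-USER is evaluated before Docker's own FORWARD rules and is left alone
# when the daemon restarts, so custom rules survive Docker updates.
# Caveat: it only sees traffic forwarded to containers. Services running on the
# host itself are handled in INPUT and need equivalent rules there.
docker_user_rules() {
    run iptables -N DOCKER-USER 2>/dev/null
    run iptables -F DOCKER-USER
    # 1. Drop anything from an address already on the blacklist.
    run iptables -A DOCKER-USER -i "$WAN_IF" -m set --match-set blacklist src -j DROP
    # 2. Ping limit: at most 1 echo-request/s (burst 4) from the WAN side.
    run iptables -A DOCKER-USER -i "$WAN_IF" -p icmp --icmp-type echo-request \
        -m limit --limit 1/s --limit-burst 4 -j RETURN
    run iptables -A DOCKER-USER -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
    # 3. Connection limiting: reject a source that already holds 20 connections.
    run iptables -A DOCKER-USER -i "$WAN_IF" -p tcp --syn \
        -m connlimit --connlimit-above 20 --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset
    # 4. Brute-force detection on the published port: the 6th new connection
    #    from one source within 60 s adds that source to the blacklist. The
    #    triggering packet still passes; every later packet hits rule 1.
    run iptables -A DOCKER-USER -i "$WAN_IF" -p tcp --dport "$SVC_PORT" --syn \
        -m recent --name svc --set
    run iptables -A DOCKER-USER -i "$WAN_IF" -p tcp --dport "$SVC_PORT" --syn \
        -m recent --name svc --update --seconds 60 --hitcount 6 \
        -j SET --add-set blacklist src
    # 5. Everything else falls through to Docker's own rules.
    run iptables -A DOCKER-USER -j RETURN
}

# Usage:  sh docker-user.sh            (print the rules)
#         DRY_RUN=0 sh docker-user.sh  (apply them as root)
setup_ipset
docker_user_rules
```

The final `RETURN` matters: DOCKER-USER is a chain that Docker jumps into, so rules that should not block traffic must return control rather than end in `ACCEPT`, otherwise Docker's own NAT and isolation rules after it are skipped. To check that the rules are in place after a container or daemon restart, `iptables -L DOCKER-USER -n -v` and `ipset list blacklist` show the live counters and the currently blacklisted addresses with their remaining timeout.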
You can share this blog post only by giving appropriate credit as described at Terms & Conditions.