Minecraft Docker rewriting IP tables
Running a Minecraft server in a Docker container on an AlmaLinux VM, and I noticed a weird issue when I reloaded my firewall rules after blocking an IP address. Players are able to ping and connect to the server, but get kicked out because "the auth servers are not available".
In the logs, it looks like players are connecting from a 172.0.x.x address instead of their public IPv4.
After doing some more digging, it looks like Docker and the software firewall I am using (CSF) are both rewriting the iptables chains, so the routing for the docker proxy service gets wonky.
After restarting the Docker daemon, everything works fine again, but it turns out CSF is being bypassed by the docker port forwarding rules.
I am a noob at iptables. Can anyone point me in the right direction of how to get my docker container behind CSF properly? From what I have found online, I either need a pre script or post script for csf to make sure the iptables stuff for Docker is not overwritten. Anyone have any examples?
Thanks for asking your question!
Make sure to provide as much helpful information as possible such as logs/what you tried and what your exact issue is
Make sure to mark solved when issue is solved!!!
Set docker to listen on 127.0.0.1:<port> instead of just the port number
Your docker run command for services you do not want to be accessible should look like "docker run -p 127.0.0.1:25565:25565"
Of course you can swap any interface IP in there
Would it be like that in docker-compose.yml too? I think because I am using docker compose and an nginx proxy container as well, it is using a docker proxy service that does not play nice with CSF
`ip a` shows that docker0 is 172.17.0.1; should I set it to that? The other bridge device shows 172.18.0.1
Getting
Going to give this a try: https://github.com/juli3nk/csf-post-docker. Kind of a shock to me that all of my docker containers have been this exposed and I have not known about it. Luckily it has just been development stuff and not production
If there are any iptables wizards out there that can help explain, please help me out
This was a typo on my part, should have been 127.0.0.1
Got it working. Had to edit that docker.sh bash script from GitHub because it had bugs. Added a
if [ -n "$src_ip" ]; then  # only emit a rule when a source address was actually parsed
and now I tested it and csf is successfully blocking access to port 443 if I add my IP to the deny list. If anyone is curious exactly what I did, PM me. I am still a total iptables noob and don't understand what is going on, but at least csf and lfd are in front of Docker and the Minecraft server is working
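The CSF post-script the original question asks for, as an added example that is not from the thread or from the csf-post-docker repository linked above: it copies the simple entries of csf.deny into a chain hung off Docker's DOCKER-USER chain, where traffic to published container ports is actually filtered (it is DNATed in the nat table and then traverses FORWARD, never INPUT, which is why CSF's own rules are bypassed). The install path /etc/csf/csfpost.sh, the csf.deny path, the CSF_DOCKER chain name and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Assumed install path: /etc/csf/csfpost.sh (CSF runs it after its own rules).
# Traffic to a port Docker publishes is DNATed in the nat table and then
# traverses FORWARD, not INPUT, so CSF's INPUT DROP rules never see it.
# Docker sends FORWARD through DOCKER-USER first, so denies placed there apply.
DENY_FILE="${DENY_FILE:-/etc/csf/csf.deny}"   # assumed default CSF deny list
IPT="${IPT:-iptables}"                        # IPT="echo iptables" to dry-run
CHAIN="CSF_DOCKER"                            # our own chain, flushed on reload

# Print one address or CIDR per line from the simple "ip # comment" entries,
# ignoring blank lines, comments and CSF's advanced "tcp/in|d=22|s=ip" form.
deny_addrs() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# Emit the iptables commands that rebuild the Docker-side denies.
docker_user_rules() {
    # Create DOCKER-USER if Docker has not started yet; Docker reuses it.
    printf '%s -N DOCKER-USER 2>/dev/null\n' "$IPT"
    printf '%s -N %s 2>/dev/null\n' "$IPT" "$CHAIN"
    printf '%s -F %s\n' "$IPT" "$CHAIN"
    # Insert the jump once, no matter how many times "csf -r" runs.
    printf '%s -C DOCKER-USER -j %s 2>/dev/null || %s -I DOCKER-USER 1 -j %s\n' \
        "$IPT" "$CHAIN" "$IPT" "$CHAIN"
    deny_addrs "$1" | while read -r addr; do
        printf '%s -A %s -s %s -j DROP\n' "$IPT" "$CHAIN" "$addr"
    done
}

# Apply the rules. Pipe into "cat" instead of "sh" to review them first.
main() { docker_user_rules "$DENY_FILE" | sh; }

if [ "${0##*/}" = "csfpost.sh" ]; then
    main
fi
```

Ports bound to 127.0.0.1 as suggested earlier in the thread need no rule here, since they are never published on the public interface.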