Note: I am using VPS for services, since I do not want to expose my home network to internet. I am using podman, . But firewall (using UFW frontend) seems to block all the routing and inter-container traffic, so I want to Currently I have UFW rules set as blanket open for all podman networks, like this:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
222/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
Anywhere on podman1 ALLOW Anywhere
443/tcp ALLOW Anywhere
8080/tcp ALLOW Anywhere
Anywhere on podman0 ALLOW Anywhere
Anywhere on podman2 ALLOW Anywhere
Anywhere on podman3 ALLOW Anywhere
Anywhere on podman4 ALLOW Anywhere
Anywhere on podman5 ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
222/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
Anywhere (v6) on podman1 ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
8080/tcp (v6) ALLOW Anywhere (v6)
Anywhere (v6) on podman0 ALLOW Anywhere (v6)
Anywhere (v6) on podman2 ALLOW Anywhere (v6)
Anywhere (v6) on podman3 ALLOW Anywhere (v6)
Anywhere (v6) on podman4 ALLOW Anywhere (v6)
Anywhere (v6) on podman5 ALLOW Anywhere (v6)
Anywhere on podman1 ALLOW FWD Anywhere on ens3
Anywhere on podman0 ALLOW FWD Anywhere on ens3
Anywhere on podman2 ALLOW FWD Anywhere on ens3
Anywhere on podman3 ALLOW FWD Anywhere on ens3
Anywhere on podman4 ALLOW FWD Anywhere on ens3
Anywhere on podman5 ALLOW FWD Anywhere on ens3
Anywhere (v6) on podman1 ALLOW FWD Anywhere (v6) on ens3
Anywhere (v6) on podman0 ALLOW FWD Anywhere (v6) on ens3
Anywhere (v6) on podman2 ALLOW FWD Anywhere (v6) on ens3
Anywhere (v6) on podman3 ALLOW FWD Anywhere (v6) on ens3
Anywhere (v6) on podman4 ALLOW FWD Anywhere (v6) on ens3
Anywhere (v6) on podman5 ALLOW FWD Anywhere (v6) on ens3
This neither seems secure, nor extensible when I add another network. Is there some ‘best practices’ for firewall setup with podman networks? How do you gurus set up your firewall for containers? Thanks in advance!
EDIT: Sorry for missing an important detail, I am running rootful podman with (userns=auto).
Thanks, though Shorewall looks intimidating. Do you have any good resources to go over how to set it up?
For so many Linux server packages I find the manual to be more of a reference than a guide, so not very useful if you’re just getting started and aren’t sure what to do, but Shorewall is an exception, its manual is wonderful and Tom the creator really goes into detail about how to fit it into many different setups.
https://shorewall.org/GettingStarted.html
You’ll probably want to follow the two interface guide, the two interfaces in your case are your public IP interface, and the virtual interface connected to the Podman network side. You’ll essentially treat shorewall as a firewall/router for your Podman containers which will act as your “LAN” in this case. The warning about not installing Shorewall on a remote system is not to be ignored, you’re generally fine to install the package, but do not start the shorewall service without first setting up some rules to allow SSH. The safest way is to log in via your VPS console instead of SSH to keep you from getting locked out. Most VPS providers have some sort of out-of-band connection utility like VNC or a simple console access you’ll want to use.