I have a custom container with a VPN inside, with the following iptables rules inside the container:
# Flush all existing rules and chains
iptables -F
iptables -X
# Set default policies to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow loopback traffic (localhost)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# allow vpn to be connected
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# each line of /tmp/entries is "<vpn-server-host> <udp-port>"
while IFS=' ' read -r host port; do
    iptables -A OUTPUT -o eth0 -p udp --dport "$port" -d "$host" -j ACCEPT
done < "/tmp/entries"
iptables -A OUTPUT -o ${VPN_DEVICE} -j ACCEPT
# allow vnc to be connected
iptables -A INPUT -i eth0 -p tcp --dport 5800 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 5800 -m state --state ESTABLISHED -j ACCEPT
# allow deluge to be connected
iptables -A INPUT -i eth0 -p tcp --dport 8112 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 8112 -m state --state ESTABLISHED -j ACCEPT
# allow deluge to access external world
iptables -A INPUT -i ${VPN_DEVICE} -p tcp --dport 6881:6891 -j ACCEPT
iptables -A OUTPUT -o ${VPN_DEVICE} -p tcp --dport 6881:6891 -j ACCEPT
iptables -A INPUT -i ${VPN_DEVICE} -p udp --dport 6881:6891 -j ACCEPT
iptables -A OUTPUT -o ${VPN_DEVICE} -p udp --dport 6881:6891 -j ACCEPT
The whole idea is to drop all in/out traffic by default; allow only output traffic to the VPN server on eth0; allow the exposed ports 5800 and 8112 on eth0 so my services are accessible; and expose the torrent client to the external world through the VPN device.
I also have the following compose file to bring up the container with the iptables rules above:
version: "2.1"
services:
  vpn:
    build: ./
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    volumes:
      - ./volumes/vpn-config:/vpn-config
      - ./volumes/deluge-config:/deluge-config
      - ./volumes/downloads:/downloads
      - ./volumes/firefox-profile:/config
      - ./volumes/downloads:/config/downloads
    ports:
      - 40001:5800
      - 40002:8112
    restart: unless-stopped
The main problem here: ports 40001 and 40002 work fine from the host machine, but do not work from other machines on the same network, while other containers' exposed ports are fine (tested with an nginx hello-world container).
Are there any suspicious places here I could change or pay attention to, to ensure ports 40001 and 40002 are reachable from other machines?
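One check worth doing for this symptom, as an added example that is not part of the original post: Linux picks the interface for a reply by destination address, so a reply to a connection from the host (which arrives from the on-link Docker bridge gateway) goes back out on eth0, while a reply to a LAN client can follow the VPN's default route into the tunnel, where the `OUTPUT -o ${VPN_DEVICE}` rule lets it leave but the LAN client never sees it. The Python helper below runs longest-prefix matching over a constructed routing table in `ip route show` format and reports whether the reply to each sample client would leave on eth0; the tunnel name tun0 and every address in it are assumptions for illustration.

```python
import ipaddress

# Constructed sample of what `ip route show` might print inside the container
# once the VPN is up: the 0.0.0.0/1 + 128.0.0.0/1 pair is the usual
# "redirect all traffic" default route through the tunnel, and 172.18.0.0/16
# is the on-link Docker bridge network on eth0. All values are made up.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 172.18.0.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.2
"""


def parse_routes(text):
    """Parse `ip route show` lines into (network, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix), dev))
    return routes


def egress_device(routes, dst):
    """Longest-prefix match: the interface the kernel would use to reach dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def reply_check(routes, clients, ingress="eth0"):
    """For each client that connected to a published port on `ingress`,
    say whether the reply would leave on that same interface."""
    return {client: egress_device(routes, client) == ingress for client in clients}


if __name__ == "__main__":
    # 172.18.0.1 plays the host (bridge gateway), 192.168.1.50 a LAN machine.
    for client, ok in reply_check(parse_routes(SAMPLE_ROUTES),
                                  ["172.18.0.1", "192.168.1.50"]).items():
        print(f"{client}: reply via {egress_device(parse_routes(SAMPLE_ROUTES), client)}"
              f" -> {'ok' if ok else 'asymmetric, reply enters the tunnel'}")
```

Feed the real `ip route show` output from inside the container (with the VPN up) to `parse_routes`; a False entry for a LAN client points at the return path rather than at the port rules.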