CIS Linux Hardened Images - installing Docker & using nftables
Product Name
CIS Hardened Images® (AWS)
CIS Hardened Images (Azure)
CIS Hardened Images (Google Cloud Platform)
CIS Hardened Images (Oracle)
Product Version
CIS Linux Hardened Images
Date
Jul 2, 2024
Problem
Installing Docker on a CIS Hardened Linux Image (such as Ubuntu 22.04 L1) may result in unexpected networking behavior: the containers cannot communicate with the internet, the host, or each other, despite a correct configuration being present in iptables.
Solution
The CIS Hardened Linux Images differ from their respective base (non-hardened) OS in that they use nftables for the default packet filter configuration (with presets for SSH access over port 22); other local firewall applications such as iptables, or front-ends such as ufw, are disabled or not populated.
On systems using nftables, the existing filter configuration can be displayed using the command:
sudo nft list ruleset
See also: specific to running content in Docker, the following third-party Unix StackExchange post indicates that Docker still uses iptables for its container communication filtering and default rule creation during initial deployment:
nftables whitelisting docker
If Docker is to be used on a CIS Hardened Image, it is recommended to switch the Hardened Image to use iptables instead before deploying Docker, and to reconstruct the preconfigured nftables ruleset included with the Hardened Image (such as allowing inbound TCP port 22 for SSH access) as iptables rules. This ensures consistency of the desired port filter and firewall rules without the possibility of conflicts between management applications.
Note that switching packet filtering systems may cause temporary connectivity loss over SSH if the existing default nftables rules are removed without disabling the firewall first.
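As an added example (not part of this article or of the CIS images), the following translator rebuilds a small `nft list ruleset` dump as the equivalent iptables commands, emitting the accept rules before the chain policies so that the SSH allow rule is in place before the INPUT policy becomes DROP. The sample ruleset is constructed for the example and only stands in for the real preset, which should be dumped from the image; rule forms outside the supported subset are rejected rather than silently skipped.

```python
import re

# Constructed sample of `sudo nft list ruleset` output in the style of a hardened-image
# preset (SSH on 22 allowed, default drop); an assumption, not the real CIS ruleset.
SAMPLE_NFT_RULESET = """\
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
		iif "lo" accept
		tcp dport 22 accept
	}
}
"""

# nft base-chain hooks mapped onto the iptables built-in chains.
HOOK_TO_CHAIN = {"input": "INPUT", "forward": "FORWARD", "output": "OUTPUT"}

# The rule forms this translator understands; anything else is rejected.
RULE_PATTERNS = [
    (re.compile(r"^ct state (\S+) (accept|drop)$"),
     lambda m: f"-m conntrack --ctstate {m[1].upper()} -j {m[2].upper()}"),
    (re.compile(r'^iif "(\S+)" (accept|drop)$'),
     lambda m: f"-i {m[1]} -j {m[2].upper()}"),
    (re.compile(r"^(tcp|udp) dport (\d+) (accept|drop)$"),
     lambda m: f"-p {m[1]} --dport {m[2]} -j {m[3].upper()}"),
]


def nft_to_iptables(ruleset: str) -> list[str]:
    """Translate a subset of `nft list ruleset` output into iptables commands."""
    # Rules are returned before policies so that applying the output top to bottom
    # never leaves an SSH session behind a DROP policy with no accept rule in place.
    rules, policies, chain = [], [], None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line.startswith(("table ", "chain ")) or line == "}":
            continue
        hook = re.match(r"^type filter hook (\w+) priority [^;]+; policy (accept|drop);$", line)
        if hook:
            chain = HOOK_TO_CHAIN[hook[1]]
            policies.append(f"iptables -P {chain} {hook[2].upper()}")
            continue
        for pattern, render in RULE_PATTERNS:
            m = pattern.match(line)
            if m:
                rules.append(f"iptables -A {chain} {render(m)}")
                break
        else:
            raise ValueError(f"unsupported nft rule, translate it by hand: {line}")
    return rules + policies
```

Review the generated commands against the real ruleset before applying them, and apply them while the nftables rules are still disabled rather than removed, so an SSH session survives the switch.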
Keywords: nftables docker container ports Linux HI