Docker Firewall Conflicts with Whonix Firewall

I’m writing this to document my findings in case it helps someone and to see if anyone has encountered this before and has other ideas.

Firewall Conflict

Docker is known to use iptables (or iptables-nft) and to conflict with firewalls that use nftables. I see that it conflicts with whonix_firewall when running a hidden service in docker because docker creates its own interfaces (docker0 or brXXXXXXXXX), so the FORWARD rules are used (eth0 to docker0) and whonix_firewall blocks all forwarding by default. Docker opens forwarding rules for itself in iptables, but it seems that for each connection the iptables rules are checked and then the nftables rules are checked, and the connection succeeds only if both allow it.

The solution is to either:

  1. open firewall rules in whonix_firewall (see the Whonix-Workstation Firewall documentation)
  2. use socat TCP-LISTEN:80,fork TCP:10.152.152.11:8080 so that the firewall allows the INPUT connection to port 80 on localhost and the OUTPUT connection to port 8080 of the hidden service on the docker interface.

Option 2 is the easiest. It might be more secure because it’s not introducing changes to the firewall that may be incompatible in the future.

TransPort

If the Tor TransPort is disabled then you need another forwarding socat from some port on localhost like 29920 to an HTTPTunnelPort on the gateway like 9220 (socat TCP-LISTEN:29920 TCP:10.152.152.10:9220), and:

  1. The docker daemon needs HTTP_PROXY and HTTPS_PROXY set to http://10.152.152.11:29920 to pull images. This should be set in the systemd override.conf file for docker using Environment=HTTP_PROXY=http://10.152.152.11:29920 and Environment=HTTPS_PROXY=http://10.152.152.11:29920
  2. pass --build-arg HTTP_PROXY=http://10.152.152.11:29920 --build-arg HTTPS_PROXY=http://10.152.152.11:29920 when running docker build
  3. the same environment variables need to be set inside the container if any outbound network connections are needed

You can forward to a SocksPort the same way.
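The two socat relays above and the docker proxy settings, put together in one script. This is an added example and not part of the original post; the addresses, ports and the file path are assumptions taken from the post (Workstation 10.152.152.11, Gateway 10.152.152.10, HTTPTunnelPort 9220, relay port 29920, container published on 8080).

```shell
#!/bin/sh
# Added example, not from the original post. Values below are the assumptions
# used throughout: Workstation IP, Gateway IP, Gateway HTTPTunnelPort, local
# relay port, and the port the hidden-service container is published on.
WS_IP=${WS_IP:-10.152.152.11}
GW_IP=${GW_IP:-10.152.152.10}
TUNNEL_PORT=${TUNNEL_PORT:-9220}
RELAY_PORT=${RELAY_PORT:-29920}
CONTAINER_PORT=${CONTAINER_PORT:-8080}

# Proxy URL the docker daemon, docker build and containers should use.
proxy_url() {
    printf 'http://%s:%s\n' "$WS_IP" "$RELAY_PORT"
}

# Content of the systemd drop-in for docker.service. Assumed path:
# /etc/systemd/system/docker.service.d/http-proxy.conf, followed by
# systemctl daemon-reload && systemctl restart docker.
docker_proxy_override() {
    url=$(proxy_url)
    printf '[Service]\nEnvironment=HTTP_PROXY=%s\nEnvironment=HTTPS_PROXY=%s\n' "$url" "$url"
}

# Flags to append to docker build so RUN steps reach the relay.
docker_build_proxy_args() {
    url=$(proxy_url)
    printf '%s %s\n' "--build-arg HTTP_PROXY=$url" "--build-arg HTTPS_PROXY=$url"
}

# Start both relays in the background. fork serves more than one connection;
# reuseaddr lets a relay be restarted without waiting for TIME_WAIT sockets.
start_forwarders() {
    # Outbound: relay port -> Gateway HTTPTunnelPort (only needed with TransPort off).
    socat TCP-LISTEN:"$RELAY_PORT",reuseaddr,fork TCP:"$GW_IP":"$TUNNEL_PORT" &
    # Inbound: hidden-service port 80 on the Workstation -> published container port.
    socat TCP-LISTEN:80,reuseaddr,fork TCP:"$WS_IP":"$CONTAINER_PORT" &
}

# Only act when run directly, e.g.:  sudo sh relay.sh
if [ "${RELAY_MAIN:-1}" = "1" ] && [ "$(basename "$0")" = "relay.sh" ]; then
    mkdir -p /etc/systemd/system/docker.service.d
    docker_proxy_override > /etc/systemd/system/docker.service.d/http-proxy.conf
    start_forwarders
    echo "docker build $(docker_build_proxy_args) ."
fi
```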

Apt Inside Docker

Alpine based images build fine using HTTP_PROXY/HTTPS_PROXY environment variables.

Debian-based images can’t be built because apt does not like going through HTTPTunnelPort. I keep getting "method not allowed" because apt doesn’t use HTTP CONNECT proxies like HTTPTunnelPort.

I don’t know what a good solution is but this is what I did:

  1. Outside the container, in Whonix-Workstation, run apt-get download torsocks
  2. Modify the Dockerfile and add, before any apt commands, COPY ./torsocks*.deb /torsocks.deb and RUN dpkg -i /torsocks.deb && rm /torsocks.deb. Then modify the apt commands to HTTP_PROXY= HTTPS_PROXY= http_proxy= https_proxy= torsocks --address 10.152.152.10 --port 9180 apt ...