Make CSF work with docker

[shunkica]

Is there any guide or recommended approach to get CSF working with Docker?

I have set DOCKER=1 in csf.conf but that does not seem to do what I expect.

I have nginx running on the host as a proxy which proxies requests to containers listening on 127.0.0.1

Eg:
nginx listens on 0.0.0.0:443, terminates ssl, proxies to 127.0.0.1:8080 (docker container)

But when I try to access this site I get:

[344812.530288] Firewall: *TCP_OUT Blocked* IN= OUT=br-c7c26ee1b731 SRC=172.18.0.1 DST=172.18.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21002 DF PROTO=TCP SPT=56218 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0 UID=0 GID=0 

Have also tried adding this to csf.allow

tcp|out|d=172.16.0.0/12
udp|out|d=172.16.0.0/12

But the error persists.

Also adding DOCKER=1 on Debian 13 results in some errors when restarting csf:

Initializing csfpost: /usr/local/csf/bin/csfpost.sh
   STATUS              Script /usr/local/csf/bin/csfpost.sh loading post.d initialzation scripts in folder /usr/local/include/csf/post.d 
   OK                  Loaded 0 post.d initialization scripts 
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Binary location for [UNZIP] [/usr/bin/unzip] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* URLGET set to use LWP but perl module is not installed, fallback to using CURL/WGET
*ERROR* line:[1431]
Command:[/sbin/iptables --wait -v -t nat -A POSTROUTING -s  ! -o  -j MASQUERADE]
Error:[Bad argument `MASQUERADE']
You should check through the main output carefully

*ERROR* line:[1432]
Command:[/sbin/iptables --wait -v -A FORWARD -o  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]
Error:[Bad argument `conntrack']
You should check through the main output carefully

*ERROR* line:[1433]
Command:[/sbin/iptables --wait -v -A FORWARD -i  ! -o  -j ACCEPT]
Error:[Bad argument `ACCEPT']
You should check through the main output carefully

What does work is adding 8080 to TCP_OUT but I suspect that is not the proper way to handle this.

[Aetherinox]

So, the short version is this.

The current docker functionality in CSF is limited.

A long time ago, I wrote this https://raw.githubusercontent.com/Aetherinox/csf-firewall/refs/heads/main/extras/scripts/docker.sh

However, that script is from roughly months ago. It makes docker and CSF work much better. But I need to either

1. Integrate this functionality into CSF
2. Update the helper script to make it much more user-friendly

Because the current functionality of my script loops through your entire docker network and adds those docker lan IPs to the CSF whitelist. However, some people may not want that. It doesn't open the port so that the outside world can access it, it simply allows for communication to happen locally. Then you can attach the docker container to things like Traefik.

If you want, you can open the helper script I linked, and see the process I use in there to grant a container access to get by CSF. The iptable rules sit in there.

I just need to dedicate some time to polishing CSF / Docker integration, but there's a bunch of stuff on the list right now I'm trying to push out.