# Docker Firewall Configuration

**Source:** [Firewalld Strict Docker Filtering](https://firewalld.org/2024/04/strictly-filtering-docker-containers "Firewalld Project Blog")

## Preparation

Required parts: firewalld as the host firewall and a Docker daemon that no longer manages iptables itself.

Install firewalld and enable its service:

```bash
pacman -Syu firewalld
systemctl enable --now firewalld.service
```

Disable any other firewall services.

Disable Docker's own iptables management by creating or editing `/etc/docker/daemon.json` so that it contains the following option:

```json
{
  "iptables": false
}
```

After changing this config file, restart the Docker daemon to apply the change:

```bash
systemctl restart docker.service
```

<p class="callout info">As a result of the previous steps, only the ports allowed in firewalld are reachable from the outside. However, containers are now unable to make outbound connections to the internet.</p>

## firewalld Configuration

### Allow internet access for Docker containers

We need to enable masquerading on the zone that holds the host's external interface (`home` in this example) so that traffic from the Docker zone can reach the internet:

```bash
# Running this command allows your containers to reach out to the internet
firewall-cmd --permanent --zone=home --add-masquerade
# Since we used the --permanent flag, we need to reload the firewall for the changes to take effect
firewall-cmd --reload
```

<p class="callout info">Docker creates a zone in firewalld specifically for its bridge network interfaces for each container network along with the docker0 interface.</p>

To fix networking for containers that are still not connected to the network, add the host interface that provides your network connection to the masqueraded zone (`home` in the example above).
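The following POSIX shell helper is an added example for this page; it is not taken from the firewalld blog or from the firewalld or Docker projects. It checks the two things the procedure above changes: that `daemon.json` sets `"iptables": false`, and that the uplink zone has masquerading enabled and contains the uplink interface. The zone name `home` matches the example above; the interface name `enp3s0` and the `--list-all` output are constructed samples so the script runs offline, and `verify_docker_firewall` is a hypothetical name.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumptions: the uplink zone
# is "home" (as above); the sample listing and interface name are constructed.

# Return 0 when the given daemon.json (default: /etc/docker/daemon.json)
# disables Docker's own iptables management.
docker_iptables_disabled() {
  file="${1:-/etc/docker/daemon.json}"
  [ -r "$file" ] || return 1
  grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$file"
}

# Read `firewall-cmd --zone=<zone> --list-all` output from stdin and
# return 0 when masquerading is enabled for that zone.
zone_masquerade_enabled() {
  grep -Eq '^[[:space:]]*masquerade:[[:space:]]*yes'
}

# Read the same listing from stdin and return 0 when the interface named
# in $1 is assigned to the zone.
zone_has_interface() {
  sed -n 's/^[[:space:]]*interfaces:[[:space:]]*//p' | tr ' ' '\n' | grep -qx "$1"
}

# Constructed sample of `firewall-cmd --zone=home --list-all` output.
SAMPLE_ZONE_LISTING='home (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Run all checks. $1 = zone, $2 = uplink interface, $3 = daemon.json path,
# $4 = zone listing text (defaults to the constructed sample; on a real host
# pass "$(firewall-cmd --zone="$1" --list-all)" instead).
verify_docker_firewall() {
  zone="${1:-home}"
  iface="${2:-enp3s0}"
  conf="${3:-/etc/docker/daemon.json}"
  listing="${4:-$SAMPLE_ZONE_LISTING}"
  rc=0
  if docker_iptables_disabled "$conf"; then
    echo "ok: $conf disables Docker iptables management"
  else
    echo "missing: set \"iptables\": false in $conf and restart docker.service"; rc=1
  fi
  if printf '%s\n' "$listing" | zone_masquerade_enabled; then
    echo "ok: zone $zone has masquerade enabled"
  else
    echo "missing: firewall-cmd --permanent --zone=$zone --add-masquerade && firewall-cmd --reload"; rc=1
  fi
  if printf '%s\n' "$listing" | zone_has_interface "$iface"; then
    echo "ok: $iface is in zone $zone"
  else
    echo "missing: firewall-cmd --permanent --zone=$zone --add-interface=$iface && firewall-cmd --reload"; rc=1
  fi
  return $rc
}
```

Each failed check prints the firewall-cmd or daemon.json change from the procedure above that would fix it, so the script doubles as a checklist after a reboot or a firewalld reload.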