Docker Integration
Running CSF in environments that leverage Docker requires special considerations due to containerized networking and isolated interfaces. This section provides guidance on configuring CSF to recognize Docker networks, manage container IP ranges, and ensure that firewall rules do not interfere with container-to-host or container-to-container communication. Following these steps will help maintain both security and functionality in your Docker-based infrastructure.
Enable Docker Mode
Open your CSF config file located at /etc/csf/csf.conf and change the following setting to the value 1:
Save the file and then give CSF a restart:
Afterward, give your Docker service a restart:
What is Docker?
Docker is a platform that allows developers and system administrators to package applications and their dependencies into lightweight, portable containers. These containers run consistently across different environments, ensuring that software behaves the same on a developer’s laptop as it does on production servers. By isolating applications from the underlying operating system, Docker simplifies deployment, scaling, and management, making it an essential tool for modern infrastructure and DevOps practices.
While Docker containers are not full virtual machines, they function in a similar way by providing isolated environments for applications. Each container has its own filesystem, processes, and network interfaces, allowing multiple containers to run on the same host without interfering with each other. This isolation provides many of the benefits of traditional virtual machines but with far lower overhead and faster startup times.
Troubleshooting
The following section highlights common issues or errors you might encounter when configuring CSF to work with Docker, along with potential solutions to resolve them.
Error response from daemon: failed to set up container networking
After integrating CSF, you might encounter the following error when trying to start or restart a Docker container:
Error response from daemon: failed to set up container networking:
driver failed programming external connectivity on endpoint my_container (cc81da8c4XXXXXXXXX):
Unable to enable DNAT rule: (iptables failed:
iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 80 -j DNAT --to-destination 172.XX.XX.XX:80 ! -i br-6f611f185f
To correct the above error, restart your Docker service so that it recreates the iptables chains that the CSF restart removed:
You can now restart the Docker container again.
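The enable procedure above and the restart fix from the troubleshooting section, as an added shell example that is not part of the CSF project's own code: it sets the option in csf.conf idempotently, restarts CSF and then Docker in that order, and checks that Docker's nat chain is back before containers are restarted. Assumed: the KEY = "value" line format of csf.conf, the setting name DOCKER, and the commands csf -r and systemctl restart docker.

```shell
#!/bin/sh
# Added example, not CSF project code. Assumes GNU sed (Linux), csf.conf
# lines of the form KEY = "value", and the DOCKER setting name.

CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# set_csf_option FILE KEY VALUE: rewrite an existing KEY = "..." line in
# place, or append the line if KEY is not present. Safe to run repeatedly.
set_csf_option() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^${key} = " "$file"; then
        sed -i "s|^${key} = \".*\"|${key} = \"${value}\"|" "$file"
    else
        printf '%s = "%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_csf_option FILE KEY: print the unquoted value of KEY (empty if unset).
get_csf_option() {
    sed -n "s|^${2} = \"\(.*\)\"|\1|p" "$1"
}

# docker_nat_chain_present: succeeds when Docker's DOCKER chain exists in
# the nat table. A CSF restart flushes iptables and drops this chain; until
# Docker recreates it, starting a container fails with the
# "failed to set up container networking" error quoted above.
docker_nat_chain_present() {
    iptables -t nat -S DOCKER >/dev/null 2>&1
}

# enable_docker_mode: the full procedure, in the order the text requires.
enable_docker_mode() {
    set_csf_option "$CSF_CONF" DOCKER 1
    csf -r                      # CSF reload flushes and rebuilds its rules
    systemctl restart docker    # Docker re-adds its own chains afterwards
    if ! docker_nat_chain_present; then
        echo "DOCKER nat chain still missing; check iptables -t nat -S" >&2
        return 1
    fi
}

# Only apply when explicitly asked, since it needs root and restarts services.
if [ "${1:-}" = "--apply" ]; then
    enable_docker_mode
fi
```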
Conclusion
If you do all of the steps above, you should now be able to access the CSF web interface through your browser, with the added protection of Traefik. This will allow you to access the web interface from other locations, implement middleware such as IP whitelisting, and avoid exposing the CSF web interface port to the world. You should NOT allow arbitrary connections to reach the web interface, even though they would still need the username and password to sign in.
Next Steps
Select what documentation you would like to proceed with next ...
- Enhance the security of CSF by placing it behind the Authentik identity provider using a forward proxy. This ensures that all traffic to the CSF web interface passes through Authentik, giving you centralized control over authentication and access. With this setup, CSF is protected by modern authentication methods such as passwords, two-factor authentication (2FA), or passkeys.
- Geographical IP Block Integration: configure geographical restrictions in CSF to whitelist or blacklist specific regions from accessing your server. This chapter covers enabling the GeoIP blocklist feature using third-party services such as MaxMind (requires an API key), db-ip, ipdeny, or iptoasn. These services allow you to control access based on location while keeping your server secure.