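# Firewall setup (iptables) with ferm

* Background: https://www.lullabot.com/articles/convincing-docker-and-iptables-play-nicely
* `sudo apt install ferm`
* The package asks whether ferm should be enabled at boot: answer **No** for now.
  Enabling it before `ferm.conf` has been written would load the default ruleset
  on the next boot; it is turned on explicitly at the end of this guide.
* `sudo vim /etc/ferm/ferm.conf`

```
# /etc/ferm/ferm.conf
# Default rules
domain (ip ip6) {
    table filter {
        # Default Policies
        chain INPUT {
            policy DROP;

            # respond to ping
            proto icmp ACCEPT;

            # allow SSH connections
            proto tcp dport ssh ACCEPT;
        }
        chain OUTPUT policy ACCEPT;

        # loopback traffic
        chain INPUT interface lo ACCEPT;
        chain OUTPUT outerface lo ACCEPT;

        chain (INPUT OUTPUT) {
            # connection tracking
            mod state state INVALID DROP;
            mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
        }
    }
}

# Local rules
# ferm includes the files of this directory in lexical order, so the
# numeric prefixes below (00-, 20-, 99-) decide the order of the rules.
@include ferm.d/;
```

* `sudo vim /etc/ferm/ferm.d/00-docker.ferm`

```
# /etc/ferm/ferm.d/00-docker.ferm
# ferm rewrites every chain of the tables it manages on each run. The chains
# Docker creates and maintains itself are marked @preserve so a ferm reload
# does not wipe them. DOCKER-USER is deliberately NOT preserved: it is the
# chain Docker leaves to the administrator, and the 20-*/99-* files fill it.
domain (ip ip6) {
    table filter {
        chain (DOCKER DOCKER-INGRESS DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2 FORWARD) @preserve;
    }
    table nat {
        chain (DOCKER DOCKER-INGRESS PREROUTING OUTPUT POSTROUTING) @preserve;
    }
}
```

* `sudo vim /etc/ferm/ferm.d/20-in.ssh.ferm`
* **already covered by `dport ssh ACCEPT` in the default config, so this file is not necessary**

```
domain (ip ip6) {
    table filter chain INPUT proto tcp dport 22 ACCEPT;
}
```

* `sudo vim /etc/ferm/ferm.d/20-in.docker.nginx.ferm`

```
domain (ip ip6) {
    table filter chain DOCKER-USER
        # Incoming traffic bound for a docker service will come in
        # to the FORWARD chain on eth0 and exit on docker_gwbridge
        interface eth0 outerface docker_gwbridge
        # The destination port here is the port listening IN THE DOCKER CONTAINER
        # Often times that is the same as the host port, but not always:
        # Docker's DNAT in nat/PREROUTING has already rewritten the
        # destination by the time the packet reaches FORWARD / DOCKER-USER.
        proto tcp dport (80 443) ACCEPT;
}
```

* `sudo vim /etc/ferm/ferm.d/20-in.docker.mailcow.ferm`

```
domain (ip ip6) {
    table filter chain DOCKER-USER
        # Incoming traffic bound for a docker service will come in
        # to the FORWARD chain on eth0 and exit on docker_gwbridge
        interface eth0 outerface docker_gwbridge
        # The destination port here is the port listening IN THE DOCKER CONTAINER
        # Often times that is the same as the host port, but not always
        proto tcp dport (25 465 587 143 993 110 995 4190) ACCEPT;
}
```

* `sudo vim /etc/ferm/ferm.d/20-in.docker.ts3.ferm`

```
domain (ip ip6) {
    table filter chain DOCKER-USER
        # Incoming traffic bound for a docker service will come in
        # to the FORWARD chain on eth0 and exit on docker_gwbridge
        interface eth0 outerface docker_gwbridge
        # The destination port here is the port listening IN THE DOCKER CONTAINER
        # Often times that is the same as the host port, but not always
        # NOTE(review): 10011 is conventionally the TeamSpeak ServerQuery
        # (admin) port; if it is only used from known hosts, narrow it with
        # `saddr (...)` instead of opening it to everyone.
        proto tcp dport (10011 30033) ACCEPT;
}

domain (ip ip6) {
    table filter chain DOCKER-USER
        interface eth0 outerface docker_gwbridge
        proto udp dport (9987 9988) ACCEPT;
}
```

* `sudo vim /etc/ferm/ferm.d/99-docker.ferm`

```
# /etc/ferm/ferm.d/99-docker.ferm
# Default-deny for everything the 20-*.ferm files did not ACCEPT. This file
# must sort after them (hence the 99- prefix) so the ACCEPT rules come first.
domain (ip ip6) table filter chain DOCKER-USER {
    # Only traffic entering on eth0 and leaving towards docker_gwbridge is
    # dropped here. Traffic from other interfaces, or towards other Docker
    # bridges (docker0, br-*), falls through to RETURN and is handled by
    # Docker's own FORWARD rules -- extend the match if that applies to you.
    interface eth0 outerface docker_gwbridge {
        mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
        DROP;
    }
    RETURN;
}
```

* Before enabling at boot, load the ruleset interactively so a mistake cannot lock you
  out of SSH: `sudo ferm --interactive /etc/ferm/ferm.conf` asks for confirmation and
  reverts to the previous rules if none is given. `sudo ferm --noexec --lines /etc/ferm/ferm.conf`
  prints the generated iptables commands without applying them.
* Edit `/etc/default/ferm` and set `ENABLED="yes"` to enable it.
* `sudo systemctl enable ferm`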