Shorewall+Docker: Two Great Tastes That Taste Great Together

Matt Palmer November 23, 2015

As has been mentioned previously, we lurve us some Docker here at Discourse. We also lurve us some security, and I’ve recently been replacing our “artisanally handcrafted iptables firewall rules” with a Shorewall-managed configuration, which plays better with Puppet.  Unfortunately, as it stands, like my twin three-year-olds, they don’t always play together well.

Both Docker and Shorewall assume that nobody else is actively messing with the firewall configuration.  Shorewall assumes this because it likes to completely blow away the existing firewall configuration, and replace it with a set of rules crafted from your rules files.  Docker inserts NAT rules to implement its port forwarding system, amongst other things.  Both make sense in isolation, but when you combine the two behaviours… FWACKOOM.


Every time you reload your Shorewall ruleset, all your Docker containers stop receiving traffic.  Restarting Docker fixes it, but who wants to do that on a large-scale production infrastructure?  Not me.

Luckily, Shorewall, being the awesome system that it is, has plenty of hook points (or, as it calls them, extension scripts) you can use to do funky, custom things.  Such as, in this case, saving the existing Docker-related firewall rules before blowing away the firewall, and restoring them afterwards.  Thanks to Docker’s decision to confine most of its rules to a special chain, named DOCKER, this is quite straightforward.

There are three hooks you need to create, all in the same path.

/etc/shorewall/init and /etc/shorewall/stop have the same contents:

# Save Docker's NAT rules (its DOCKER chain plus the POSTROUTING masquerade
# rules) and its filter-table DOCKER chain in iptables-restore format, so the
# start hook can put them back after Shorewall has flushed everything.
if iptables -t nat -L DOCKER >/dev/null 2>&1; then
    echo '*nat' >/etc/shorewall/docker_rules
    iptables -t nat -S DOCKER >>/etc/shorewall/docker_rules
    iptables -t nat -S POSTROUTING >>/etc/shorewall/docker_rules
    echo "COMMIT" >>/etc/shorewall/docker_rules

    echo '*filter' >>/etc/shorewall/docker_rules
    iptables -S DOCKER >>/etc/shorewall/docker_rules
    echo "COMMIT" >>/etc/shorewall/docker_rules
fi

/etc/shorewall/start looks like this:

# Restore the saved Docker rules without flushing (-n), then re-create the
# jumps into the DOCKER chains that Shorewall's rebuild removed.
if [ -f /etc/shorewall/docker_rules ]; then
    iptables-restore -n </etc/shorewall/docker_rules
    run_iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
    # 127.0.0.0/8 is the loopback exclusion Docker's own OUTPUT rule uses
    run_iptables -t nat -I OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
    run_iptables -I FORWARD -o docker0 -j DOCKER
    run_iptables -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run_iptables -I FORWARD -i docker0 ! -o docker0 -j ACCEPT
    run_iptables -I FORWARD -i docker0 -o docker0 -j ACCEPT

    rm -f /etc/shorewall/docker_rules
fi

Once you’ve created those three files, with the above contents, when you run shorewall start or shorewall restart, your firewall will be restarted, with all your Shorewall-defined rules, and your Docker rules, all in place.
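A post-reload check, added here as an example and not part of the original post: it reads an iptables-save dump and reports whether the pieces the start hook re-creates (the nat DOCKER chain and its PREROUTING jump, the docker0 FORWARD rules) are actually present, which is the failure mode the hooks exist to prevent. The sample dumps, container address and port are constructed for the self-test.

```shell
#!/bin/sh
# Added check (not from the original post): verify from an `iptables-save` dump
# that Docker's chains and jumps survived a Shorewall reload. After
# `shorewall restart`, run:  iptables-save | check_docker_rules /dev/stdin
# A non-zero exit means the hooks did not do their job.

# Print only the rules of one table (nat, filter, ...) from the dump.
table_rules() {
    awk -v t="*$2" '$0 == t { on = 1; next } /^COMMIT/ { on = 0 } on' "$1"
}

# Return 0 if everything the start hook re-creates is present.
check_docker_rules() {
    dump="$1"; status=0
    table_rules "$dump" nat | grep -q -- '^-A PREROUTING .*-j DOCKER$' \
        || { echo "nat: PREROUTING does not jump to DOCKER"; status=1; }
    table_rules "$dump" nat | grep -q -- '^-A DOCKER .*-j DNAT ' \
        || { echo "nat: DOCKER chain has no port-forwarding (DNAT) rules"; status=1; }
    table_rules "$dump" filter | grep -q -- '^-A FORWARD -o docker0 -j DOCKER$' \
        || { echo "filter: FORWARD does not jump to DOCKER for docker0"; status=1; }
    table_rules "$dump" filter | grep -q -- '^-A FORWARD -i docker0 ! -o docker0 -j ACCEPT$' \
        || { echo "filter: traffic leaving docker0 is not accepted"; status=1; }
    return $status
}

# Constructed sample dump: one container with port 8080 published to port 80.
GOOD_DUMP=$(mktemp); BAD_DUMP=$(mktemp)
cat >"$GOOD_DUMP" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
# What the same dump looks like after a Shorewall reload without the hooks:
# every Docker chain, jump and docker0 rule has been flushed away.
grep -v -e DOCKER -e docker0 "$GOOD_DUMP" >"$BAD_DUMP"
```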


Our New Datacenter Cabinet

Jeff Atwood November 12, 2015

As Discourse grows, we’re adding more server capacity and newer servers to make sure our hosting remains blazing fast.

We have one server cabinet at Hurricane Electric, which we have been very happy with, and we just upgraded our account to add another full 42U server cabinet and another gigabit internet connection.



Cables, as always, are color-coded:

IPMI VPN, private local intra-server network, switch cross connect, cabinet cross connect

Right now it’s a partially populated cabinet, just our standard Cisco 2960X switch (and an inexpensive netgear switch dedicated to the private IPMI management connections), and seven of our new, faster, Skylake based 1U servers for internal testing. This also lets us exercise our cross-cabinet connection muscles, so if we need to add 3, 4 or even more cabinets to support our future customers, we’ll be ready.

Colocation isn’t our only plan. We’ve also been pushing for more of a hybrid cloud arrangement, where …

  1. Free trials can be deployed to the cloud for potential customers, and then migrated to our super fast hosted infrastructure when the trial converts.
  2. Enterprise customers who are uncomfortable with our single datacenter can have a backup cloud instance on hot standby that we can automatically switch to in the event that something happens to the datacenter.

The first item is particularly exciting since it would let us scale up our free trials and offer Discourse to many more people at lower cost.

Here’s to an even faster Discourse hosting plan in 2016! Stay tuned!


Discourse 1.4 Released!

Jeff Atwood September 22, 2015

It looks like we’re on a solid cadence to deliver a new version of Discourse about every 4 months:

And you know what that means … Discourse 1.4 ships today!

The focus of this release was UI improvements and enhancements, as requested by our customers and active Discourse communities.

Better Dark Theme Support

Dark themes worked in earlier versions of Discourse – if you were willing to roll your sleeves up and augment the color selections with some hand rolled CSS. But in 1.4 we switched Meta over to a dark color theme for a week and made sure it worked flawlessly throughout Discourse.

Improved, Simpler UI

We’re always looking for ways to further simplify the Discourse UI, so in this release, we’ve done the following:

  • Moved like count inline with the reply buttons, so topics with lots of likes are not so vertically expanded.
  • Unified the notifications and user drop down at upper right, so there’s one less glyph at the upper right to make you think.
  • Overhauled and enhanced the hamburger menu and notifications
  • Introduced subtler styling for staff actions in topics, so the conversations are not so visually interrupted when a staff member does something to the topic.
  • Added subtle interstitial posts to better indicate big gaps in ongoing conversations (“two weeks later..”)

Full Page Search

We’ve further refined search in 1.4, going beyond the just-in-time search as you type, and adding a whole new “full page” search mode that lets you narrow your searches in new ways and see more results, with more detail. You can also link directly to a Discourse search now:

Image upload improvements

We now provide more editor feedback during image uploads (which as always, you can add via paste, drag and drop, or the upload button) and offer better optimized images for reduced bandwidth and storage.

On top of that, we now serve default Discourse avatars via, a completely free, CDN based hosting service for our default “letter” avatars that further reduces CPU load and disk space on your Discourse server, while adding the benefits of global caching.

Easier Category Ordering

There’s now a proper UI for re-ordering your categories, rather than the old method of assigning each one a number.

Mobile Layout Simplified

We thought our mobile layout was a bit busier than it should be, so we simplified it. Note that “new” is just a dot on mobile, and we display either the unread reply count, or the total reply count rather than both.

Anonymous User Call to Signup

We welcomed back Kane York aka riking for a summer internship this year and he did amazing work as usual. One of the features he suggested himself, and then built, is this nifty call to action for anonymous users – after reading the site for 5 minutes and entering at least 3 topics, anonymous users will be presented with a little banner at the bottom of topics inviting them to sign up and create an account! This is exactly the kind of just-in-time action we love to build in Discourse.

Topic Whispers

We now offer a “whisper” feature for posting inline topic replies that are only visible to staff. Enable the feature in your site settings, then use the gear icon in the post editor to indicate when you want to whisper to the other staff members in the topic.

Improved Embedding

We’ve had the ability to embed Discourse (in a read only fashion) in static HTML pages for a while now, but in 1.4 our embedding support is greatly improved – you can style the embedded section via Admin, Customize and you can embed per category, if you want several blogs or sites to feed into the same Discourse instance.

Better Performance

We upgraded to Ember 1.12 for improved performance, and spent some time optimizing the user page as well, which was a little pokier than we would have liked. (We also noticed that Discourse is 10% faster under Mobile Safari in iOS 9 in our benchmarks, and going from Android Chrome 42 to 45 will improve performance 30%, so we’ll take credit for those JavaScript performance enhancements, too.)

And so much more

These are just the major highlights in 1.4 — there are literally hundreds of other tiny improvements, refinements, and bugfixes in 1.4 that we aren’t covering here, but are in the full release notes.

Easy One Click Upgrade

If you want some of this new awesome 1.4 stuff, and I know you do, upgrade your Discourse instance today via our super easy one click admin updater linked right from your dashboard:

Thank You

As usual, we’d like to first thank our customers for your support, and the overall Discourse community for their many contributions toward this release — whether it was in pull requests, feedback on meta.discourse, or our personal favorite, feedback based on user activity in your own Discourse instance. In particular, we’d like to highlight significant pull request contributions in this release from tgxworld, Simon Cossar, gwwar, and gerhard.

Yet again, avid meta.discourse user erlendsh created the super cool feature demo videos and screenshots that you see above.

For insight into what’s coming up in future releases of Discourse, keep an eye on the releases category at meta discourse. If you don’t have Discourse, install it yourself in under 30 minutes, or get a free 14 day hosting trial!
