I'm in the process of trying to configure our firewall to keep our server secure after we've set up and configured Pterodactyl. I'm hoping to configure firewalld to allow Docker to manage the opened ports when a new allocation is opened / assigned in Pterodactyl. I've opened ports 80 and 443 in the public zone by default, as well as 3306, but when starting containers they struggle to connect to internet-based services (but are able to access their respective databases) and show errors. What do I need to do or look into to get this type of (hopefully possible) setup to work?
#Best way to configure Firewall Rules (with firewalld) for Pterodactyl / Docker
31 messages · Page 1 of 1 (latest)
If this hasn't been posted in the correct place, please let me know if I should post it elsewhere
Docker by default automatically forwards container ports through iptables, so if you're also running firewalld, it can sometimes conflict. In your case you'll most likely want to allow Docker to continue to use iptables and configure firewalld to allow Docker container traffic through. Typically Docker creates its own "docker" zone in firewalld with an ACCEPT target, though you may have to check your own configuration.
For reference I'm just starting off with firewalld / Pterodactyl myself so are there any documents you can point me to in order to assist in properly configuring everything?
Truthfully I've not used firewalld myself (I use ufw), so someone else is better off stepping in to assist you with configuring that.
In theory, though, the docker zone should've been created automatically, which allows Wings' ports to communicate through it, but you may need to check that the existing rules you've set up don't block all traffic, and then restart the docker/firewall services thereafter.
The configuration is basically fresh from the defaults it comes with, except for the SSH Port and 80 / 443, etc... so I haven't added anything that should block connections by default, but I'll wait for another person who's more experienced with firewalld, as you suggested.
If anything, I'd recommend disabling firewalld temporarily and seeing if things function correctly without it, so you'll at least know where you can start troubleshooting in the future.
I've tested it with the Firewall Disabled, and it works fine, so it's a problem with firewalld
`firewall-cmd --zone=docker --list-all` should show you all the current rules within the docker zone. Do these match your running containers within Pterodactyl?
This is what it currently shows:
```
target: ACCEPT
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces: docker0 pterodactyl0
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
```
Well, it's set to ACCEPT, looks correct. Have you tried reloading firewalld? `firewall-cmd --reload`
Yes, I have
Restart docker as well.
It's been restarted now, but there isn't any difference, unfortunately
Well, perhaps you can find a solution within pterodactyl's additional troubleshooting guides:
https://pterodactyl.io/panel/1.0/troubleshooting.html
Following these steps stops wings from loading because pterodactyl0 is already in the Trusted Zone:
5.7. Working with Zones | Red Hat Documentation
If adding it to trusted caused an issue, then in theory removing it and reloading should reverse the above. That being said, again I want to reiterate that I don't work with firewalld, so do so at your own risk.
```
firewall-cmd --permanent --zone=trusted --remove-interface=pterodactyl0 &&
systemctl restart firewalld &&
firewall-cmd --list-all --zone=trusted
```
Please explain the issue you're experiencing in as much detail as possible. Preferably with error messages in a text format or paste link to logs. Nobody can assist you without information that helps to understand the issue. Help us help you. Messages such as "doesn't work" or "i need help" will most likely be ignored.
#wings-help message
It hasn't helped, unfortunately
I've exported the Pterodactyl Wings Diagnostics Report: https://ptero.co/limigiqazi
I have found the following for: https://ptero.co/limigiqazi
You already have an instance of Wings running through systemd service and are trying to start another duplicate instance, for example by using the commands wings and wings --debug, or another service is using the port.
Use `ss -plnt | grep :8080` (or `grep :8443` depending on the port) to find what process is currently running and stop it. You can type `killall wings` to shut down any ghost Wings process.
For reference, this isn't applicable to the problem ^
Well it is present in your logs, you do have something already bound to 8443
Yes, it was from earlier when I was running the wings diagnostics
Are you able to query the container and the external services you're trying to connect to?
What commands do I need to run to query the container and external services?
I just meant are you able to connect to these services manually outside of pterodactyl. Have you also opened 8443 in the public zone as well?
Yes, they ping from the server that Pterodactyl is hosted on, and Port 8443 is opened in the public zone as a TCP Port
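The thread above never gets past eyeballing the docker zone dump. Below is an added diagnostic, not from the thread and not part of Pterodactyl, Wings or Docker: a POSIX sh function that parses the text `firewall-cmd --zone=docker --list-all` prints and flags the settings that most often explain "containers reach local services but not the internet" when firewalld sits next to Docker (zone target, bridge membership, intra-zone forwarding and masquerade). The embedded sample is the zone dump pasted earlier in the thread, with the `docker (active)` header line that firewall-cmd prints first; the interface names `docker0` and `pterodactyl0` are taken from that dump. The findings are heuristics to investigate before changing rules, not a verdict.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from Pterodactyl/Docker.
# Parses `firewall-cmd --zone=<zone> --list-all` output and reports
# settings that commonly break container egress behind firewalld.

# Pull the value of one "key: value" line out of the list-all output.
zone_field() {            # $1: file, $2: key (e.g. masquerade)
    sed -n "s/^ *$2: *//p" "$1" | head -n 1
}

# check_docker_zone FILE IFACE...
# FILE holds the zone dump; IFACEs are the bridges Docker/Wings use.
# Prints one finding per line; returns 0 when nothing looks wrong, 1 otherwise.
check_docker_zone() {
    file=$1; shift
    rc=0
    target=$(zone_field "$file" target)
    ifaces=$(zone_field "$file" interfaces)
    forward=$(zone_field "$file" forward)
    masq=$(zone_field "$file" masquerade)

    # A zone that is not ACCEPT drops published-port and container traffic.
    if [ "$target" != "ACCEPT" ]; then
        printf 'target is %s, expected ACCEPT\n' "${target:-<unset>}"; rc=1
    fi
    # Every Docker/Wings bridge must be bound to this zone; otherwise it
    # falls into the default zone and inherits that zone's rules instead.
    for want in "$@"; do
        case " $ifaces " in
            *" $want "*) ;;
            *) printf 'interface %s is not in this zone\n' "$want"; rc=1 ;;
        esac
    done
    # "forward: yes" permits traffic between interfaces of the same zone
    # (docker0 <-> pterodactyl0); without it cross-bridge traffic is dropped.
    if [ "$forward" != "yes" ]; then
        printf 'intra-zone forwarding is off (forward: %s)\n' "${forward:-<unset>}"; rc=1
    fi
    # With masquerade off, egress from the bridges to the internet depends
    # entirely on the MASQUERADE rule Docker installs in the nat table.
    # When containers reach local services but not the internet, this is
    # the first setting to look at (here or on the zone holding the uplink).
    if [ "$masq" != "yes" ]; then
        printf 'masquerade is %s; container NAT relies on Docker rules only\n' "${masq:-<unset>}"; rc=1
    fi
    return $rc
}

# Constructed sample: the zone dump pasted in the thread, plus the header
# line firewall-cmd prints before it.
write_thread_sample() {   # $1: destination file
    cat > "$1" <<'EOF'
docker (active)
  target: ACCEPT
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: docker0 pterodactyl0
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

# Stand-alone run: dump the thread's zone to a temp file and check it.
# On a real host replace write_thread_sample with
#   firewall-cmd --zone=docker --list-all > "$tmp"
if [ -z "${CHECK_NO_DEMO:-}" ]; then
    tmp=$(mktemp)
    write_thread_sample "$tmp"
    if check_docker_zone "$tmp" docker0 pterodactyl0; then
        echo "docker zone looks sane"
    else
        echo "review the findings above; after any change run: firewall-cmd --reload"
    fi
    rm -f "$tmp"
fi
```

Run against the thread's dump the only finding is `masquerade is no`, which matches the symptom reported (databases on the host reachable, internet not). Enabling masquerade on the zone is a common starting point, but verify with `firewall-cmd --zone=docker --list-all` and a container-side `curl` after each change rather than stacking rules blindly.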