Description
On my server, I want to configure the exposed ports of my containers to only be accessible from a few IP addresses. I want to make this restriction using netfilter and iptables.
On the documentation you say the following
Docker will not delete or modify any pre-existing rules from the DOCKER filter chain. This allows the user to create in advance any rules required to further restrict access to the containers.
As far as I've tested, if I pre-create a DOCKER chain in my filter table and add a rule (such as the negated rule given as an example in your documentation), as soon as I restart the docker daemon the rule is removed from the chain and replaced with Docker's own container-specific rules.
service docker stop
#Reset your iptables
#...
iptables -N DOCKER
iptables -A DOCKER ! -s x.x.x.x -j DROP
iptables -L DOCKER
# Docker rule is added
# Now restart docker
service docker start
ps aux | grep docker
# docker started with '/usr/bin/docker daemon -H fd://'
iptables -L DOCKER
# Only container-specific rules; my rule doesn't exist anymore
I can see one of two mistakes here.
Either the documentation isn't up to date, and Docker used to keep pre-existing rules but doesn't anymore, or Docker isn't keeping them as it should.
I'm using docker v1.11.2
$ docker version
Client:
Version: 1.11.2
API version: 1.23
Go version: go1.5.4
Git commit: b9f10c9
Built: Wed Jun 1 21:54:25 2016
OS/Arch: linux/amd64
Server:
Version: 1.11.2
API version: 1.23
Go version: go1.5.4
Git commit: b9f10c9
Built: Wed Jun 1 21:54:25 2016
OS/Arch: linux/amd64
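The check a practitioner wants here is a repeatable way to prove whether a pre-created rule in the filter table's DOCKER chain survives a daemon restart, rather than eyeballing `iptables -L`. The script below is an added example, not code from the issue or from the Docker project: it diffs two `iptables-save` dumps (taken before and after the restart) and reports exactly which rules of a given chain were lost. The two dumps embedded in it are constructed to mirror the reporter's scenario (one manual `! -s x.x.x.x -j DROP` rule before; only Docker's published-port rule after); the address 203.0.113.10 and the container address 172.17.0.2 are placeholders. Only the `filter` table is inspected, because Docker also owns a DOCKER chain in the `nat` table and those rules must not be confused with the filter rules being discussed.

```shell
#!/bin/sh
# Added example (not from the issue or the Docker project): detect rules of a
# filter-table chain that disappeared between two iptables-save dumps.
#
# Real use (as root):
#   iptables-save > /tmp/before
#   service docker restart
#   iptables-save > /tmp/after
#   lost_rules DOCKER "$(cat /tmp/before)" "$(cat /tmp/after)"
# Exit status 0 means every pre-existing rule survived, 1 means some were lost.

# Print the "-A <chain> ..." rules of one chain from the *filter* table of an
# iptables-save dump read on stdin. Rules for a same-named chain in other
# tables (e.g. nat/DOCKER) are ignored.
chain_rules() {
  awk -v chain="$1" '
    /^\*/ { table = substr($0, 2); next }          # "*filter", "*nat", ...
    table == "filter" && $1 == "-A" && $2 == chain { print }
  '
}

# lost_rules CHAIN BEFORE_DUMP AFTER_DUMP
# Prints the rules present in CHAIN before but absent after; returns 1 if any.
lost_rules() {
  chain=$1; before=$2; after=$3
  after_file=$(mktemp) || return 2
  printf '%s\n' "$after" | chain_rules "$chain" > "$after_file"
  # -x: whole-line match, -F: literal (rules contain '!' and '.')
  lost=$(printf '%s\n' "$before" | chain_rules "$chain" \
           | grep -vxF -f "$after_file" || true)
  rm -f "$after_file"
  if [ -n "$lost" ]; then
    printf '%s\n' "$lost"
  fi
  [ -z "$lost" ]
}

# Constructed sample dumps (placeholder addresses), not captured from a real host.
# Before: the chain was pre-created by the administrator with one restrictive rule.
BEFORE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A DOCKER ! -s 203.0.113.10/32 -j DROP
COMMIT'

# After: the daemon restarted and one container published tcp/80; the manual
# rule is gone. The nat table also has a DOCKER chain, which must be ignored.
AFTER_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
COMMIT'

# Demo run on the constructed dumps: lists the lost DROP rule and exits 1.
if [ "${DEMO:-0}" = 1 ]; then
  lost_rules DOCKER "$BEFORE_DUMP" "$AFTER_DUMP"
fi
```

Run with `DEMO=1 sh script.sh` to see it print the lost `! -s 203.0.113.10/32 -j DROP` rule for the constructed data; against a real host, substitute the two `iptables-save` captures as shown in the header comment. Because the comparison is done on exact `-A` lines, a rule that Docker re-adds in a different position still counts as present, which is the right notion of "pre-existing rules are kept" for this issue.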