John Siu Blog

Tech - Business Tool, Personal Toys

Docker and IPtables


Using iptables on a Docker host.


Issue : Docker Iptables Punch Through

Let's take the following example:

  • A docker email container publishing ports 25 and 587 (`-p 25:25 -p 587:587`)

  • A docker web server container publishing ports 80 and 443 (`-p 80:80 -p 443:443`)

  • iptables rules in `/etc/iptables/rules.v4` (the file iptables-persistent restores at boot) intended to block traffic from 10.10.10.0/24 to ports 25, 587, 80 and 443:

    /etc/iptables/rules.v4

    -A INPUT -s 10.10.10.0/24 -p tcp -m multiport --dports 25,587 -j DROP
    -A INPUT -s 10.10.10.0/24 -p tcp -m multiport --dports 80,443 -j DROP


But traffic from 10.10.10.0/24 still reaches the email and web containers. The two rules never match because a published container port does not go through INPUT at all: Docker rewrites the destination to the container's address in the nat table's PREROUTING chain (DNAT), so the host then forwards the packet and it is evaluated in the FORWARD chain, where Docker's own DOCKER chain accepts it. Docker routes container traffic through its own chains, and INPUT is not one of them.


Fix : Custom Chain and DOCKER-USER

Docker provides a dedicated chain, DOCKER-USER, for custom rules that must apply to container traffic. Docker inserts a jump to it as the first rule of the FORWARD chain, so anything in DOCKER-USER is evaluated before Docker's own per-container ACCEPT rules, and Docker does not touch the rules we put there.

Rules in INPUT still matter for services running on the host itself, so rather than maintaining the same rules in both INPUT and DOCKER-USER, we create our own chain and jump to it from both.

*filter

# Our custom chain; all policy rules go here
-N my_chain
# Docker's user chain. Creating it here lets this file load before dockerd
# starts; Docker reuses the existing chain and adds its FORWARD jump to it.
-N DOCKER-USER

# Policy rules
-A my_chain -s 10.10.10.0/24 -p tcp -m multiport --dports 25,587 -j DROP
-A my_chain -s 10.10.10.0/24 -p tcp -m multiport --dports 80,443 -j DROP

# Host services (INPUT) and container traffic (DOCKER-USER, reached from
# FORWARD) both consult my_chain
-A INPUT -j my_chain
-A DOCKER-USER -j my_chain

COMMIT

As shown above, we always add our rules to my_chain, and they apply to both INPUT and DOCKER-USER.

Two things to watch:

  • Load order. This file must be restored before the Docker daemon starts (which is what iptables-persistent does at boot). Running `iptables-restore` on it while Docker is up flushes the filter table, removing Docker's DOCKER chain and its FORWARD jumps, so container networking is broken until Docker is restarted. If you add rules to DOCKER-USER by hand at runtime, use `iptables -I DOCKER-USER ...` rather than `-A`: Docker appends a `-j RETURN` to that chain, and anything appended after it is never evaluated.

  • Ports. By the time a packet reaches DOCKER-USER it has already been DNATed to the container, so `--dports` matches the container's port, not the published host port. That is harmless here because both sides of `-p 25:25` are the same, but for a mapping like `-p 2525:25` a rule in my_chain would need `-m conntrack --ctorigdstport 2525` to match the port the client actually connected to.
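The following shell script is an added example and not code from the original post. It generates my_chain rules that behave the same from INPUT and DOCKER-USER whatever the port mapping, by matching conntrack's original destination port instead of `--dport`, and it checks an `iptables -S` dump for the two ordering mistakes above (FORWARD not jumping to DOCKER-USER first, and my_chain sitting after Docker's RETURN). The chain name my_chain comes from the post; the function names and the sample `iptables -S` output are constructed for this example.

```shell
#!/bin/sh
# Added example for this post; not the original author's code.
# Two helpers that need no root to try:
#   block_rules       - emit DROP rules for my_chain that match the port the
#                       client connected to, so one rule works from INPUT
#                       (no DNAT) and from DOCKER-USER (after Docker's DNAT).
#   check_chain_order - read `iptables -S` output and confirm FORWARD jumps to
#                       DOCKER-USER first and DOCKER-USER reaches my_chain
#                       before its trailing RETURN.

# block_rules SRC_CIDR HOST_PORT [HOST_PORT ...]
# `--dport` would see the container-side port in DOCKER-USER (25 for
# `-p 2525:25`); `--ctorigdstport` matches the original destination port
# recorded in the conntrack entry, which is the published port in both chains.
block_rules() {
    src="$1"; shift
    for hport in "$@"; do
        printf '%s\n' "-A my_chain -s $src -p tcp -m conntrack --ctorigdstport $hport -j DROP"
    done
}

# check_chain_order < iptables-S-output
# Returns 0 when the ordering is right, 1 with a reason on stderr otherwise.
check_chain_order() {
    rules=$(cat)
    first_fwd=$(printf '%s\n' "$rules" | grep -- '^-A FORWARD ' | head -n 1)
    case "$first_fwd" in
        *'-j DOCKER-USER') ;;
        *) echo "first FORWARD rule is not a jump to DOCKER-USER: ${first_fwd:-<none>}" >&2
           return 1 ;;
    esac
    user_rules=$(printf '%s\n' "$rules" | grep -- '^-A DOCKER-USER ' || true)
    jump_at=$(printf '%s\n' "$user_rules" | grep -n -- '-j my_chain$' | head -n 1 | cut -d: -f1)
    ret_at=$(printf '%s\n' "$user_rules" | grep -n -- '-j RETURN$' | head -n 1 | cut -d: -f1)
    if [ -z "$jump_at" ]; then
        echo "DOCKER-USER never jumps to my_chain" >&2
        return 1
    fi
    if [ -n "$ret_at" ] && [ "$ret_at" -lt "$jump_at" ]; then
        echo "DOCKER-USER hits -j RETURN (rule $ret_at) before -j my_chain (rule $jump_at)" >&2
        return 1
    fi
    return 0
}

# Constructed `iptables -S` output (not captured from a real host) for a host
# where rules.v4 was restored before dockerd started: the expected layout.
GOOD_SAMPLE='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-USER
-N my_chain
-A INPUT -j my_chain
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j my_chain
-A DOCKER-USER -j RETURN
-A my_chain -s 10.10.10.0/24 -p tcp -m conntrack --ctorigdstport 25 -j DROP'

# Constructed output for the common mistake: `iptables -A DOCKER-USER -j my_chain`
# run after dockerd had already appended its RETURN, so my_chain is never reached.
BAD_SAMPLE='-P FORWARD DROP
-N DOCKER-USER
-N my_chain
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
-A DOCKER-USER -j my_chain'

# Rules to append to my_chain in rules.v4 for the post's four published ports:
block_rules 10.10.10.0/24 25 587 80 443

# On a real host: iptables -S | check_chain_order && echo "ordering OK"
printf '%s\n' "$GOOD_SAMPLE" | check_chain_order && echo "good sample: ordering OK"
printf '%s\n' "$BAD_SAMPLE" | check_chain_order || echo "bad sample: rejected as expected"
```

The conntrack match needs `-p tcp` on the rule, as written, and takes a single port or a `low:high` range rather than the comma list `multiport` accepts, so one rule is emitted per published port.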


Reference: Docker and IPTables

John Siu

Update: 2020-08-28