@seeruk
Last active January 30, 2024 13:40
#!/bin/bash
# Flush all rules and delete user-defined chains in the filter table only
# (the nat table, where Docker keeps its port-publishing DNAT rules, is untouched)
iptables -F
iptables -X
# Default-deny for inbound and forwarded traffic; outbound is allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow established connections (this also covers replies to the host's own
# outbound lookups, e.g. DNS, so no --sport based rules are needed below)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# DNS (only needed if this host serves DNS over TCP; a "--sport 53 -j ACCEPT"
# rule is deliberately omitted, since it would accept any unsolicited packet
# that merely uses 53 as its source port)
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# Docker
iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
# Recreate the DOCKER chain that -X removed; dockerd repopulates it with its
# per-container rules, so restart the Docker daemon after running this script
iptables -N DOCKER
iptables -A FORWARD -o docker0 -j DOCKER
iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
# Docker Interception (note we use -I to insert the PRE_DOCKER chain above the DOCKER chain)
# -I puts the jump at position 1 of FORWARD, so PRE_DOCKER is evaluated before the
# blanket "-i eth0 -o docker0 -j ACCEPT" rule above; with -A it would never be
# reached for traffic arriving on eth0
iptables -N PRE_DOCKER
iptables -I FORWARD -o docker0 -j PRE_DOCKER
## Limit access to port 8000 so that only 1.2.3.4 can access it
## (Docker DNATs published ports in nat PREROUTING before FORWARD is consulted,
## so --dport here is the container-side port, not the host-side port)
iptables -A PRE_DOCKER -s 1.2.3.4 -p tcp --dport 8000 -j ACCEPT
iptables -A PRE_DOCKER -p tcp --dport 8000 -j DROP
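Why the `-I` matters is easiest to see by walking a packet through the FORWARD chain. The following is an added example, not part of the gist: a small Python model of iptables chain traversal over the FORWARD, DOCKER and PRE_DOCKER rules above (only the match fields the script uses are modelled). It shows that a new TCP connection from an unlisted source to port 8000 is dropped when PRE_DOCKER is inserted at the top, but accepted by the `-i eth0 -o docker0` rule if the jump had been appended with `-A` instead. The function names and the sample source 203.0.113.7 are constructed for the example; 1.2.3.4 is the address from the script.

```python
"""Minimal model of iptables chain traversal for the gist's FORWARD rules.

Constructed example: rules and packets are dicts; matching covers the fields
the script uses (in/out interface, protocol, source, dport, conntrack state).
Targets are ACCEPT, DROP, or a jump into a user-defined chain, which falls
through to the caller when it reaches its end, exactly as iptables does.
"""

# Built-in chain policies from the script; user chains have none (fall through)
POLICY = {"FORWARD": "DROP"}


def matches(rule, pkt):
    """True if every match clause present in the rule holds for the packet."""
    for key in ("in", "out", "proto", "src", "dport"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "not_out" in rule and rule["not_out"] == pkt.get("out"):  # "! -o iface"
        return False
    if "ctstate" in rule and pkt.get("ctstate") not in rule["ctstate"]:
        return False
    return True


def walk(chains, chain, pkt):
    """Evaluate a chain top to bottom; return ACCEPT/DROP, or None to fall through."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP"):
            return target
        verdict = walk(chains, target, pkt)  # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return POLICY.get(chain)  # built-in chain policy, or None for user chains


def build_chains(insert_pre_docker=True):
    """Rules from the script; insert_pre_docker=False models 'iptables -A' instead of '-I'."""
    forward = [
        {"in": "docker0", "out": "eth0", "target": "ACCEPT"},
        {"in": "eth0", "out": "docker0", "target": "ACCEPT"},
        {"out": "docker0", "target": "DOCKER"},
        {"out": "docker0", "ctstate": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
        {"in": "docker0", "not_out": "docker0", "target": "ACCEPT"},
        {"in": "docker0", "out": "docker0", "target": "ACCEPT"},
    ]
    jump = {"out": "docker0", "target": "PRE_DOCKER"}
    if insert_pre_docker:
        forward.insert(0, jump)  # iptables -I FORWARD -o docker0 -j PRE_DOCKER
    else:
        forward.append(jump)     # what -A would have done
    return {
        "FORWARD": forward,
        "DOCKER": [],  # normally filled by dockerd; empty right after the script runs
        "PRE_DOCKER": [
            {"src": "1.2.3.4", "proto": "tcp", "dport": 8000, "target": "ACCEPT"},
            {"proto": "tcp", "dport": 8000, "target": "DROP"},
        ],
    }


def verdict_for(src, insert_pre_docker=True, dport=8000):
    """Verdict for a NEW TCP connection from src arriving on eth0, bound for docker0."""
    pkt = {"in": "eth0", "out": "docker0", "proto": "tcp",
           "src": src, "dport": dport, "ctstate": "NEW"}
    return walk(build_chains(insert_pre_docker), "FORWARD", pkt)


if __name__ == "__main__":
    for src in ("1.2.3.4", "203.0.113.7"):
        print(f"{src}: with -I -> {verdict_for(src)}, "
              f"with -A -> {verdict_for(src, insert_pre_docker=False)}")
```

Running it prints ACCEPT for 1.2.3.4 either way, and DROP versus ACCEPT for 203.0.113.7 depending on whether the jump was inserted or appended; traffic to a port other than 8000 falls through PRE_DOCKER and is still accepted by the `eth0` to `docker0` rule.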