@asigatchov
Created April 12, 2019 10:08
docker iptables
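#!/usr/bin/env bash
# Usage:
#   timeout 10 docker_iptables.sh
#
# Builds the PRE_DOCKER chain and hooks it into FORWARD for traffic leaving on
# the docker0 bridge, i.e. ahead of Docker's own DOCKER chain, so packets to
# containers are filtered by these rules before Docker's published-port ACCEPT
# rules see them. Safe to re-run: the chain is flushed and rebuilt each time.
#
# Run it under the shell `timeout` utility (as in the usage line) so that a
# hung iptables invocation cannot block service start-up forever.
#
# NOTE(review): newer Docker releases provide a DOCKER-USER chain meant for
# user rules ahead of DOCKER; consider targeting it instead of a custom jump.
# NOTE(review): when started from a systemd ExecStartPost= line, systemd does
# not run the command through a shell, so a ">/dev/null" on that line is not a
# redirection but an extra argument to the script.
set -u

# Print a diagnostic to stderr and abort.
die() {
  printf 'docker_iptables: %s\n' "$*" >&2
  exit 1
}

# Tunables (override via environment); the defaults reproduce the original rules.
readonly docker_bin=${DOCKER_BIN:-/usr/bin/docker}
readonly bridge=${DOCKER_BRIDGE:-docker0}
readonly chain=${PRE_DOCKER_CHAIN:-PRE_DOCKER}
# The only source allowed to reach MySQL (3306) inside containers.
readonly mysql_admin_src=${MYSQL_ADMIN_SRC:-84.11.23.33}

# Insert a rule at the TOP of the filter chain and abort if iptables rejects it.
# Because rules are inserted rather than appended, the last rule inserted is
# evaluated first; keep that in mind when reading the order below.
rule() {
  iptables -I "$chain" "$@" || die "cannot insert rule: $*"
}

# Nothing to filter when Docker is not installed; leave quietly (exit 0).
if [[ ! -x "$docker_bin" ]]; then
  exit 0
fi

# Detach the chain from FORWARD first (it is re-attached at the very end) so
# the rebuild below never leaves a half-built chain in the packet path.
if iptables -C FORWARD -o "$bridge" -j "$chain" 2>/dev/null; then
  iptables -D FORWARD -o "$bridge" -j "$chain" \
    || die "cannot remove FORWARD jump to $chain"
fi

# Test for the chain itself rather than for the FORWARD jump: if the jump was
# lost (e.g. after a firewall reload) while the chain survived, 'iptables -N'
# would fail and the stale rules would never be flushed.
if iptables -n -L "$chain" >/dev/null 2>&1; then
  iptables -F "$chain" || die "cannot flush $chain"
else
  iptables -N "$chain" || die "cannot create $chain"
fi

# Default action: inserted first, so it ends up LAST in the chain.
rule -j DROP

# Commented out for future use.
# Docker Containers Public Admin access (insert your IPs here)
#rule -i eth0 -s 192.184.41.144 -j ACCEPT
#rule -i eth0 -s 120.29.76.14 -j ACCEPT
# Docker Containers Restricted LAN Access (insert your LAN IP range or multiple IPs here)
#rule -i eth1 -s 192.168.1.101 -j ACCEPT
#rule -i eth1 -s 192.168.1.102 -j ACCEPT

# Docker internal use
rule -o "$bridge" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# NOTE: the chain is only entered for packets leaving via the bridge (see the
# FORWARD jump at the bottom), so this '! -o' rule cannot match here; kept as-is.
rule -i "$bridge" ! -o "$bridge" -j ACCEPT
# 'state' is the legacy alias of 'conntrack'; use one match module throughout.
rule -m conntrack --ctstate RELATED -j ACCEPT
rule -i "$bridge" -o "$bridge" -j ACCEPT

# Edit as needed.
# Insert web server container filter rules
rule -p tcp --dport 80 -j ACCEPT
rule -p tcp --dport 443 -j ACCEPT
rule -s "$mysql_admin_src" -p tcp --dport 3306 -j ACCEPT

# Finally insert the PRE_DOCKER chain before the DOCKER chain in the FORWARD chain.
iptables -I FORWARD -o "$bridge" -j "$chain" \
  || die "cannot insert FORWARD jump to $chain"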
Добавляем запуск скрипта ПОСЛЕ запуска докера в /usr/lib/systemd/system/docker.service:
ExecStartPost=/root/bin/docker_rule.sh >/dev/null
Выполняем:
systemctl daemon-reload
Перечитываем правила и перезапускаем докер:
# iptables-restore < /etc/sysconfig/iptables
# service docker restart