Last active: March 12, 2020 12:43
Gist: egerlach/d31398231b7e0e727adbc994926a5286
# This configuration file will allow all requests originating from the
# local machine to be sent through all network interfaces.
#
# The only requests allowed from the outside world are dhcp, http, https,
# ssh, and icmp. Other than that, the host will be completely stealthed! It
# will not respond to anything, though it will be pingable as a server
# should be.
#
# Then we have the configuration for the docker interfaces. The docker0
# interface allows all packets on it.
#
# We also set up two routers:
# 1. Routes connections from docker containers to the internet via NAT
# 2. Routes connections between docker containers
#
# Then there are manual iptables commands for setting up the docker-required
# chains. I honestly don't know why those need to be there yet.

version 6

# IPv6 neighbour discovery on every interface; "policy return" hands any
# other packet on to the interface definitions below.
ipv6 interface any v6interop proto icmpv6
    client ipv6neigh accept
    server ipv6neigh accept
    policy return

# Public interface: only the listed services are reachable from outside,
# everything initiated by this host is allowed out.
interface eth0 world
    policy drop
    server "dhcp http https ssh icmp" accept
    client all accept

# Docker bridge: no filtering on the bridge itself.
interface docker0 docker
    policy accept

# Containers to the internet, source-NATed behind eth0.
router docker2internet inface docker0 outface eth0
    masquerade
    route all accept

# Container to container traffic forwarded through the bridge.
router docker2docker inface docker0 outface docker0
    policy accept
    route all accept

# Raw iptables commands recorded by FireHOL and run as part of the ruleset.
iptables -N DOCKER
iptables -N DOCKER-ISOLATION
iptables -A FORWARD -j DOCKER-ISOLATION
iptables -A FORWARD -o docker0 -j DOCKER
iptables -A DOCKER-ISOLATION -j RETURN
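The five raw iptables lines at the end recreate the filter-table chains and FORWARD hooks that Docker expects to find, because FireHOL flushes every table when it loads and Docker only sets its chains up when the daemon starts. The script below is an added example, not part of the gist, that checks an `iptables-save` dump for exactly those chains and hooks so you can confirm the ruleset after `firehol start` without restarting Docker to find out. The two dumps embedded in it are constructed samples, not captured from the author's host; feed the functions real output with `iptables-save -t filter | sh check.sh`-style piping instead. Chain names match the configuration above; newer Docker releases also create DOCKER-USER and DOCKER-ISOLATION-STAGE-1/DOCKER-ISOLATION-STAGE-2, and keep a separate DOCKER chain in the nat table for published ports, none of which this script looks for.

```shell
#!/bin/sh
# Added example (not the gist author's code): verify that an iptables-save
# dump of the filter table still contains the Docker chains and FORWARD hooks
# that the FireHOL configuration above recreates.

# Constructed sample: abbreviated filter table as it should look after
# `firehol start` with the configuration above (hypothetical dump).
SAMPLE_GOOD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-ISOLATION -j RETURN
COMMIT'

# Constructed sample: the failure mode the config guards against. FireHOL has
# flushed the tables and nothing recreated Docker's chains (hypothetical dump).
SAMPLE_BAD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i docker0 -o eth0 -j ACCEPT
COMMIT'

# check_docker_chains: read an iptables-save dump on stdin, report anything
# missing, and return 0 only when every required chain and hook is present.
check_docker_chains() {
    dump=$(cat)
    missing=0
    # Chain declarations look like ":NAME - [0:0]"; the trailing space keeps
    # ":DOCKER " from matching ":DOCKER-ISOLATION".
    for chain in DOCKER DOCKER-ISOLATION; do
        if ! printf '%s\n' "$dump" | grep -q "^:$chain "; then
            echo "missing chain: $chain"
            missing=$((missing + 1))
        fi
    done
    # The two FORWARD hooks, matched exactly as iptables-save prints them.
    if ! printf '%s\n' "$dump" | grep -q -- '^-A FORWARD -j DOCKER-ISOLATION$'; then
        echo "missing hook: FORWARD -> DOCKER-ISOLATION"
        missing=$((missing + 1))
    fi
    if ! printf '%s\n' "$dump" | grep -q -- '^-A FORWARD -o docker0 -j DOCKER$'; then
        echo "missing hook: FORWARD -o docker0 -> DOCKER"
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# forward_order_ok: the isolation jump has to come before the DOCKER jump in
# FORWARD, as the config appends them; compare their line positions in the dump.
forward_order_ok() {
    dump=$(cat)
    iso=$(printf '%s\n' "$dump" | grep -n -- '^-A FORWARD -j DOCKER-ISOLATION$' | head -n 1 | cut -d: -f1)
    dock=$(printf '%s\n' "$dump" | grep -n -- '^-A FORWARD -o docker0 -j DOCKER$' | head -n 1 | cut -d: -f1)
    [ -n "$iso" ] && [ -n "$dock" ] && [ "$iso" -lt "$dock" ]
}

# Run both samples through the checks when executed directly.
printf '%s\n' "$SAMPLE_GOOD" | check_docker_chains && echo "good sample: docker chains present"
printf '%s\n' "$SAMPLE_BAD" | check_docker_chains || echo "bad sample: docker chains missing (expected)"
printf '%s\n' "$SAMPLE_GOOD" | forward_order_ok && echo "good sample: FORWARD hook order ok"
```

The checks are string-exact on purpose: `iptables-save` prints rules in a stable canonical form, so an exact match is a stricter test than a loose pattern and will not be fooled by a similarly named chain such as DOCKER-USER.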