@x-yuri

x-yuri/1.txt Secret

Last active March 16, 2024 04:11
docker 18.09.6 basic iptables rules with comments
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
:DOCKER -
# (nat.1)
# when receiving a connection targeting a local address
# from the outside world to 1.1.1.1,
# or from a container to 172.17.0.1, 1.1.1.1
# jump to the DOCKER chain
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
# (nat.2)
# when establishing a connection from the host
# to a local address (1.1.1.1, 172.17.0.1),
# jump to the DOCKER chain
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# (nat.3)
# when receiving a connection
# from a container to the outside world,
# or establishing from the host to 172.17.0.1
# do SNAT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# (nat.4)
# return if connection is coming from a container
-A DOCKER -i docker0 -j RETURN
# here we're left with connections coming from the outside world to 1.1.1.1,
# and from the host to 1.1.1.1, 172.17.0.1;
# this is where the per-container DNAT rules (published ports) get added
COMMIT
*filter
:INPUT ACCEPT
# the FORWARD chain has a DROP policy: anything not accepted below is dropped
:FORWARD DROP
:OUTPUT ACCEPT
:DOCKER -
:DOCKER-ISOLATION-STAGE-1 -
:DOCKER-ISOLATION-STAGE-2 -
:DOCKER-USER -
# (filter.1)
-A FORWARD -j DOCKER-USER
# (filter.2)
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
# (filter.3)
# accept established and related connections
# to a container
# from the outside world (in case they are forwarded, none by default),
# or from another container
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# (filter.4)
# jump to the DOCKER chain
# for packets coming
# to a container
# from the outside world
# or from another container
-A FORWARD -o docker0 -j DOCKER
# (filter.5)
# accept packets coming
# from a container
# to the outside world
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
# (filter.6)
# accept packets between containers
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# (filter.7)
# jump to DOCKER-ISOLATION-STAGE-2
# for packets coming
# from a container
# to the outside world
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
# (filter.8)
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
# (filter.9)
# drop packets coming
# to a container
# from the outside world,
# or from another container
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
# (filter.10)
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
# (filter.11)
# placeholder for user rules
# https://docs.docker.com/network/iptables/
-A DOCKER-USER -j RETURN
COMMIT
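To check what the filter table above actually does to forwarded traffic, here is an added example (not part of the gist, not Docker's code): a small evaluator that walks the FORWARD chain, follows jumps into DOCKER-USER, the isolation chains and DOCKER, and reports ACCEPT or DROP for a few constructed packets. It understands only the options the gist uses (-i, -o, -s, -d, "!", -m conntrack --ctstate) plus -I for inserting a rule. The interface name eth0, the container addresses 172.17.0.2/3 and the sample DOCKER-USER rule are assumptions; the rule is written in the shape the linked Docker docs describe.

```python
# Added example: minimal evaluator for the gist's filter-table FORWARD path.
import ipaddress
import shlex

# Constructed: the gist's filter table with comments stripped (COMMIT omitted,
# the parser ignores it anyway), one rule per line.
FILTER_RULES = """\
:INPUT ACCEPT
:FORWARD DROP
:OUTPUT ACCEPT
:DOCKER -
:DOCKER-ISOLATION-STAGE-1 -
:DOCKER-ISOLATION-STAGE-2 -
:DOCKER-USER -
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
"""

def parse(text):
    """Return ({chain: policy or None}, {chain: [rule, ...]}) from iptables-save lines."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                    # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains[name] = []
            continue
        toks = shlex.split(line)
        if toks[0] not in ("-A", "-I"):
            raise ValueError("unsupported line: " + line)
        rule, i = {"matches": [], "target": None}, 2
        while i < len(toks):
            neg = toks[i] == "!"                    # "!" negates the next option
            if neg:
                i += 1
            opt = toks[i]
            if opt == "-j":
                rule["target"] = toks[i + 1]
            elif opt == "-m":
                pass                                # module name; its option follows
            elif opt in ("-i", "-o", "-s", "-d", "--ctstate"):
                rule["matches"].append((opt, toks[i + 1], neg))
            else:
                raise ValueError("unsupported option: " + opt)
            i += 2
        if toks[0] == "-I":
            chains[toks[1]].insert(0, rule)         # -I without index inserts at top
        else:
            chains[toks[1]].append(rule)
    return policies, chains

def _matches(match, pkt):
    opt, val, neg = match
    if opt == "--ctstate":
        hit = pkt["ctstate"] in val.split(",")
    elif opt in ("-i", "-o"):
        hit = pkt["in" if opt == "-i" else "out"] == val
    else:                                           # -s / -d: host or CIDR
        addr = ipaddress.ip_address(pkt["src" if opt == "-s" else "dst"])
        hit = addr in ipaddress.ip_network(val, strict=False)
    return hit != neg

def evaluate(policies, chains, chain, pkt):
    """Walk one chain for pkt; returns ACCEPT, DROP or RETURN."""
    for rule in chains[chain]:
        if not all(_matches(m, pkt) for m in rule["matches"]):
            continue
        target = rule["target"]
        if target == "RETURN":
            break
        if target in ("ACCEPT", "DROP"):
            return target
        verdict = evaluate(policies, chains, target, pkt)   # user-defined chain
        if verdict != "RETURN":
            return verdict
    # end of chain or explicit RETURN: a built-in chain applies its policy
    return policies[chain] or "RETURN"

def forward_verdict(rules_text, pkt):
    policies, chains = parse(rules_text)
    return evaluate(policies, chains, "FORWARD", pkt)

def pkt(in_if, out_if, src, dst, ctstate="NEW"):
    return {"in": in_if, "out": out_if, "src": src, "dst": dst, "ctstate": ctstate}

# Constructed packets (eth0 = assumed external interface, 172.17.0.x = containers).
CONTAINER_TO_INTERNET = pkt("docker0", "eth0", "172.17.0.2", "198.51.100.9")
INTERNET_TO_CONTAINER = pkt("eth0", "docker0", "203.0.113.5", "172.17.0.2")
REPLY_TO_CONTAINER = pkt("eth0", "docker0", "203.0.113.5", "172.17.0.2", "ESTABLISHED")
CONTAINER_TO_CONTAINER = pkt("docker0", "docker0", "172.17.0.2", "172.17.0.3")

# Constructed DOCKER-USER rule in the shape the linked docs describe: only
# 192.0.2.0/24 may reach containers via eth0. FORWARD jumps to DOCKER-USER first
# (filter.1), so this is checked even before the RELATED,ESTABLISHED accept.
USER_RULE = "-I DOCKER-USER -i eth0 ! -s 192.0.2.0/24 -j DROP\n"

if __name__ == "__main__":
    for name, p in [("container->internet", CONTAINER_TO_INTERNET),
                    ("internet->container (new)", INTERNET_TO_CONTAINER),
                    ("internet->container (reply)", REPLY_TO_CONTAINER),
                    ("container->container", CONTAINER_TO_CONTAINER)]:
        print(f"{name:30} default={forward_verdict(FILTER_RULES, p):6} "
              f"with DOCKER-USER rule={forward_verdict(FILTER_RULES + USER_RULE, p)}")
```

The run shows why the DROP policy matters: a new connection from outside to a container is dropped by the policy because the DOCKER chain is empty until a port is published, while container-originated traffic and replies to it are accepted; adding the DOCKER-USER rule then cuts off replies from addresses outside the allowed range before (filter.3) ever sees them.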